This is an automated email from the ASF dual-hosted git repository.
jacopoc pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 8b1f839447 Fixed: Validate URLs in widget factories to reject invalid
locations
8b1f839447 is described below
commit 8b1f8394477d86dee1045edfe2dd5ea0e8fd6e0a
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Wed Mar 11 08:32:00 2026 +0100
Fixed: Validate URLs in widget factories to reject invalid locations
---
.../src/main/java/org/apache/ofbiz/widget/model/FormFactory.java | 7 +++++++
.../src/main/java/org/apache/ofbiz/widget/model/GridFactory.java | 7 +++++++
.../src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java | 3 +++
.../src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java | 2 +-
.../src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java | 4 ++++
5 files changed, 22 insertions(+), 1 deletion(-)
diff --git
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
index 2987e3f16a..41b185ec16 100644
---
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
+++
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
@@ -29,6 +29,7 @@ import javax.xml.parsers.ParserConfigurationException;
import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.UtilHttp;
+import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.base.util.UtilXml;
import org.apache.ofbiz.base.util.cache.UtilCache;
import org.apache.ofbiz.entity.Delegator;
@@ -55,6 +56,9 @@ public class FormFactory {
VisualTheme visualTheme,
DispatchContext dispatchContext)
throws IOException, SAXException, ParserConfigurationException {
URL formFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (formFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(formFileUrl.toString()))
{
+ throw new IllegalArgumentException("Could not resolve location to
URL: " + resourceName);
+ }
Document formFileDoc = UtilXml.readXmlDocument(formFileUrl, true,
true);
return readFormDocument(formFileDoc, entityModelReader, visualTheme,
dispatchContext, resourceName);
}
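Review bot: The guard at `if (formFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(formFileUrl.toString()))` is the same three lines the commit pastes into seven call sites across five factories, which makes it easy for a future resolve-then-read path to miss the check. A single helper that resolves and validates in one step keeps the policy in one place and gives it one name to grep for; a package-private static in this class would do, a method next to `FlexibleLocation.resolveLocation` would be better since both `FlexibleLocation` and `UtilValidate` live in base. Each call site then becomes `URL formFileUrl = resolveComponentLocation(resourceName);` with no inline guard. The helper's `throws` clause below is a guess from the surrounding `throws IOException`; use whatever `resolveLocation` actually declares. The method's signature begins before the hunk.
```java
/**
 * Resolves a widget location and rejects any resolved URL that
 * UtilValidate flags as not starting with the component:// protocol.
 *
 * @throws IllegalArgumentException if the location cannot be resolved
 *         or the resolved URL fails the component-protocol check
 */
static URL resolveComponentLocation(String resourceName) throws IOException {
    URL url = FlexibleLocation.resolveLocation(resourceName);
    if (url == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(url.toString())) {
        throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
    }
    return url;
}
```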
@@ -68,6 +72,9 @@ public class FormFactory {
ModelForm modelForm = FORM_LOCATION_CACHE.get(cacheKey);
if (modelForm == null) {
URL formFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (formFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(formFileUrl.toString()))
{
+ throw new IllegalArgumentException("Could not resolve location
to URL: " + resourceName);
+ }
Document formFileDoc = UtilXml.readXmlDocument(formFileUrl, true,
true);
if (formFileDoc == null) {
throw new IllegalArgumentException("Could not find resource ["
+ resourceName + "]");
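Review bot: The new branch reports a resolved-but-rejected URL with the same message as an unresolvable one, `Could not resolve location to URL: ...`, so a hit on the protocol check is indistinguishable in logs from a plain missing file, which is exactly the case an operator wants to notice. Splitting the two conditions costs one extra `if` and gives a distinct signal, e.g. `throw new IllegalArgumentException("Location is not a component:// resource: " + resourceName);` for the `UtilValidate` branch, keeping the existing message for the null case. The enclosing method starts outside the hunk.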
diff --git
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
index c8a8e86c04..f7907b310d 100644
---
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
+++
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
@@ -30,6 +30,7 @@ import javax.xml.parsers.ParserConfigurationException;
import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.UtilHttp;
+import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.base.util.UtilXml;
import org.apache.ofbiz.base.util.cache.UtilCache;
import org.apache.ofbiz.entity.Delegator;
@@ -57,6 +58,9 @@ public class GridFactory {
VisualTheme
visualTheme, DispatchContext dispatchContext)
throws IOException, SAXException, ParserConfigurationException {
URL gridFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (gridFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(gridFileUrl.toString()))
{
+ throw new IllegalArgumentException("Could not resolve location to
URL: " + resourceName);
+ }
Document gridFileDoc = UtilXml.readXmlDocument(gridFileUrl, true,
true);
return readGridDocument(gridFileDoc, entityModelReader, visualTheme,
dispatchContext, resourceName);
}
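Review bot: The uncached path still hands `gridFileDoc` straight to `readGridDocument` without the null check that the cached path in the next hunk performs on its document. If `UtilXml.readXmlDocument` can return null for an unreadable resource, as that sibling check suggests, the new URL guard at the top of the method does not cover this case and a NullPointerException replaces the intended IllegalArgumentException. Adding `if (gridFileDoc == null) { throw new IllegalArgumentException("Could not find resource [" + resourceName + "]"); }` before the return keeps the two entry points consistent. The method's signature begins before the hunk.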
@@ -70,6 +74,9 @@ public class GridFactory {
ModelGrid modelGrid = GRID_LOCATION_CACHE.get(cacheKey);
if (modelGrid == null) {
URL gridFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (gridFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(gridFileUrl.toString()))
{
+ throw new IllegalArgumentException("Could not resolve location
to URL: " + resourceName);
+ }
Document gridFileDoc = UtilXml.readXmlDocument(gridFileUrl, true,
true);
if (gridFileDoc == null) {
throw new IllegalArgumentException("Could not find resource ["
+ resourceName + "]");
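Review bot: The protocol check runs on `gridFileUrl.toString()`, i.e. the form the URL has after `FlexibleLocation.resolveLocation` has expanded it, and nothing in the hunk says what a legitimate `component://` location resolves to or which schemes the helper rejects, so whether the guard enforces the commit title rests entirely on `isUrlInStringAndDoesNotStartByComponentProtocol`. A one-line comment above the guard stating the accepted and rejected forms would help the next reader, e.g. `// resolved component:// locations pass; any other URL scheme in the location is rejected` — only if that matches the helper, which is not visible here. A unit test driving this method with a non-component location and asserting IllegalArgumentException would pin the behaviour regardless. The enclosing method starts outside the hunk.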
diff --git
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
index e960ef8f85..afbfebde0a 100644
---
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
+++
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
@@ -107,6 +107,9 @@ public class MenuFactory {
Map<String, ModelMenu> modelMenuMap = MENU_LOCATION_CACHE.get(keyName);
if (modelMenuMap == null) {
URL menuFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (menuFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(menuFileUrl.toString()))
{
+ throw new IllegalArgumentException("Could not resolve location
to URL: " + resourceName);
+ }
Document menuFileDoc = UtilXml.readXmlDocument(menuFileUrl, true,
true);
modelMenuMap = readMenuDocument(menuFileDoc, resourceName,
visualTheme);
MENU_LOCATION_CACHE.putIfAbsent(keyName, modelMenuMap);
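Review bot: This file gains a call to `UtilValidate` but, unlike FormFactory, GridFactory and TreeFactory, no import hunk, and the diffstat lists only three insertions for it; presumably `org.apache.ofbiz.base.util.UtilValidate` was already imported in MenuFactory, otherwise the change does not compile, and ThemeFactory is in the same position. Worth a glance before merging. On the positive side, `MENU_LOCATION_CACHE.putIfAbsent(keyName, modelMenuMap)` runs after the guard, so a rejected location never populates the cache. The enclosing method starts outside the hunk.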
diff --git
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
index 9f6764b923..9ba0d15e48 100644
---
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
+++
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
@@ -180,7 +180,7 @@ public final class ThemeFactory {
if (modelTheme == null) {
URL themeFileUrl = null;
themeFileUrl =
FlexibleLocation.resolveLocation(resourceName);
- if (themeFileUrl == null) {
+ if (themeFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(themeFileUrl.toString()))
{
throw new IllegalArgumentException("Could not
resolve location to URL: " + resourceName);
}
Document themeFileDoc =
UtilXml.readXmlDocument(themeFileUrl, true, true);
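Review bot: The lines just above the changed condition declare `URL themeFileUrl = null;` and then assign it unconditionally, which can collapse to `URL themeFileUrl = FlexibleLocation.resolveLocation(resourceName);` now that the guard immediately follows. That is a style nit on code the commit touches rather than a defect. The enclosing method starts and ends outside the hunk.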
diff --git
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
index babc7553d1..c32e381741 100644
---
a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
+++
b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
@@ -26,6 +26,7 @@ import java.util.Map;
import javax.xml.parsers.ParserConfigurationException;
import org.apache.ofbiz.base.location.FlexibleLocation;
+import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.base.util.UtilXml;
import org.apache.ofbiz.base.util.cache.UtilCache;
import org.apache.ofbiz.entity.Delegator;
@@ -50,6 +51,9 @@ public class TreeFactory {
Map<String, ModelTree> modelTreeMap =
TREE_LOCATION_CACHE.get(resourceName);
if (modelTreeMap == null) {
URL treeFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (treeFileUrl == null ||
UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(treeFileUrl.toString()))
{
+ throw new IllegalArgumentException("Could not resolve location
to URL: " + resourceName);
+ }
Document treeFileDoc = UtilXml.readXmlDocument(treeFileUrl, true,
true);
modelTreeMap = readTreeDocument(treeFileDoc, delegator,
dispatcher, resourceName);
modelTreeMap = TREE_LOCATION_CACHE.putIfAbsentAndGet(resourceName,
modelTreeMap);
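Review bot: The commit adds no test for the new rejection path, and for a check whose stated purpose is to reject locations that do not start with the component protocol that is the piece most worth pinning. A test that calls this method with a location the helper rejects and asserts `IllegalArgumentException`, plus one with a normal `component://` tree location that still loads, would catch a regression in either direction; the method name and parameters lie outside the hunk, so the exact call is not quoted here. The enclosing method starts before the hunk.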