This is an automated email from the ASF dual-hosted git repository.
jacopoc pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new d469a7823a Fixed: Enhance URL verification to handle jar URLs
d469a7823a is described below
commit d469a7823afaa69cfb64874e018ef4548a622955
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Wed Mar 11 08:33:15 2026 +0100
Fixed: Enhance URL verification to handle jar URLs
---
.../java/org/apache/ofbiz/base/util/UtilXml.java | 23 ++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
index 5da1aa3627..414a1eacc5 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
@@ -397,11 +397,26 @@ public final class UtilXml {
public static Document readXmlDocument(URL url, boolean validate, boolean
withPosition)
throws SAXException, ParserConfigurationException,
java.io.IOException {
- // url.getHost().isEmpty() when reading an XML file
- if (!HOSTHEADERSALLOWED.contains(url.getHost()) &&
!url.getHost().isEmpty()) {
- Debug.logWarning("Domain " + url.getHost() + " not accepted to
prevent host header injection."
+ // For jar: URLs (e.g. jar:http://host/file.jar!/entry), getHost()
returns empty string
+ // because the host belongs to the inner URL, not the jar: wrapper.
Extract it explicitly.
+ String urlHost = url.getHost();
+ if (urlHost.isEmpty() && "jar".equals(url.getProtocol())) {
+ String innerUrlStr = url.toString().substring("jar:".length());
+ int bangIdx = innerUrlStr.indexOf('!');
+ if (bangIdx >= 0) {
+ innerUrlStr = innerUrlStr.substring(0, bangIdx);
+ }
+ try {
+ urlHost = new URL(innerUrlStr).getHost();
+ } catch (java.net.MalformedURLException e) {
+ throw new IOException("Cannot determine host from jar URL: " +
url);
+ }
+ }
+ // urlHost is empty for local URLs (e.g. file:), which are always
allowed
+ if (!HOSTHEADERSALLOWED.contains(urlHost) && !urlHost.isEmpty()) {
+ Debug.logWarning("Domain " + urlHost + " not accepted to prevent
host header injection."
+ " You need to set host-headers-allowed property in
security.properties file.", MODULE);
- throw new IOException("Domain " + url.getHost() + " not accepted
to prevent host header injection."
+ throw new IOException("Domain " + urlHost + " not accepted to
prevent host header injection."
+ " You need to set host-headers-allowed property in
security.properties file.");
}
InputStream is = url.openStream();
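Review bot: The inner URL is cut at the first `!` in the `indexOf('!')` truncation, whereas the JDK's JarURLConnection splits a jar: spec at the first `!/`, so a `!` appearing earlier in the inner URL (userinfo, path or query) would make the host checked here come from a different string than the one `url.openStream()` actually fetches from, and the allow-list check would no longer cover the real target. Letting the same parser decide closes that gap: replace the manual substring/try block with `urlHost = ((java.net.JarURLConnection) url.openConnection()).getJarFileURL().getHost();` — per the URLConnection contract no network connection is made until connect()/getInputStream(), and the MalformedURLException thrown for a spec without `!/` already falls under the method's declared IOException; if the string approach is kept, at least split on `indexOf("!/")` to match the handler. The rethrow in the catch also drops the cause; `throw new IOException("Cannot determine host from jar URL: " + url, e);` preserves it for diagnosis. readXmlDocument's body continues outside the hunk.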