This is an automated email from the ASF dual-hosted git repository. jacopoc pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 60c19683f908ebae9d169f6e4ff49869a74e728e Author: Jacopo Cappellato <[email protected]> AuthorDate: Wed Mar 11 08:33:15 2026 +0100 Fixed: Enhance URL verification to handle jar URLs
---
.../java/org/apache/ofbiz/base/util/UtilXml.java | 23 ++++++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
index 5da1aa3627..414a1eacc5 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilXml.java
@@ -397,11 +397,26 @@ public final class UtilXml {
 public static Document readXmlDocument(URL url, boolean validate, boolean withPosition) throws SAXException, ParserConfigurationException, java.io.IOException {
- // url.getHost().isEmpty() when reading an XML file
- if (!HOSTHEADERSALLOWED.contains(url.getHost()) && !url.getHost().isEmpty()) {
- Debug.logWarning("Domain " + url.getHost() + " not accepted to prevent host header injection."
+ // For jar: URLs (e.g. jar:http://host/file.jar!/entry), getHost() returns empty string
+ // because the host belongs to the inner URL, not the jar: wrapper. Extract it explicitly.
+ String urlHost = url.getHost();
+ if (urlHost.isEmpty() && "jar".equals(url.getProtocol())) {
+ String innerUrlStr = url.toString().substring("jar:".length());
+ int bangIdx = innerUrlStr.indexOf('!');
+ if (bangIdx >= 0) {
+ innerUrlStr = innerUrlStr.substring(0, bangIdx);
+ }
+ try {
+ urlHost = new URL(innerUrlStr).getHost();
+ } catch (java.net.MalformedURLException e) {
+ throw new IOException("Cannot determine host from jar URL: " + url);
+ }
+ }
+ // urlHost is empty for local URLs (e.g. file:), which are always allowed
+ if (!HOSTHEADERSALLOWED.contains(urlHost) && !urlHost.isEmpty()) {
+ Debug.logWarning("Domain " + urlHost + " not accepted to prevent host header injection."
 + " You need to set host-headers-allowed property in security.properties file.", MODULE);
- throw new IOException("Domain " + url.getHost() + " not accepted to prevent host header injection."
+ throw new IOException("Domain " + urlHost + " not accepted to prevent host header injection."
 + " You need to set host-headers-allowed property in security.properties file.");
 }
 InputStream is = url.openStream();
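Review bot: The host that the allow-list check validates is recovered by hand (`url.toString().substring("jar:".length())`, cut at the first `!`) and is not guaranteed to be the host `url.openStream()` later contacts, because the JDK's jar handler splits the wrapped URL at `!/` and `!` is a legal character in userinfo and path segments, so the two parses can disagree; the check should be applied to the URL the runtime itself resolves, `java.net.JarURLConnection.getJarFileURL()`, which `url.openConnection()` yields for a jar: URL without opening a network connection. The `catch` also discards the cause, which should be `throw new IOException("Cannot determine host from jar URL: " + url, e);`. The sketch below replaces the string parsing with that lookup; a jar wrapped around a `file:` URL still yields an empty host and keeps the "local is allowed" behaviour described in the comment. readXmlDocument's body continues past the end of the hunk.
```java
        String urlHost = url.getHost();
        if (urlHost.isEmpty() && "jar".equals(url.getProtocol())) {
            // Let the jar handler split off the wrapped URL so that the host we check is the
            // one openStream() will contact; openConnection() does not connect for jar: URLs.
            java.net.URLConnection conn = url.openConnection();
            if (!(conn instanceof java.net.JarURLConnection)) {
                throw new IOException("Cannot determine host from jar URL: " + url);
            }
            urlHost = ((java.net.JarURLConnection) conn).getJarFileURL().getHost();
        }
        // … unchanged: allow-list check, warning and IOException for a non-allowed host …
```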

