[ https://issues.apache.org/jira/browse/OFBIZ-13162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17901672#comment-17901672 ]
ASF subversion and git services commented on OFBIZ-13162:
---------------------------------------------------------
Commit c36b6f555762e031a9f087af2818294a4d536f20 in ofbiz-framework's branch
refs/heads/release24.09 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=c36b6f5557 ]
Improved: Prevent URL parameters manipulation (OFBIZ-13147)
This follows Leïla's comment. It simplifies the SecuredUpload::isValidEncodedText
content and renames it isNotValidEncodedText
Also 3 new deniedWebShellTokens are added, some more to come
To quickly test on trunk demo the fix from OFBIZ-13162 is temporarily reverted
Conflict handled by hand in SecuredUpload.java
> [SECURITY] (CVE-2024-48962) Enhance Parameter Encoding in MacroMenuRenderer
> ----------------------------------------------------------------------------
>
> Key: OFBIZ-13162
> URL: https://issues.apache.org/jira/browse/OFBIZ-13162
> Project: OFBiz
> Issue Type: Sub-task
> Reporter: Deepak Dixit
> Assignee: Deepak Dixit
> Priority: Major
> Fix For: 18.12.17
>
>
> {{MacroMenuRenderer}} should utilize {{UtilCodec.SimpleEncoder}} to encode
> parameter values when available.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)