[ https://issues.apache.org/jira/browse/OFBIZ-13175?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17902257#comment-17902257 ]

Jacques Le Roux commented on OFBIZ-13175:
-----------------------------------------

Actually only refusing access to webtools/control/TestSuiteInfo should be 
enough, see bottom of OFBIZ-12312

> The links in webtools/control/TestSuiteInfo are not accepted
> ------------------------------------------------------------
>
>                 Key: OFBIZ-13175
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13175
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 24.09.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> The error is
> bq.ControlFilter |E| For security reason this URL is not accepted
> But that's not the initial reason.
> In the initial URI, the links contain a double slash "//". So when the query 
> string is normalized it's not like the initial one, hence the rejection.
> It seems that in ArtifactInfoForms::TestSuiteInfo the "//" is added, after 
> "RunTest" in
> bq.<hyperlink description="run suite" target="RunTest/${parameters.compName}/${suiteName}"/>
> and
> bq.<hyperlink description="run case" target="RunTest/${parameters.compName}/${suiteName}/${caseName}"/>
> But removing the slash just after "RunTest" in 
> ArtifactInfoForms::TestSuiteInfo does not work.
> I thought a quick and temporary workaround would be to replace "//" by "/" 
> in the initial query string in ControlFilter. But that does not work either.
> At the end of the process, with the returned URI
> bq.webtools/control/RunTest//entitytests
> we then get this error
> {noformat}
> 2024-11-14 16:14:31,865 |sse-nio-8443-exec-23 |ControlServlet                |E| Error in request handler:
> org.apache.ofbiz.webapp.control.RequestHandlerException: Unknown request [RunTest]; this request does not exist or cannot be called directly.
>         at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:409) ~[main/:?]
> {noformat}
> Maybe we could then redirect to
> bq.webtools/control/RunTest/entitytests
> But all that looks like ugly workarounds and I reckon we can do better by 
> tracing the initial reason. So I leave it like that for now.
> Finally, it's not related to "recent" changes in ControlFilter. If I comment 
> out the whole "// Reject wrong URLs" block we still get the last error 
> message above.
> The issue could be related to OFBIZ-12312, or to other changes since, maybe 
> unrelated to OFBIZ-12312...
> I have also spotted that in ArtifactInfoScreens::TestSuiteInfo in the line
> bq.<screenlet title="Component: ${parameters.compName}">
> compName has no value; parameters.componentName is always "webtools" so 
> can't be used instead.
> There is also an error in 18.12 but it's not the same:
> bq.java.lang.IllegalArgumentException: Error running script at location 
> component://webtools/groovyScripts/artifactinfo/TestSuiteInfo.groovy]: 
> java.lang.IllegalArgumentException: Error reading XML document from 
> ResourceHandler for loader [main] and location [testdef/ProductTest.xml]
> I did not dig further.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
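
The normalize-and-compare rejection described in the issue, as an added example that is not OFBiz code and not part of the original message. It assumes `java.net.URI.normalize()` as the normalizer; the class name, method names and the leading-slash sample URIs are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class NormalizedUriCheck {

    // Assumption: java.net.URI.normalize() stands in for the filter's normalizer.
    // It removes "." and ".." segments and collapses redundant slashes.
    // Returns null when the input cannot be parsed as a URI at all.
    static String normalize(String uri) {
        try {
            return new URI(uri).normalize().toString();
        } catch (URISyntaxException e) {
            return null;
        }
    }

    // Accept a request URI only if normalization leaves it unchanged.
    static boolean isAccepted(String initialUri) {
        return initialUri.equals(normalize(initialUri));
    }

    public static void main(String[] args) {
        // Constructed samples built from the paths quoted in the issue.
        List<String> samples = List.of(
            "/webtools/control/RunTest//entitytests",
            "/webtools/control/RunTest/entitytests",
            "/webtools/control/../control/TestSuiteInfo",
            "/webtools/control/./TestSuiteInfo");
        for (String uri : samples) {
            System.out.printf("%-44s normalized=%-40s %s%n", uri, normalize(uri),
                    isAccepted(uri) ? "accepted" : "rejected");
        }
    }
}
```

A check of this shape cannot tell a link that was merely generated with an empty path segment from a dot-segment path: it only sees that the normalized form differs from the request, so both are rejected with the same message.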
