Improved: Prevent URL parameters manipulation (OFBIZ-13147)
In previous commits I added checks to ControlFilter.java that are no longer
needed, so this commit removes the whole block. A better solution will be tested
in trunk and hopefully backported later.
JacquesLeRoux committed Nov 8, 2024
1 parent 42d0ad8 commit de26aae
Showing 1 changed file with 0 additions and 15 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

Expand All @@ -36,9 +34,7 @@
import javax.servlet.http.HttpServletResponse;

import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.entity.GenericValue;
import org.apache.ofbiz.security.SecuredUpload;
import org.apache.ofbiz.security.SecurityUtil;

/*
Expand Down Expand Up @@ -143,17 +139,6 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha

// Reject wrong URLs
if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
String queryString = httpRequest.getQueryString();
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
if (UtilValidate.isUrl(queryString)
|| !SecuredUpload.isValidText(queryString, Collections.emptyList())
&& isSolrTest()) {
Debug.logError("For security reason this URL is not accepted", module);
throw new RuntimeException("For security reason this URL is not accepted");
}
}

try {
String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
.normalize().toString()
Expand Down
