Fixed: Logout may create a "HTTP Status 500 - Internal Server Error" …

…(OFBIZ-13136) Using <tracking-mode>COOKIE</tracking-mode> did not work. A workaround is to check we don't need to handle the CVE-2024-32113, bypassing by using if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
apache · Sep 8, 2024 · ff72e55 · ff72e55 · saicharanreddykowkuntla · Sep 26, 2024
1 parent 1940a9d
commit ff72e55
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,17 +134,19 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             String requestUri = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
 
             // Reject wrong URLs
-            try {
-                String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
-                        .normalize().toString()
-                        .replaceAll(";", "")
-                        .replaceAll("(?i)%2e", "");
-                if (!((HttpServletRequest) request).getRequestURL().toString().equals(url)) {
-                    Debug.logError("For security reason this URL is not accepted", module);
-                    throw new RuntimeException("For security reason this URL is not accepted");
+            if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
+                try {
+                    String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
+                            .normalize().toString()
+                            .replaceAll(";", "")
+                            .replaceAll("(?i)%2e", "");
+                    if (!((HttpServletRequest) request).getRequestURL().toString().equals(url)) {
+                        Debug.logError("For security reason this URL is not accepted", module);
+                        throw new RuntimeException("For security reason this URL is not accepted");
+                    }
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException(e);
                 }
-            } catch (URISyntaxException e) {
-                throw new RuntimeException(e);
             }
 
             int offset = requestUri.indexOf("/", 1);