This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push: new d1eb477355 Fixed: Reject wrong URLs (OFBIZ-13006) d1eb477355 is described below commit d1eb4773550aee43ca18166791332e6e516a469f Author: Jacques Le Roux <jacques.le.r...@les7arts.com> AuthorDate: Thu Apr 11 14:49:34 2024 +0200 Fixed: Reject wrong URLs (OFBIZ-13006) Some URLs need to be rejected before they create problems
--- .../java/org/apache/ofbiz/webapp/control/ControlFilter.java | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index a22888b9f5..6a09e9b49b 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -160,6 +160,16 @@ public class ControlFilter extends HttpFilter {
 }
 }
 
+ // Reject wrong URLs
+ try {
+ String url = new URI(req.getRequestURL().toString()).normalize().toString();
+ if (!req.getRequestURL().toString().equals(url)) {
+ throw new RuntimeException();
+ }
+ } catch (URISyntaxException e) {
+ throw new RuntimeException(e);
+ }
+
 // normalize to remove ".." special name usage to bypass webapp filter
 try {
 uri = new URI(uri).normalize().toString();
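Review bot: The rejection path in the added block throws a bare `RuntimeException()` (and wraps `URISyntaxException` the same way), so a request whose URL fails the normalize comparison surfaces as a container 500 with no message, which is hard to diagnose from logs and is the wrong status for a problem in client-supplied input; this is request validation and should end the filter with a 4xx response instead of propagating an exception. `req.getRequestURL().toString()` is also evaluated twice in the new block; computing it once into a local makes the comparison clearer. The enclosing `doFilter` method starts and ends outside the hunk, so the response parameter name used below (`resp`), its `throws IOException` clause and the `HttpServletResponse` import are assumed from the `HttpFilter` signature and should be confirmed. The comment `// Reject wrong URLs` states what rather than why; `// Reject request URLs that URI.normalize() would rewrite (dot-segments), since later checks assume a canonical path` would explain the comparison.
```java
        // Reject request URLs that URI.normalize() would rewrite (dot-segments)
        String requestUrl = req.getRequestURL().toString();
        try {
            if (!new URI(requestUrl).normalize().toString().equals(requestUrl)) {
                resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        } catch (URISyntaxException e) {
            // a malformed request URL is a client error, not a server fault
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        // … unchanged: normalize of uri and the rest of doFilter …
```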