This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e4919d1  Fixed: IndexOutOfBoundsException on Entity Import 
(OFBIZ-12273)
e4919d1 is described below

commit e4919d16ca33face162defb0e3a07373a8f9f374
Author: Jacques Le Roux <[email protected]>
AuthorDate: Tue Jul 6 14:30:39 2021 +0200

    Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)
    
    Removes the localhost (and 127.0.0.1) OOTB.
    Allows using it through a "multi-property" (list) in security.properties.
---
 .../java/org/apache/ofbiz/base/util/UtilHttp.java  | 27 ++++++++++++++++++----
 framework/security/config/security.properties      |  6 ++++-
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git 
a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java 
b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index e4b0fc1..1ce2e00 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -1736,11 +1736,14 @@ public final class UtilHttp {
                         + "([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)*)*"
                         + "(#([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)?\\b");
 
-        if (input.contains("component://")
-                || input.contains("https://localhost";) // We consider 
localhost a safe dev env
-                || input.contains("https://127.0.0.1";)) {
-            result.add(input);
-        } else {
+        List<String> allowedProtocols = getAllowedProtocols();
+        for (String protocol : allowedProtocols) {
+            if (input.contains(protocol)) {
+                result.add(input);
+            }
+        }
+
+        if (result.isEmpty()) {
             Matcher matcher = pattern.matcher(input);
             while (matcher.find()) {
                 result.add(matcher.group());
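Review bot: The added `if (input.contains(protocol))` test accepts the whole input and skips the URL-extraction regex whenever a configured entry occurs anywhere in the text; with the values `localhost,127.0.0.1` set in security.properties in this same commit, a bare substring test also matches inputs such as `https://localhost.example.org/...` (constructed example) or any text that merely mentions `localhost`, whereas the removed check at least required the `https://localhost` prefix. Matching the configured entry against the scheme and host of each URL the `pattern` matcher finds, or requiring the configured value to carry its scheme, would keep the exemption bound to the intended origins. Separately, the loop adds `input` once per matching entry, so a text mentioning both default entries comes back twice; `if (allowedProtocols.stream().anyMatch(input::contains)) { result.add(input); }` removes both the duplicate and the loop. The enclosing method starts before this hunk and continues in the next one.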
@@ -1749,4 +1752,18 @@ public final class UtilHttp {
 
         return result;
     }
+
+    private static List<String> getAllowedProtocols() {
+        List<String> allowedProtocolList = new LinkedList<>();
+        allowedProtocolList.add("component://");
+        String allowedProtocols = UtilProperties.getPropertyValue("security", 
"allowedProtocols");
+        if (UtilValidate.isNotEmpty(allowedProtocols)) {
+            List<String> allowedProtocolsList = 
StringUtil.split(allowedProtocols, ",");
+            for (String protocol : allowedProtocolsList) {
+                allowedProtocolList.add(protocol);
+            }
+        }
+        return allowedProtocolList;
+    }
+
 }
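Review bot: getAllowedProtocols adds every comma-separated entry verbatim, so a trailing comma or a stray space in `allowedProtocols` (e.g. `localhost, 127.0.0.1`) produces an entry that is empty or starts with whitespace; an empty entry makes `input.contains(protocol)` true for every input in the caller and disables the URL filter entirely, unless StringUtil.split already drops empty tokens (not visible here). Trim each entry and skip blanks before adding it. The method also lacks a Javadoc; it should state that the returned list holds substrings whose presence marks an input as trusted (`component://` plus the entries of the `allowedProtocols` property in security.properties), that the values are host names rather than protocols despite the name, and that the property is re-read on every call. For a list that is only appended to and iterated, `ArrayList` would be the conventional choice over `LinkedList`.
```java
    private static List<String> getAllowedProtocols() {
        List<String> allowedProtocolList = new LinkedList<>();
        allowedProtocolList.add("component://");
        String allowedProtocols = UtilProperties.getPropertyValue("security", "allowedProtocols");
        if (UtilValidate.isNotEmpty(allowedProtocols)) {
            for (String protocol : StringUtil.split(allowedProtocols, ",")) {
                String entry = protocol.trim();
                // An empty entry would make input.contains(entry) true for every input.
                if (!entry.isEmpty()) {
                    allowedProtocolList.add(entry);
                }
            }
        }
        return allowedProtocolList;
    }
```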
diff --git a/framework/security/config/security.properties 
b/framework/security/config/security.properties
index e37ba2c..00d1e6f 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -236,4 +236,8 @@ afterlogin.lastvisit.show=
 
 #-- uri used for login (cf jira OFBIZ-12047)
 #-- it's a list, each uri should be separated by comma, without space
-login.uris=login
\ No newline at end of file
+login.uris=login
+
+#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can 
uncomment the allowedProtocols property, here given as an example
+#-- You may also put other protocols you want to use, instead or with those
+allowedProtocols=localhost,127.0.0.1
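Review bot: `allowedProtocols=localhost,127.0.0.1` is added uncommented, so localhost and 127.0.0.1 stay accepted out of the box, which contradicts both the comment two lines above ("you can uncomment the allowedProtocols property, here given as an example") and the commit message's "Removes the localhost (and 127.0.0.1) OOTB". Ship the line commented out, `#allowedProtocols=localhost,127.0.0.1`, so the relaxation is an explicit opt-in. The comment should also say that each value is matched as a substring of the checked input, and, as the `login.uris` comment does, that entries are separated by commas without spaces.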
