This is an automated email from the ASF dual-hosted git repository.
mbrohl pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 598f70f501 Improved: Make loading of data containing urls configurable
(OFBIZ-12670)
598f70f501 is described below
commit 598f70f50116bb4aaae950b35c8f2906613bc9ab
Author: Michael Brohl <michael.br...@ecomify.de>
AuthorDate: Tue Jul 19 13:19:51 2022 +0200
Improved: Make loading of data containing urls configurable
(OFBIZ-12670)
Introduces a SystemProperty security/security.datafile.loadurls.enable
which can be set to true to allow loading of urls in the XML import.
---
framework/webtools/config/WebtoolsUiLabels.xml | 4 ++++
.../main/java/org/apache/ofbiz/webtools/WebToolsServices.java | 9 ++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/framework/webtools/config/WebtoolsUiLabels.xml
b/framework/webtools/config/WebtoolsUiLabels.xml
index cc06e39504..824f5a567e 100644
--- a/framework/webtools/config/WebtoolsUiLabels.xml
+++ b/framework/webtools/config/WebtoolsUiLabels.xml
@@ -2113,6 +2113,10 @@
<value xml:lang="zh">错误:读取文件名 ${filename}:${errorString}</value>
<value xml:lang="zh-TW">錯誤:讀取檔案名 ${filename}:${errorString}</value>
</property>
+ <property key="WebtoolsErrorDatafileLoadUrlNotEnabled">
+ <value xml:lang="en">ERROR: For security reason HTTP URLs are not
accepted, see OFBIZ-12304. Rather load your data from a file or set
SystemProperty security.datafile.loadurls.enable = true</value>
+ <value xml:lang="de">FEHLER: Aus Sicherheitsgründen wird das Laden von
HTTP Urls nicht erlaubt. Laden Sie die Daten über eine Datei oder setzen Sie
die SystemProperty security.datafile.loadurls.enable = true.</value>
+ </property>
<property key="WebtoolsErrorReadingTemplateFile">
<value xml:lang="en">ERROR: reading template file ${filename}:
${errorString}</value>
<value xml:lang="fr">ERREUR : lors de la lecture du fichier modèle
${filename}, une exception c'est levée (${errorString})</value>
diff --git
a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index b7f5b56d76..e9af09091b 100644
---
a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++
b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -84,6 +84,7 @@ import org.apache.ofbiz.entity.util.EntityDataLoader;
import org.apache.ofbiz.entity.util.EntityListIterator;
import org.apache.ofbiz.entity.util.EntityQuery;
import org.apache.ofbiz.entity.util.EntitySaxReader;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
import org.apache.ofbiz.entityext.EntityGroupUtil;
import org.apache.ofbiz.security.Security;
import org.apache.ofbiz.service.DispatchContext;
@@ -108,6 +109,7 @@ public class WebToolsServices {
public static Map<String, Object> entityImport(DispatchContext dctx,
Map<String, ? extends Object> context) {
GenericValue userLogin = (GenericValue) context.get("userLogin");
LocalDispatcher dispatcher = dctx.getDispatcher();
+ Delegator delegator = dctx.getDelegator();
Locale locale = (Locale) context.get("locale");
List<String> messages = new LinkedList<String>();
@@ -143,10 +145,11 @@ public class WebToolsServices {
// #############################
// FM Template
// #############################
- if (UtilValidate.urlInString(fulltext)) {
+ if (UtilValidate.urlInString(fulltext)
+ &&
!"true".equals(EntityUtilProperties.getPropertyValue("security",
"security.datafile.loadurls.enable", "false", delegator))) {
Debug.logError("For security reason HTTP URLs are not accepted,
see OFBIZ-12304", module);
- Debug.logInfo("Rather load your data from a file", module);
- return null;
+ Debug.logInfo("Rather load your data from a file or set
SystemProperty security.datafile.loadurls.enable = true", module);
+ return ServiceUtil.returnError(UtilProperties.getMessage(resource,
"WebtoolsErrorDatafileLoadUrlNotEnabled", locale));
}
if (UtilValidate.isNotEmpty(fmfilename) &&
(UtilValidate.isNotEmpty(fulltext) || url != null)) {
File fmFile = new File(fmfilename);
