This is an automated email from the ASF dual-hosted git repository. jacopoc pushed a commit to branch release24.09 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit b6ae5181cf13abcfc8e676e5ea9e912e4cc8313d
Author: Jacopo Cappellato <[email protected]>
AuthorDate: Wed Mar 11 08:32:00 2026 +0100
Fixed: Validate URLs in widget factories to reject invalid locations
---
.../src/main/java/org/apache/ofbiz/widget/model/FormFactory.java | 7 +++++++
.../src/main/java/org/apache/ofbiz/widget/model/GridFactory.java | 7 +++++++
.../src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java | 3 +++
.../src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java | 2 +-
.../src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java | 4 ++++
5 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
index d435432040..80753d4d07 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/FormFactory.java
@@ -29,6 +29,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.UtilHttp;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.UtilXml;
 import org.apache.ofbiz.base.util.cache.UtilCache;
 import org.apache.ofbiz.entity.Delegator;
@@ -55,6 +56,9 @@ public class FormFactory {
 VisualTheme visualTheme, DispatchContext dispatchContext) throws IOException, SAXException, ParserConfigurationException {
 URL formFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (formFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(formFileUrl.toString())) {
+ throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
+ }
 Document formFileDoc = UtilXml.readXmlDocument(formFileUrl, true, true);
 return readFormDocument(formFileDoc, entityModelReader, visualTheme, dispatchContext, resourceName);
 }
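Review bot: The new guard applies `isUrlInStringAndDoesNotStartByComponentProtocol` to `formFileUrl.toString()`, i.e. to the URL that `FlexibleLocation.resolveLocation` has already produced, not to the caller-supplied `resourceName`; if the resolver rewrites a `component://` location into a `file:` or `jar:` URL, the predicate is testing a string the attacker never wrote, so the change needs a test that a legitimate `component://.../Forms.xml` still loads and that `http://`, `https://` and `file:` inputs throw. Checking the raw location before resolving, `if (UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(resourceName)) { throw new IllegalArgumentException(...); }`, would make the policy independent of the resolver's output format. The added throw also reuses the message `"Could not resolve location to URL: "`, so a log reader cannot distinguish a missing file from a blocked external location; a distinct message such as `"Rejected non-component widget location: "` plus a warning-level log entry would give detection something to alert on. The enclosing method's signature starts before this hunk.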
@@ -68,6 +72,9 @@ public class FormFactory {
 ModelForm modelForm = FORM_LOCATION_CACHE.get(cacheKey);
 if (modelForm == null) {
 URL formFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (formFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(formFileUrl.toString())) {
+ throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
+ }
 Document formFileDoc = UtilXml.readXmlDocument(formFileUrl, true, true);
 if (formFileDoc == null) {
 throw new IllegalArgumentException("Could not find resource [" + resourceName + "]");
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
index 71875932ef..a615114ad6 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/GridFactory.java
@@ -30,6 +30,7 @@ import javax.xml.parsers.ParserConfigurationException;
 import org.apache.ofbiz.base.location.FlexibleLocation;
 import org.apache.ofbiz.base.util.UtilHttp;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.UtilXml;
 import org.apache.ofbiz.base.util.cache.UtilCache;
 import org.apache.ofbiz.entity.Delegator;
@@ -57,6 +58,9 @@ public class GridFactory {
 VisualTheme visualTheme, DispatchContext dispatchContext) throws IOException, SAXException, ParserConfigurationException {
 URL gridFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (gridFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(gridFileUrl.toString())) {
+ throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
+ }
 Document gridFileDoc = UtilXml.readXmlDocument(gridFileUrl, true, true);
 return readGridDocument(gridFileDoc, entityModelReader, visualTheme, dispatchContext, resourceName);
 }
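Review bot: The same three-line guard that follows `FlexibleLocation.resolveLocation(resourceName)` here is pasted verbatim into six call sites across five factories, which makes it easy for the next factory, or the next refactor of one of these cache-miss branches, to silently drop the control. A single helper that resolves, validates and throws, for example `private static URL resolveCheckedLocation(String resourceName)` declaring whatever checked exception `resolveLocation` throws, placed on `FlexibleLocation` or a shared widget utility, would keep the allow-list policy in one spot and let one unit test cover every factory. If sibling factories exist that load widget XML the same way but are not in this commit, they would need the same guard. The `if (modelForm == null)` block continues past the end of this hunk.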
@@ -70,6 +74,9 @@ public class GridFactory {
 ModelGrid modelGrid = GRID_LOCATION_CACHE.get(cacheKey);
 if (modelGrid == null) {
 URL gridFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (gridFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(gridFileUrl.toString())) {
+ throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
+ }
 Document gridFileDoc = UtilXml.readXmlDocument(gridFileUrl, true, true);
 if (gridFileDoc == null) {
 throw new IllegalArgumentException("Could not find resource [" + resourceName + "]");
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
index 5f9ada6b69..91455398cf 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/MenuFactory.java
@@ -107,6 +107,9 @@ public class MenuFactory {
 Map<String, ModelMenu> modelMenuMap = MENU_LOCATION_CACHE.get(keyName);
 if (modelMenuMap == null) {
 URL menuFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (menuFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(menuFileUrl.toString())) {
+ throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
+ }
 Document menuFileDoc = UtilXml.readXmlDocument(menuFileUrl, true, true);
 modelMenuMap = readMenuDocument(menuFileDoc, resourceName, visualTheme);
 MENU_LOCATION_CACHE.putIfAbsent(keyName, modelMenuMap);
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
index abfd305737..4a8f942e73 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/ThemeFactory.java
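Review bot: The added `throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName)` in MenuFactory embeds `resourceName` verbatim, and on this path the value is precisely what the guard just classified as an untrusted, non-component location; if the widget renderer or an error screen writes exception messages into the response, that reflects attacker-controlled input and must be escaped or truncated at that boundary, which is worth confirming for where this exception surfaces. Truncating or quoting the value in the message, e.g. `"Rejected widget location [" + resourceName + "]"`, keeps the log useful while making the reflected string easier to spot. The diffstat lists 3 insertions for MenuFactory with no import hunk, so `UtilValidate` is presumably already imported in this file. The `if (modelMenuMap == null)` block continues past the end of this hunk.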
@@ -180,7 +180,7 @@ public final class ThemeFactory {
 if (modelTheme == null) {
 URL themeFileUrl = null;
 themeFileUrl = FlexibleLocation.resolveLocation(resourceName);
- if (themeFileUrl == null) {
+ if (themeFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(themeFileUrl.toString())) {
 throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
 }
 Document themeFileDoc = UtilXml.readXmlDocument(themeFileUrl, true, true);
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
index babc7553d1..c32e381741 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/model/TreeFactory.java
@@ -26,6 +26,7 @@ import java.util.Map;
 import javax.xml.parsers.ParserConfigurationException;
 import org.apache.ofbiz.base.location.FlexibleLocation;
+import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.UtilXml;
 import org.apache.ofbiz.base.util.cache.UtilCache;
 import org.apache.ofbiz.entity.Delegator;
@@ -50,6 +51,9 @@ public class TreeFactory {
 Map<String, ModelTree> modelTreeMap = TREE_LOCATION_CACHE.get(resourceName);
 if (modelTreeMap == null) {
 URL treeFileUrl = FlexibleLocation.resolveLocation(resourceName);
+ if (treeFileUrl == null || UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol(treeFileUrl.toString())) {
+ throw new IllegalArgumentException("Could not resolve location to URL: " + resourceName);
+ }
 Document treeFileDoc = UtilXml.readXmlDocument(treeFileUrl, true, true);
 modelTreeMap = readTreeDocument(treeFileDoc, delegator, dispatcher, resourceName);
 modelTreeMap = TREE_LOCATION_CACHE.putIfAbsentAndGet(resourceName, modelTreeMap);
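Review bot: None of the new guards, including the one added before `UtilXml.readXmlDocument(treeFileUrl, true, true)` in TreeFactory, says why it exists, and a bare `UtilValidate.isUrlInStringAndDoesNotStartByComponentProtocol` call reads like routine input validation rather than a security control, so a later cleanup could remove it without realising what it protects. A short why-comment above the `if`, for example `// Security: widget definitions may only be loaded from component:// locations; reject anything else so a caller-influenced location cannot pull XML from an external or arbitrary local source`, would anchor it, and a reference to the issue tracking this fix in the commit message would help auditors map the change to the reported weakness. A regression test that feeds an `http://` and a `file:` location to each factory and asserts `IllegalArgumentException` would lock the behaviour in. The `if (modelTreeMap == null)` block continues past the end of this hunk.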

