This is an automated email from the ASF dual-hosted git repository.
jacopoc pushed a change to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
from fa11d34490 Improved: Move solr component to Attic (OFBIZ-13220)
new d8a62e8f5c Improved: Rename 2 UtilValidate class methods for clarity (OFBIZ-13160) Backported from trunk efb43da46a with minor modifications.
new 6ba1356af6 Implemented: Remove demo secret keys from security.property and add a gradle task to generate and set the keys Backported from trunk 185c9a0406 with minor modifications.
new 8f8ba1bdea Improved: Enhance GroovyUtil with secure AST customizations for eval() expressions to implement an execution sandbox
new 6adadde4fb Implemented: Introduce RestrictedStaticModels to enforce whitelist access to static methods and fields by means of the FreeMarker "Static" shared variable
new 9734714eb8 Improved: Enhance data resource validation and permission checks Backported from trunk af8ee514a2 with minor modifications.
new dd82358825 Fixed: Update viewShipmentLabel request to require authentication
new b6ae5181cf Fixed: Validate URLs in widget factories to reject invalid locations
new fee3505307 Fixed: Enhance sanitization of FreeMarker parameters to check both strings and lists
new 60c19683f9 Fixed: Enhance URL verification to handle jar URLs
new 6b519ed996 Improved: Enhance file upload validation with allowlist and path checks Backported from trunk da0febe182 with minor modifications.
The 10 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
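The commit 6adadde4fb above describes restricting the FreeMarker "Static" shared variable to an allowlist of classes. The following is an added illustration of that general technique, written for this page; it is not OFBiz's RestrictedStaticModels and does not reflect its code or the contents of freemarker-whitelist.properties. The class name AllowlistedStatics, the two allowed class names and the FreeMarker 2.3.32 version constant are assumptions. The security point it shows: an unrestricted "Static" variable backed by BeansWrapper.getStaticModels() lets any template author reach arbitrary JVM classes (the well-known template-injection shape Static["java.lang.Runtime"].getRuntime().exec(...)), whereas a hash model that only resolves allowlisted class names throws before the delegate is ever consulted.

```java
import java.util.Set;

import freemarker.ext.beans.BeansWrapper;
import freemarker.ext.beans.BeansWrapperBuilder;
import freemarker.template.Configuration;
import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;

/**
 * Hypothetical allowlist wrapper around FreeMarker's static-models hash.
 * Added example for this page; not the OFBiz RestrictedStaticModels class.
 */
public final class AllowlistedStatics implements TemplateHashModel {

    private final TemplateHashModel delegate;
    private final Set<String> allowedClasses;

    public AllowlistedStatics(TemplateHashModel delegate, Set<String> allowedClasses) {
        this.delegate = delegate;
        // Defensive copy so callers cannot widen the allowlist after wiring.
        this.allowedClasses = Set.copyOf(allowedClasses);
    }

    /** True only for fully qualified class names on the allowlist. */
    public boolean isAllowed(String className) {
        return className != null && allowedClasses.contains(className);
    }

    /**
     * Template lookups such as Static["java.lang.Math"] land here. Anything not
     * allowlisted fails closed; the delegate (which could resolve any class on
     * the classpath) is never asked for a denied name.
     */
    @Override
    public TemplateModel get(String className) throws TemplateModelException {
        if (!isAllowed(className)) {
            throw new TemplateModelException(
                "Static access to class '" + className + "' is not permitted in templates");
        }
        return delegate.get(className);
    }

    @Override
    public boolean isEmpty() {
        return allowedClasses.isEmpty();
    }

    /**
     * Wires the restricted model in as the "Static" shared variable. The
     * allowlist contents here are an assumption for the example only.
     */
    public static Configuration newConfiguration() throws TemplateModelException {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_32);
        BeansWrapper wrapper = new BeansWrapperBuilder(Configuration.VERSION_2_3_32).build();

        // Unrestricted: wrapper.getStaticModels() resolves any loadable class.
        TemplateHashModel unrestricted = wrapper.getStaticModels();

        // Restricted: only these two classes are reachable from templates.
        Set<String> allowed = Set.of("java.lang.Math", "java.util.Collections");
        cfg.setSharedVariable("Static", new AllowlistedStatics(unrestricted, allowed));
        return cfg;
    }

    public static void main(String[] args) throws Exception {
        Configuration cfg = newConfiguration();
        AllowlistedStatics statics = (AllowlistedStatics) cfg.getSharedVariable("Static");

        // ${Static["java.lang.Math"].max(1, 2)} resolves normally.
        System.out.println("Math allowed: " + statics.isAllowed("java.lang.Math"));

        // ${Static["java.lang.Runtime"].getRuntime().exec("id")} is refused
        // at the class lookup, before any method can be invoked.
        try {
            statics.get("java.lang.Runtime");
        } catch (TemplateModelException e) {
            System.out.println("Denied: " + e.getMessage());
        }
    }
}
```

Two points a reviewer would check against any real implementation of this pattern: the allowlist must be keyed on the fully qualified class name exactly as templates spell it, since the hash lookup receives the raw string from the template; and the check must sit in front of the delegate rather than filtering its results afterwards, because BeansWrapper's static model for a class already exposes every public static method and field of that class.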
Summary of changes:
applications/content/servicedef/services_data.xml | 2 +
.../org/apache/ofbiz/content/data/DataEvents.java | 10 +-
.../ofbiz/content/data/DataResourceWorker.java | 272 +++++++++++++-
.../product/catalog/category/EditCategory.groovy | 6 +
.../config/EditProductConfigItemContent.groovy | 6 +
.../catalog/imagemanagement/ImageUpload.groovy | 6 +
.../catalog/imagemanagement/SetDefaultImage.groovy | 12 +
.../catalog/product/EditProductContent.groovy | 6 +
.../ofbiz/product/product/ProductServices.java | 74 +++-
.../product/webapp/facility/WEB-INF/controller.xml | 2 +-
build.gradle | 33 +-
.../org/apache/ofbiz/base/util/GroovyUtil.java | 45 ++-
.../ofbiz/base/util/HttpRequestFileUpload.java | 19 +-
.../org/apache/ofbiz/base/util/ScriptUtil.java | 4 +-
.../java/org/apache/ofbiz/base/util/UtilHttp.java | 2 +-
.../org/apache/ofbiz/base/util/UtilValidate.java | 12 +-
.../java/org/apache/ofbiz/base/util/UtilXml.java | 23 +-
.../ofbiz/base/util/template/FreeMarkerWorker.java | 22 +-
.../base/util/template/RestrictedStaticModels.java | 178 ++++++++++
.../apache/ofbiz/base/util/UtilValidateTests.java | 46 +++
.../apache/ofbiz/entity/util/EntitySaxReader.java | 4 +-
.../config/freemarker-whitelist.properties | 159 +++++++++
framework/security/config/security.properties | 50 ++-
.../apache/ofbiz/security/SecuredFreemarker.java | 45 ++-
.../org/apache/ofbiz/security/SecuredUpload.java | 389 ++++++++++++++++++++-
.../ofbiz/service/engine/EntityAutoEngine.java | 7 +
.../apache/ofbiz/webapp/control/ControlFilter.java | 2 +-
.../apache/ofbiz/webapp/stats/VisitHandler.java | 2 +-
.../apache/ofbiz/webtools/WebToolsServices.java | 2 +-
.../org/apache/ofbiz/widget/model/FormFactory.java | 7 +
.../org/apache/ofbiz/widget/model/GridFactory.java | 7 +
.../org/apache/ofbiz/widget/model/MenuFactory.java | 3 +
.../apache/ofbiz/widget/model/ScreenFactory.java | 2 +-
.../apache/ofbiz/widget/model/ThemeFactory.java | 2 +-
.../org/apache/ofbiz/widget/model/TreeFactory.java | 4 +
35 files changed, 1381 insertions(+), 84 deletions(-)
create mode 100644 framework/base/src/main/java/org/apache/ofbiz/base/util/template/RestrictedStaticModels.java
create mode 100644 framework/base/src/test/java/org/apache/ofbiz/base/util/UtilValidateTests.java
create mode 100644 framework/security/config/freemarker-whitelist.properties