Hello,
inline
On 23/10/2024 at 09:24, jler...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
[...]
diff --git
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 9aa1734515..97fc721cc1 100644
---
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
[...]
@@ -169,7 +171,11 @@ public class ControlFilter extends HttpFilter {
String queryString = req.getQueryString();
if (queryString != null) {
queryString = URLDecoder.decode(queryString, "UTF-8");
- if (UtilValidate.isUrl(queryString)) {
+ if (UtilValidate.isUrl(queryString)
+ || !SecuredUpload.isValidText(queryString,
Collections.emptyList())
+ ||
!SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(),
Collections.emptyList())
+ ||
!SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(),
Collections.emptyList())
+ ||
!SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(),
Collections.emptyList())) { // ...
Debug.logError("For security reason this URL is not
accepted", MODULE);
throw new RuntimeException("For security reason this URL is
not accepted");
}
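Review bot: the three added branches `!SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), ...)`, and the `getMimeDecoder()` / `getUrlDecoder()` variants, call `decode()` on the whole query string with no guard for `IllegalArgumentException`, so a query string that is not Base64 leaves the filter as an uncaught exception instead of being accepted or rejected. A normal query string has the form `key=value[&...]`, so its `=` separator arrives before the end of the input and every one of the three decoders rejects it; for `externalLoginKey=...` the `=` follows exactly 16 alphabet characters, which is the "wrong 4-byte ending unit" case shown in the stack trace below. Each decode should sit in its own try/catch, with a failure meaning "not Base64, nothing to check" rather than a 500. Separately, `decode()` returns `byte[]`, and `byte[].toString()` yields the array's identity string (`[B@...`), not the decoded content, so `isValidText` never sees the decoded payload; use `new String(decoded, StandardCharsets.UTF_8)` instead. Finally, because of the `||` chain the three decodes run on every request that passes `isUrl` and the plain-text check, so a cheap "looks like Base64" gate (alphabet and length) before decoding would cut both the cost and the exception surface.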
Perhaps this test would be a bit hard :)
Oct 23, 2024 11:45:55 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [ControlServlet] in context with path [/workeffort] threw exception
java.lang.IllegalArgumentException: Input byte array has wrong 4-byte ending unit
at java.base/java.util.Base64$Decoder.decode0(Base64.java:838)
at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:176)
at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:53)
After login, when I switch to a new webapp with the externalKey present in the URL
https://localhost:8443/workeffort/control/main?externalLoginKey=EL5ce9fb0f-1db8-4a1e-9824-cbd17cdd29d1
I'll investigate.
Nicolas
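The failure reported above, worked through as an added example; this is not OFBiz code and not taken from the commit. The class name, `decodeIfBase64`, `base64PayloadAcceptable`, and the stand-in `isValidText` are my own; the real `SecuredUpload.isValidText` is not reproduced, only imitated by a trivial check so the class compiles on its own.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;
import java.util.Optional;

// Added example, not part of OFBiz: decoding a query string as Base64
// without letting a non-Base64 string turn into an uncaught exception.
public class QueryStringBase64Probe {

    // Same three decoders as the filter, in the same order.
    private static final List<Base64.Decoder> DECODERS = List.of(
            Base64.getDecoder(), Base64.getMimeDecoder(), Base64.getUrlDecoder());

    // Try each decoder. IllegalArgumentException means "not Base64 in this
    // alphabet", which is the normal outcome for a key=value query string
    // (the '=' between key and value breaks the 4-character grouping), so
    // it is swallowed and the next decoder is tried. Returns the decoded
    // text only when some decoder accepted the whole input.
    static Optional<String> decodeIfBase64(String s) {
        for (Base64.Decoder decoder : DECODERS) {
            try {
                byte[] raw = decoder.decode(s);
                // raw.toString() would give "[B@<hash>", not the payload;
                // the bytes have to be turned into a String explicitly.
                return Optional.of(new String(raw, StandardCharsets.UTF_8));
            } catch (IllegalArgumentException notBase64) {
                // this alphabet rejected the input; try the next one
            }
        }
        return Optional.empty();
    }

    // Hypothetical stand-in for SecuredUpload.isValidText: rejects anything
    // containing '<' or a NUL byte. The real check is far more thorough.
    static boolean isValidText(String text) {
        return text.indexOf('<') < 0 && text.indexOf('\0') < 0;
    }

    // Accept unless the string is Base64 whose decoded content fails the
    // text check. A string that is not Base64 at all is accepted here; the
    // plain-text check on the raw query string is a separate step.
    static boolean base64PayloadAcceptable(String queryString) {
        return decodeIfBase64(queryString)
                .map(QueryStringBase64Probe::isValidText)
                .orElse(true);
    }

    public static void main(String[] args) {
        // Constructed inputs: the query string from the report, a Base64
        // encoding of a harmless value, and a Base64 encoding of a hostile one.
        String fromReport = "externalLoginKey=EL5ce9fb0f-1db8-4a1e-9824-cbd17cdd29d1";
        String harmless = Base64.getEncoder()
                .encodeToString("a=b".getBytes(StandardCharsets.UTF_8));
        String hostile = Base64.getEncoder()
                .encodeToString("<script>".getBytes(StandardCharsets.UTF_8));

        for (String q : List.of(fromReport, harmless, hostile)) {
            System.out.println(q);
            System.out.println("  decoded : " + decodeIfBase64(q).orElse("(not Base64)"));
            System.out.println("  accepted: " + base64PayloadAcceptable(q));
        }

        // Why calling toString() on the decoded array is the wrong conversion.
        byte[] raw = Base64.getDecoder().decode(harmless);
        System.out.println("raw.toString()       = " + raw.toString());
        System.out.println("new String(raw, UTF8) = " + new String(raw, StandardCharsets.UTF_8));
    }
}
```

Compile and run with `javac QueryStringBase64Probe.java && java QueryStringBase64Probe`. The report's query string falls through all three decoders: the `=` after the 16 characters of `externalLoginKey` lands on a 4-character boundary, which each decoder rejects as a bad ending unit, so the method returns an empty Optional and the request is left to the other checks instead of failing with an exception.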