Hello,

inline

On 23/10/2024 at 09:24, jler...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
[...]
diff --git 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 9aa1734515..97fc721cc1 100644
--- 
a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ 
b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
[...]
@@ -169,7 +171,11 @@ public class ControlFilter extends HttpFilter {
              String queryString = req.getQueryString();
              if (queryString != null) {
                  queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)) {
+                if (UtilValidate.isUrl(queryString)
+                        || !SecuredUpload.isValidText(queryString, 
Collections.emptyList())
+                        || 
!SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), 
Collections.emptyList())
+                        || 
!SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(),
 Collections.emptyList())
+                        || 
!SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(),
 Collections.emptyList())) { // ...
                      Debug.logError("For security reason this URL is not 
accepted", MODULE);
                      throw new RuntimeException("For security reason this URL is 
not accepted");
                  }
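Review bot: the new condition calls `Base64.getDecoder().decode(queryString)` (and the MIME and URL variants) unconditionally, and `decode` throws `IllegalArgumentException` whenever its input is not valid Base64; a URL-decoded `key=value&key2=value2` query string almost never is, so ordinary requests fail with an uncaught exception instead of passing through, which is exactly the `Input byte array has wrong 4-byte ending unit` failure in the stack trace below. A second issue on the same lines: `decode(...)` returns a `byte[]`, and `byte[].toString()` yields the array identity string (`[B@...`), not the decoded text, so `SecuredUpload.isValidText` never inspects the decoded content. Suggest moving each decode into a small helper that catches `IllegalArgumentException` (treating undecodable input as "not Base64" and skipping that branch) and converts with `new String(bytes, StandardCharsets.UTF_8)` before calling `isValidText`, e.g. `!SecuredUpload.isValidText(new String(Base64.getDecoder().decode(queryString), StandardCharsets.UTF_8), Collections.emptyList())` inside the try block.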

Perhaps this test would be a bit hard :)

Oct 23, 2024 11:45:55 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [ControlServlet] in context with path [/workeffort] threw exception java.lang.IllegalArgumentException: Input byte array has wrong 4-byte ending unit
    at java.base/java.util.Base64$Decoder.decode0(Base64.java:838)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:566)
    at java.base/java.util.Base64$Decoder.decode(Base64.java:589)
    at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:176)
    at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:53)

After login, when I switch to a new webapp with the externalKey present in the URL https://localhost:8443/workeffort/control/main?externalLoginKey=EL5ce9fb0f-1db8-4a1e-9824-cbd17cdd29d1

I'll investigate.

Nicolas