[jira] [Commented] (OFBIZ-8302) Sorting of lists generates undesired results

Sat, 31 Oct 2020 12:24:05 -0700 


    [ 
https://issues.apache.org/jira/browse/OFBIZ-8302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17224184#comment-17224184
 ] 

ASF subversion and git services commented on OFBIZ-8302:
--------------------------------------------------------

Commit 9cfd5a73e1a1a8df1056a025b4180e991905b76a in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9cfd5a7 ]

Fixed: Sorting of lists generates undesired results (OFBIZ-8302)

For this issue (OFBIZ-8302) I reverted the point 1 of
http://svn.apache.org/viewvc?view=revision&revision=1759555

As reported by Alvaro Munoz from GH security team it's not sufficient:
<<the second part of the fix was not effective, since the attacker can close the
raw string context with a double quote and write a new attribute or even close
the macro tag and write arbitrary FreeMarker code.>>

So this removes the 2nd part and add better solution to fix the OFBIZ-8302 issue
The solution is to encode only the QueryString and to handle it correctly in
UtilHttp::getParameterMap. I must say it was not a sinecure!

# Conflicts:
#       framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
#       
framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java


> Sorting of lists generates undesired results
> --------------------------------------------
>
>                 Key: OFBIZ-8302
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-8302
>             Project: OFBiz
>          Issue Type: Bug
>          Components: product
>    Affects Versions: Release Branch 15.12, Trunk
>            Reporter: Pierre Smits
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: Release Branch 13.07, Release Branch 14.12, 16.11.01, 
> Release Branch 15.12
>
>
> When trying to sort the overview of products in the product catalog on one of 
> the options, a blank screen is returned.
> As an example the following returned url:
> {code}
> https://ofbiz-vm.apache.org:8443/catalog/control/https%3A%2F%2Fofbiz-vm.apache.org%3A8443%2Fcatalog%2Fcontrol%2FFindProduct%3FsortField%3DproductId%26amp%3BnoConditionFind%3DY%26amp%3BproductId_ic%3DY%26amp%3BproductId_op%3Dcontains%26amp%3BinternalName_ic%3DY%26amp%3BinternalName_op%3Dcontains
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to