[ https://issues.apache.org/jira/browse/OFBIZ-8302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17224184#comment-17224184 ]
ASF subversion and git services commented on OFBIZ-8302:
--------------------------------------------------------

Commit 9cfd5a73e1a1a8df1056a025b4180e991905b76a in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9cfd5a7 ]

Fixed: Sorting of lists generates undesired results (OFBIZ-8302)

For this issue (OFBIZ-8302) I reverted point 1 of http://svn.apache.org/viewvc?view=revision&revision=1759555
As reported by Alvaro Munoz from the GH security team, it's not sufficient:
<<the second part of the fix was not effective, since the attacker can close the raw string context with a double quote and write a new attribute or even close the macro tag and write arbitrary FreeMarker code.>>
So this removes the 2nd part and adds a better solution to fix the OFBIZ-8302 issue.
The solution is to encode only the QueryString and to handle it correctly in UtilHttp::getParameterMap. I must say it was not a sinecure!

# Conflicts:
# framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
# framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

> Sorting of lists generates undesired results
> --------------------------------------------
>
> Key: OFBIZ-8302
> URL: https://issues.apache.org/jira/browse/OFBIZ-8302
> Project: OFBiz
> Issue Type: Bug
> Components: product
> Affects Versions: Release Branch 15.12, Trunk
> Reporter: Pierre Smits
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: Release Branch 13.07, Release Branch 14.12, 16.11.01, Release Branch 15.12
>
>
> When trying to sort the overview of products in the product catalog on one of the options, a blank screen is returned.
> As an example the following returned url:
> {code}
> https://ofbiz-vm.apache.org:8443/catalog/control/https%3A%2F%2Fofbiz-vm.apache.org%3A8443%2Fcatalog%2Fcontrol%2FFindProduct%3FsortField%3DproductId%26amp%3BnoConditionFind%3DY%26amp%3BproductId_ic%3DY%26amp%3BproductId_op%3Dcontains%26amp%3BinternalName_ic%3DY%26amp%3BinternalName_op%3Dcontains
> {code}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
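The commit message above states the approach (encode only the query string, then decode it again when building the parameter map) and the quoted issue shows the symptom of encoding the whole URL instead. The following is an added illustration of that approach, written for this page; it is not OFBiz code and does not reproduce UtilHttp::getParameterMap or MacroFormRenderer. The class and method names, the example.invalid host and the sample parameter values (including the constructed value containing a double quote) are all assumptions made for the example.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Illustrative helper (hypothetical; not part of OFBiz). Requires Java 10+ for the Charset overloads. */
public class SortLinkExample {

    /**
     * Build a sort link by percent-encoding each query-string name and value only.
     * Scheme, host and path are appended untouched, so the request still reaches the controller.
     */
    public static String buildSortLink(String baseUrl, Map<String, String> params) {
        StringBuilder sb = new StringBuilder(baseUrl);
        char sep = '?';
        for (Map.Entry<String, String> e : params.entrySet()) {
            sb.append(sep)
              .append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
            sep = '&';
        }
        return sb.toString();
    }

    /**
     * Decode a query string back into a parameter map. This is the counterpart the
     * server side needs once links are built as above: the application sees the
     * original values, while the rendered link itself never carried a raw quote.
     */
    public static Map<String, List<String>> parseQueryString(String queryString) {
        Map<String, List<String>> map = new LinkedHashMap<>();
        if (queryString == null || queryString.isEmpty()) {
            return map;
        }
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            map.computeIfAbsent(URLDecoder.decode(name, StandardCharsets.UTF_8), k -> new ArrayList<>())
               .add(URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return map;
    }

    public static void main(String[] args) {
        // Constructed sample parameters; the last value contains a double quote, the
        // character the commit message says must not reach the template's string context.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("sortField", "productId");
        params.put("noConditionFind", "Y");
        params.put("productId_ic", "Y\" extra=\"1");

        String base = "https://example.invalid/catalog/control/FindProduct"; // placeholder host
        String link = buildSortLink(base, params);
        System.out.println(link);
        // ...FindProduct?sortField=productId&noConditionFind=Y&productId_ic=Y%22+extra%3D%221
        // The quote is %22 and '=' is %3D: nothing in the link can terminate a quoted attribute.

        // Encoding the entire URL is the failure mode shown in the ticket: the scheme and
        // path become percent-encoded text appended to the controller path, hence a blank screen.
        String wholeUrlEncoded = URLEncoder.encode(link, StandardCharsets.UTF_8);
        System.out.println(wholeUrlEncoded);
        // https%3A%2F%2Fexample.invalid%2Fcatalog%2Fcontrol%2FFindProduct%3FsortField%3D...

        // Server side: decode only the query part; the original values come back intact.
        String query = link.substring(link.indexOf('?') + 1);
        System.out.println(parseQueryString(query));
        // {sortField=[productId], noConditionFind=[Y], productId_ic=[Y" extra="1]}
    }
}
```

The point of keeping the two halves separate is that the encoding is applied at exactly one layer (the query string inside the link) and undone at exactly one layer (parameter-map construction). Encoding more than the query string breaks routing, as the quoted URL shows; encoding less leaves a raw `"` available to whatever template later embeds the link.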