[ https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518055#comment-17518055 ]

ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------

Commit b5370cbf51f9442b70ff61ed288fd442ff657ef9 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b5370cbf51 ]

Fixed: Prevent Freemarker interpolation in fields (OFBIZ-12594)

I did not catch an issue put in by this feature because BuildBot is not running
for a few days (see INFRA-23076) and I don't always run tests locally (relying on
BuildBot, and GH Actions don't run tests).

This is the error the Solr tests throw otherwise:
<<Unfortunately, the stream was empty / not available. This may be caused by
another servlet filter calling ServletRequest.getParameter*() before
SolrDispatchFilter>>

Got an issue with the previous commit (I guess confusion with 22.01)


> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
>                 Key: OFBIZ-12594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12594
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker 
> exploits. But it's hard to realise because OFBiz exposes objects, like 
> attributes from the Servlet scopes. So in the meantime preventing Freemarker 
> interpolation in fields is a pragmatic solution.



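The quoted description calls blocking FreeMarker interpolation in submitted fields a pragmatic interim measure until OFBIZ-12587 stops exposing servlet-scope objects to templates. The following is an added example, not OFBiz code and not the approach the commit implements; it shows one way a defender can detect FreeMarker interpolation and directive markers in form field values and reject the request before the values reach any template. The marker list, the field names and the `find_suspicious_fields` helper are assumptions constructed for the example.

```python
import re

# Constructed pattern covering FreeMarker's interpolation and directive markers
# in both the angle-bracket and square-bracket syntaxes. Assumption: a submitted
# field value is data, never template text, so any marker is unwanted.
FREEMARKER_MARKERS = re.compile(
    r"\$\{"        # ${expr} interpolation
    r"|#\{"        # #{expr} legacy numerical interpolation
    r"|</?#\w"     # <#directive ...> and </#directive>
    r"|</?@\w"     # <@userDirective ...> and </@userDirective>
    r"|\[/?#\w"    # [#directive] square-bracket syntax
    r"|\[/?@\w"    # [@userDirective] square-bracket syntax
)


def contains_freemarker_syntax(value: str) -> bool:
    """True if the value holds anything FreeMarker would evaluate."""
    return FREEMARKER_MARKERS.search(value) is not None


def find_suspicious_fields(fields: dict) -> list:
    """Return the sorted names of string fields carrying FreeMarker markers.

    Non-string values (numbers, lists of files, ...) are skipped; the caller
    decides whether to reject the whole request or strip the offending fields.
    """
    return sorted(
        name
        for name, value in fields.items()
        if isinstance(value, str) and contains_freemarker_syntax(value)
    )


def validate_submission(fields: dict) -> dict:
    """Raise ValueError naming the offending fields, else return the fields.

    Rejecting is preferred over rewriting: there is no universally safe way
    to escape a value that may later be pasted into template source, so the
    submission is refused and logged for the operator.
    """
    bad = find_suspicious_fields(fields)
    if bad:
        raise ValueError("FreeMarker syntax not allowed in fields: " + ", ".join(bad))
    return fields


if __name__ == "__main__":
    # Constructed sample form submission with one benign and two hostile fields.
    sample = {
        "firstName": "Bob",
        "note": "Total is $5 and {braces} are fine",
        "lastName": "${request.getAttribute('x')}",
        "company": "<#assign y=1>",
    }
    print("suspicious:", find_suspicious_fields(sample))
    try:
        validate_submission(sample)
    except ValueError as exc:
        print("rejected:", exc)
```

The check is deliberately a reject-and-log rule rather than an escaping routine: a lone `$` or a plain `{` in a value is left alone, while any sequence FreeMarker would actually parse is refused, which keeps the false-positive rate low for ordinary text such as prices or JSON fragments.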
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
