[
https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518055#comment-17518055
]
ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------
Commit b5370cbf51f9442b70ff61ed288fd442ff657ef9 in ofbiz-framework's branch
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b5370cbf51 ]
Fixed: Prevent Freemarker interpolation in fields (OFBIZ-12594)
I did not catch an issue put in by this feature because BuildBot is not running
for few days (see INFRA-23076) and i don't always run tests locally (relying on
BuildBot and GH actions don't run tests).
This is the error Solr tests throw else:
<<Unfortunately, the stream was empty / not available. This may be caused by
another servlet filter calling ServletRequest.getParameter*() before
SolrDispatchFilter>>
Got an issue with previous commit (I guess confusion with 22.01)
> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
> Key: OFBIZ-12594
> URL: https://issues.apache.org/jira/browse/OFBIZ-12594
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL APPLICATIONS, ALL PLUGINS
> Affects Versions: 18.12.06, 22.01.01
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.06, 22.01.01
>
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker
> exploits. But it's hard to realise because OFBiz exposes objects, like
> attributes from the Servlet scopes. So in the meantime preventing Freemarker
> interpolation in fields is a pragmatic solution.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
