[ https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17521669#comment-17521669 ]

ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------

Commit 829e1ca535c3ffae6e5658360b083dd0d316fc78 in ofbiz-plugins's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=829e1ca53 ]

Fixed: Test run was unsuccessful because of failing solr tests (OFBIZ-12595)

The previous commit for OFBIZ-12594 only worked on Windows. On *nix OSs
there is no way to reliably get the "--test" String from the java.class.path property.

Also, the previous fix was brittle because it relied on only 1 space separating
words.

This fix sets the SolrDispatchFilter system property at the beginning of the
4 Solr tests and removes it at the end of them. That presence can reliably be tested
in ControlFilter, which is called before SolrDispatchFilter. It allows bypassing
SecurityUtil::containsFreemarkerInterpolation, which would otherwise change the
parameters' content type, which must be application/x-www-form-urlencoded.

Thanks: Tom Pietsch for the report and Mart Naum for confirmation

Conflicts handled by hand


> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
>                 Key: OFBIZ-12594
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12594
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL PLUGINS
>    Affects Versions: 18.12.06, 22.01.01
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.06, 22.01.01
>
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker 
> exploits. But it's hard to realise because OFBiz exposes objects, like 
> attributes from the Servlet scopes. So in the meantime preventing Freemarker 
> interpolation in fields is a pragmatic solution.
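The two test-detection approaches the commit contrasts, and the gate in front of the interpolation check, as an added example that is not OFBiz's own code. The property name follows the commit text; the class, method names and the interpolation pattern are assumptions standing in for SecurityUtil::containsFreemarkerInterpolation.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical ControlFilter-style gate modelled on the commit description.
public class InterpolationGate {
    // Property name taken from the commit message; its exact value in OFBiz is not shown here.
    static final String SOLR_TEST_FLAG = "SolrDispatchFilter";

    // Brittle approach the commit moves away from: scanning java.class.path for "--test".
    // On *nix the test flag never appears there, and the single-space match breaks easily.
    static boolean looksLikeTestRunFromClasspath() {
        String cp = System.getProperty("java.class.path", "");
        return cp.contains(" --test ");
    }

    // Reliable approach: the Solr tests set an explicit system property and clear it afterwards.
    static boolean solrTestsRunning() {
        return System.getProperty(SOLR_TEST_FLAG) != null;
    }

    // Assumed stand-in for the interpolation check: ${...}, <#..., [#... and #{...} markers.
    private static final Pattern FTL_MARKERS = Pattern.compile("\\$\\{[^}]*\\}|<#|\\[#|#\\{");

    static boolean containsFreemarkerInterpolation(String value) {
        return value != null && FTL_MARKERS.matcher(value).find();
    }

    // True when the request carries interpolation syntax in any parameter value.
    // While the Solr tests run, the check is skipped so the form body is left untouched.
    static boolean shouldReject(Map<String, String[]> params) {
        if (solrTestsRunning()) {
            return false;
        }
        for (String[] values : params.values()) {
            for (String v : values) {
                if (containsFreemarkerInterpolation(v)) {
                    return true;
                }
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample parameters, not a real request.
        Map<String, String[]> params = Map.of("q", new String[] {"${request.getSession()}"});
        System.out.println("rejected outside tests: " + shouldReject(params));
        System.setProperty(SOLR_TEST_FLAG, "true");
        System.out.println("rejected during Solr tests: " + shouldReject(params));
        System.clearProperty(SOLR_TEST_FLAG);
    }
}
```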



--
This message was sent by Atlassian Jira
(v8.20.1#820001)