[ https://issues.apache.org/jira/browse/OFBIZ-12594?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17521671#comment-17521671 ]
ASF subversion and git services commented on OFBIZ-12594:
---------------------------------------------------------

Commit 656b9c20c78b4354e864ce32c81b65879ab9ace4 in ofbiz-plugins's branch refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=656b9c20c ]

Fixed: Test run was unsuccessful because of failing solr tests (OFBIZ-12595)

The previous commit for OFBIZ-12594 was only working on Windows. On *nix OSs there is no way to reliably get the "--test" String from the java.class.path property. Also, the previous fix was brittle because it relied on only 1 space separating words.

This fix puts in the SolrDispatchFilter system property at the beginning of the 4 Solr tests and removes it at the end of them. That presence can reliably be tested in ControlFilter, which is called before SolrDispatchFilter. It allows bypassing SecurityUtil::containsFreemarkerInterpolation, which would otherwise change the parameters' content type, which must be application/x-www-form-urlencoded.

Thanks: Tom Pietsch for report and Mart Naum for confirmation

> Prevent Freemarker interpolation in fields
> ------------------------------------------
>
> Key: OFBIZ-12594
> URL: https://issues.apache.org/jira/browse/OFBIZ-12594
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL APPLICATIONS, ALL PLUGINS
> Affects Versions: 18.12.06, 22.01.01
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.06, 22.01.01
>
>
> OFBIZ-12587 is a definitive solution to prevent any kind of Freemarker
> exploits. But it's hard to realise because OFBiz exposes objects, like
> attributes from the Servlet scopes. So in the meantime preventing Freemarker
> interpolation in fields is a pragmatic solution.
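The mechanism the commit message describes, written out as an added example that is not OFBiz code and is not taken from the commit: a servlet filter that runs ahead of Solr rejects request parameters containing Freemarker interpolation syntax, unless a system property set by the Solr tests tells it to stand aside. The class name, the regex, the property key "SolrDispatchFilter" as a literal key, and the runWithBypass helper are all assumptions for illustration; the real ControlFilter and SecurityUtil::containsFreemarkerInterpolation may differ.

```java
import java.io.IOException;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not OFBiz's ControlFilter) showing the shape of the fix:
 * scan request parameters for Freemarker interpolation markers, but skip the
 * scan while a test-set system property is present, so the Solr request body
 * reaches SolrDispatchFilter untouched.
 */
public class InterpolationGuardFilter implements Filter {

    /** Assumed key; the commit only says "the SolrDispatchFilter system property". */
    static final String BYPASS_PROPERTY = "SolrDispatchFilter";

    /**
     * Assumed marker set: ${...} and #{...} interpolations plus the directive
     * and macro openers for both Freemarker syntaxes (<# <@ and [# [@).
     */
    static final Pattern INTERPOLATION = Pattern.compile("\\$\\{|#\\{|<#|<@|\\[#|\\[@");

    /** Hypothetical stand-in for SecurityUtil::containsFreemarkerInterpolation. */
    static boolean containsFreemarkerInterpolation(String value) {
        return value != null && INTERPOLATION.matcher(value).find();
    }

    /** True while the Solr tests have put the property in place. */
    static boolean bypassRequested() {
        return System.getProperty(BYPASS_PROPERTY) != null;
    }

    /**
     * How a test would bracket the property, mirroring the commit's
     * "puts in ... at the beginning ... and removes it at end": the finally
     * block guarantees the bypass never leaks into later tests.
     */
    static void runWithBypass(Runnable body) {
        System.setProperty(BYPASS_PROPERTY, "true");
        try {
            body.run();
        } finally {
            System.clearProperty(BYPASS_PROPERTY);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {}

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Per the commit, running the check on a Solr request would otherwise
        // alter the parameters' content type that Solr requires to be
        // application/x-www-form-urlencoded, so the Solr path skips it entirely
        // instead of inspecting and re-encoding the body.
        if (!bypassRequested()) {
            for (Map.Entry<String, String[]> entry : request.getParameterMap().entrySet()) {
                for (String value : entry.getValue()) {
                    if (containsFreemarkerInterpolation(value)) {
                        ((HttpServletResponse) response).sendError(
                                HttpServletResponse.SC_BAD_REQUEST,
                                "Freemarker interpolation is not allowed in field " + entry.getKey());
                        return;
                    }
                }
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {}
}
```

The two properties that matter for the fix are visible here: the gate is a plain presence check on a system property, which is deterministic on every OS (unlike parsing "--test" out of java.class.path), and the property is cleared in a finally block so a failing Solr test cannot leave the guard disabled for the rest of the run.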