[jira] [Commented] (OFBIZ-13162) [SECURITY] (CVE-2024-48962) Enhance Parameter Encoding in MacroMenuRenderer

ASF subversion and git services (Jira) Mon, 25 Nov 2024 23:16:06 -0800


    [ 
https://issues.apache.org/jira/browse/OFBIZ-13162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17901106#comment-17901106
 ]


ASF subversion and git services commented on OFBIZ-13162:
---------------------------------------------------------

Commit eee6ccb71b40637b4055ed507f81502479091051 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=eee6ccb71b ]

Improved: Prevent URL parameters manipulation (OFBIZ-13147)

This follows Leïla comment. It simplifies the SecuredUpload::isValidEncodedText
content and renames it isNotValidEncodedText

Also 3 new deniedWebShellTokens are added, some more to come

To quickly test on trunk demo the fix from OFBIZ-13162 is temporarily reverted


>  [SECURITY] (CVE-2024-48962) Enhance Parameter Encoding in MacroMenuRenderer
> ----------------------------------------------------------------------------
>
>                 Key: OFBIZ-13162
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13162
>             Project: OFBiz
>          Issue Type: Sub-task
>            Reporter: Deepak Dixit
>            Assignee: Deepak Dixit
>            Priority: Major
>             Fix For: 18.12.17
>
>
> {{MacroMenuRenderer}} should utilize {{UtilCodec.SimpleEncoder}} to encode 
> parameter values when available.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (OFBIZ-13162) [SECURITY] (CVE-2024-48962) Enhance Parameter Encoding in MacroMenuRenderer

Reply via email to