Nicolas Malin created OFBIZ-13197:
-------------------------------------
Summary: Improve validation method on service parameter
Key: OFBIZ-13197
URL: https://issues.apache.org/jira/browse/OFBIZ-13197
Project: OFBiz
Issue Type: Improvement
Components: framework/service
Reporter: Nicolas Malin
Since the Remote Code Execution (File Upload) Vulnerability fixed by
OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency on a
service definition 'createAnonFile' to control the security.
This solution works but breaks the dependency between each component and the
requirement for a service to protect itself.
Normally a service can secure each parameter with the element *type-validate*;
unfortunately, this element can only call a method with one parameter. In our
case the method to validate a file upload needs to have the delegator.
To solve it, we improve the element *type-validate* to analyze the method called
to validate the attribute value and pass the delegator or dispatcher if it is
detected.
Like this we can move the code present in GroovyBaseScript to the service
definition and offer the possibility to create more complex validation methods for
custom sites.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
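An added example (not code from the issue or from OFBiz itself) of the dispatch the issue proposes: resolve the method named by a *type-validate* element by reflection, pass the attribute value first, and supply a delegator or dispatcher only when the method declares a parameter of that type. `Delegator` and `LocalDispatcher` are stand-in interfaces here, the value-first parameter order is an assumption, and the validator classes are constructed for the demonstration.

```java
import java.lang.reflect.Method;

// Stand-ins for org.apache.ofbiz.entity.Delegator and
// org.apache.ofbiz.service.LocalDispatcher so the example compiles offline.
interface Delegator {}
interface LocalDispatcher {}

public class TypeValidateInvoker {
    /**
     * Resolve the validation method named by <type-validate class=".." method=".."/>
     * and build its argument list: the attribute value goes first (assumed order);
     * a Delegator or LocalDispatcher parameter is filled from the service context.
     * Any other parameter type is rejected, so a misdeclared validator fails early
     * instead of silently receiving null.
     */
    public static boolean validate(Class<?> validatorClass, String methodName,
            Object value, Delegator delegator, LocalDispatcher dispatcher) throws Exception {
        Method target = null;
        for (Method m : validatorClass.getMethods()) {
            if (m.getName().equals(methodName) && m.getReturnType() == boolean.class) {
                target = m;
                break;
            }
        }
        if (target == null) throw new IllegalArgumentException("no boolean validator " + methodName);
        Class<?>[] types = target.getParameterTypes();
        Object[] args = new Object[types.length];
        for (int i = 0; i < types.length; i++) {
            if (i == 0) args[i] = value;
            else if (Delegator.class.isAssignableFrom(types[i])) args[i] = delegator;
            else if (LocalDispatcher.class.isAssignableFrom(types[i])) args[i] = dispatcher;
            else throw new IllegalArgumentException("unsupported validator parameter " + types[i]);
        }
        return (Boolean) target.invoke(null, args);
    }

    // Constructed validators: the legacy one-parameter form and the delegator-aware form.
    public static class FileValidators {
        public static boolean isNotEmpty(Object s) { return s != null && !s.toString().isEmpty(); }
        public static boolean isAllowedUpload(Object fileName, Delegator delegator) {
            // Real code would read the allowed extensions through the delegator;
            // a fixed allow-list stands in for that lookup here.
            String name = String.valueOf(fileName).toLowerCase();
            return delegator != null && (name.endsWith(".png") || name.endsWith(".pdf"));
        }
    }

    public static void main(String[] a) throws Exception {
        Delegator d = new Delegator() {};
        System.out.println(validate(FileValidators.class, "isNotEmpty", "report.pdf", d, null));
        System.out.println(validate(FileValidators.class, "isAllowedUpload", "upload.jsp", d, null));
    }
}
```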