[
https://issues.apache.org/jira/browse/OFBIZ-13197?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910308#comment-17910308
]
ASF subversion and git services commented on OFBIZ-13197:
---------------------------------------------------------
Commit b8ab904b4c84acc9af36522cd6ab6c5ac9622932 in ofbiz-framework's branch
refs/heads/trunk from Nicolas Malin
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b8ab904b4c ]
Improved: Improve validation method on service parameter (OFBIZ-13197) (#869)
Since the Remote Code Execution (File Upload) Vulnerability fixed by
OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency with a
service definition 'createAnonFile' to control the security.
This solution works but break the dependency between each component and the
mandatory for a service to protect it himself.
Normally a service can secure each parameter with element type-validate
unfortunately, this element can call only method with one parameter. In your
case the method to validate a file upload need to have the delegator.
To solve it, we improve the element type-validate to analyze the method call
for validate the attribute value and pass the delegator or dispatcher if it
detected.
Like this we can move the code present on GroovyBaseScript to the service
definition and offer the possibility to create more complex validate method for
custom site.
> Improve validation method on service parameter
> ----------------------------------------------
>
> Key: OFBIZ-13197
> URL: https://issues.apache.org/jira/browse/OFBIZ-13197
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/service
> Reporter: Nicolas Malin
> Priority: Major
>
> Since the Remote Code Execution (File Upload) Vulnerability fixed by
> OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency with a
> service definition 'createAnonFile' to control the security.
> This solution works but break the dependency between each component and the
> mandatory for a service to protect it himself.
> Normally a service can secure each parameter with element *type-validate*
> unfortunately, this element can call only method with one parameter. In your
> case the method to validate a file upload need to have the delegator.
> To solve it, we improve the element *type-validate* to analyze the method
> call for validate the attribute value and pass the delegator or dispatcher if
> it detected.
> Like this we can move the code present on GroovyBaseScript to the service
> definition and offer the possibility to create more complex validate method
> for custom site.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
