[ https://issues.apache.org/jira/browse/OFBIZ-13197?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nicolas Malin closed OFBIZ-13197.
---------------------------------
    Resolution: Done

> Improve validation method on service parameter
> ----------------------------------------------
>
>                 Key: OFBIZ-13197
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13197
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: framework/service
>            Reporter: Nicolas Malin
>            Assignee: Nicolas Malin
>            Priority: Major
>
> Since the Remote Code Execution (File Upload) Vulnerability fixed by OFBIZ-11948, the class GroovyBaseScript.groovy contains a dependency with a service definition 'createAnonFile' to control the security.
> This solution works but breaks the dependency between each component and the requirement for a service to protect itself.
> Normally a service can secure each parameter with the element *type-validate*; unfortunately, this element can only call a method with one parameter. In your case the method to validate a file upload needs to have the delegator.
> To solve it, we improve the element *type-validate* to analyze the method called to validate the attribute value and pass the delegator or dispatcher if it is detected.
> Like this we can move the code present in GroovyBaseScript to the service definition and offer the possibility to create more complex validation methods for custom sites.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
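
The dispatch idea described in the issue, as an added example that is not OFBiz code: a validation method is looked up by name and its signature is inspected, so a delegator or dispatcher is passed only when the method declares one. `Delegator` and `LocalDispatcher` are empty stand-in interfaces here, and `TypeValidateSketch`, `Validators`, `isNotBlank` and `isSafeFileName` are hypothetical names with constructed sample values.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;

public class TypeValidateSketch {
    // Stand-ins for the framework's delegator and dispatcher (assumption: empty marker types).
    interface Delegator {}
    interface LocalDispatcher {}

    // Hypothetical validators: the first needs only the value, the second also needs the delegator.
    public static class Validators {
        public static boolean isNotBlank(String value) {
            return value != null && !value.trim().isEmpty();
        }
        public static boolean isSafeFileName(Delegator delegator, String value) {
            return delegator != null && value != null
                    && value.matches("[A-Za-z0-9_-]+\\.(txt|png|pdf)");
        }
    }

    // Find a public static boolean method by name and build its arguments from its parameter types.
    static boolean validate(Class<?> cls, String methodName, Object value,
                            Delegator delegator, LocalDispatcher dispatcher) throws Exception {
        for (Method m : cls.getMethods()) {
            if (!m.getName().equals(methodName) || !Modifier.isStatic(m.getModifiers())
                    || m.getReturnType() != boolean.class) continue;
            Class<?>[] types = m.getParameterTypes();
            Object[] args = new Object[types.length];
            boolean usable = true;
            boolean valueBound = false;
            for (int i = 0; i < types.length && usable; i++) {
                if (types[i] == Delegator.class) args[i] = delegator;
                else if (types[i] == LocalDispatcher.class) args[i] = dispatcher;
                else if (!valueBound && value != null && types[i].isInstance(value)) {
                    args[i] = value;
                    valueBound = true;
                } else usable = false; // unknown parameter type: skip this overload
            }
            if (usable && valueBound) return (Boolean) m.invoke(null, args);
        }
        return false; // fail closed: no matching validator means the value is rejected
    }

    public static void main(String[] args) throws Exception {
        Delegator d = new Delegator() {};
        System.out.println(validate(Validators.class, "isNotBlank", "report.pdf", d, null));
        System.out.println(validate(Validators.class, "isSafeFileName", "report.pdf", d, null));
        System.out.println(validate(Validators.class, "isSafeFileName", "shell.jsp", d, null));
        System.out.println(validate(Validators.class, "noSuchMethod", "report.pdf", d, null));
    }
}
```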