[ https://issues.apache.org/jira/browse/OFBIZ-13092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913768#comment-17913768 ]
ASF subversion and git services commented on OFBIZ-13092:
---------------------------------------------------------

Commit 52bf8b30a1ee8d78b457fe6b89cc79c7c56815ff in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=52bf8b30a1 ]

Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFBIZ-13092)

I've got a strange issue that seems to be caused by one of this Jira's modifications:
On the demo environment, when clicking on several sort field links, a 'For security reason this URL is not accepted' error is thrown.
For instance, if you perform a search on the find party screen and try to sort by partyId, createdDate or else, you will get this message.
I tried to reproduce it in a local trunk environment without success: the uRIFiltered and the initialURI are the same.

jleroux: but indeed when the same is done on a domain site, for instance the official OFBiz demos, it's reproducible in all demo instances.

This fixes it, with some more: refactoring, formatting and renaming

Thanks: Leïla for the report and details.

Conflicts handled by hand (a lot) in ControlFilter.java

> [SECURITY] (CVE-2024-36104) Path traversal leading to RCE
> ---------------------------------------------------------
>
>                 Key: OFBIZ-13092
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13092
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webapp
>    Affects Versions: 18.12.14
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.18
>
>         Attachments: image-2025-01-13-16-10-01-639.png, image-2025-01-13-16-18-46-537.png
>
>
> Better avoid special encoded characters sequences

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
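The comment describes a filter that rejects a request when the filtered URI no longer matches the initial URI. The following is an added, constructed illustration of that kind of check; it is not OFBiz's ControlFilter, and the function names, the decode-round bound and the sample paths are all assumptions made for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed illustration of a filtered-vs-initial URI check (not OFBiz code).
# The path is percent-decoded and dot-segment-normalised; the request is
# accepted only when that filtering leaves the path exactly as it was sent.

MAX_DECODE_ROUNDS = 3  # assumption: bound on repeated percent-decoding


def filter_uri(initial_uri: str) -> str:
    """Return the canonical form of the path component of initial_uri."""
    path = urlsplit(initial_uri).path
    if not path:
        return path
    # Decode repeatedly so double-encoded sequences such as %252e are exposed.
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Treat backslashes as separators before collapsing "." and ".." segments.
    path = path.replace("\\", "/")
    normalized = posixpath.normpath(path)
    # normpath drops a trailing slash; keep it so a plain directory URL matches.
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def is_uri_accepted(initial_uri: str) -> bool:
    """Accept the request only when filtering changes nothing in the path.

    Note the strictness: any legitimately percent-encoded path also fails the
    equality test, which is why such filters are prone to false positives.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in initial_uri):
        return False  # raw control characters never belong in a request URI
    return filter_uri(initial_uri) == urlsplit(initial_uri).path


if __name__ == "__main__":
    # Constructed sample requests: a normal sort link and two encoded traversals.
    for uri in ("/partymgr/control/findparty?sortField=partyId",
                "/partymgr/control/..%2f..%2fWEB-INF/web.xml",
                "/partymgr/control/%252e%252e/config"):
        print(uri, "->", "accepted" if is_uri_accepted(uri) else "rejected")
```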