[ https://issues.apache.org/jira/browse/OFBIZ-13092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17914038#comment-17914038 ]
ASF subversion and git services commented on OFBIZ-13092:
---------------------------------------------------------

Commit bb743ddff1fddbbea94c1415159f0d4d5013d592 in ofbiz-framework's branch refs/heads/release24.09 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=bb743ddff1 ]

Fixed: [SECURITY] (CVE-2024-36104) Path traversal leading to RCE (OFBIZ-13092)

Adds a StringUtil::splitWithStringSeparator. I crossed an issue using StringUtil::split: it's said that <<delim the delimiter character(s)>> with a (s), but it does not work as expected with several character(s).

In ControlFilter::doFilter, uses splitWithStringSeparator instead of split.
Uses the decoded requestUri everywhere, and, to split the query string, "&" rather than "Y&" (though it worked).
Also put all the private methods used by doFilter just above it to clarify use.

Conflict handled by hand in StringUtil.java

> [SECURITY] (CVE-2024-36104) Path traversal leading to RCE
> ---------------------------------------------------------
>
>                 Key: OFBIZ-13092
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13092
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webapp
>    Affects Versions: 18.12.14
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 18.12.18
>
>         Attachments: image-2025-01-13-16-10-01-639.png, image-2025-01-13-16-18-46-537.png
>
>
> Better avoid special encoded characters sequences

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
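The commit message above contrasts a character-set split (where every character of the delimiter is a separator) with a literal-string split, and says the filter now works on the decoded requestUri. The following Java sketch is an added illustration, not code from the OFBiz commit or from ControlFilter: the method names, the isSafePath check and the sample inputs are assumptions chosen to show the two behaviours side by side.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class SeparatorSplitDemo {

    // Literal-string split: only the whole separator string splits.
    // Hypothetical stand-in for the splitWithStringSeparator the commit adds.
    static List<String> splitWithStringSeparator(String s, String sep) {
        List<String> parts = new ArrayList<>();
        int from = 0, idx;
        while ((idx = s.indexOf(sep, from)) >= 0) {
            parts.add(s.substring(from, idx));
            from = idx + sep.length();
        }
        parts.add(s.substring(from));
        return parts;
    }

    // Character-set split (StringTokenizer semantics): each char in delims is a separator,
    // which is the "delimiter character(s)" behaviour the commit message found surprising.
    static List<String> splitOnAnyChar(String s, String delims) {
        List<String> parts = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(s, delims);
        while (st.hasMoreTokens()) parts.add(st.nextToken());
        return parts;
    }

    // Defensive check (assumed, not OFBiz's own): decode once, then inspect each path segment
    // of the decoded URI so percent-encoded traversal sequences cannot slip past a raw compare.
    // Note: URLDecoder applies form decoding ('+' becomes a space); fine for this illustration.
    static boolean isSafePath(String rawRequestUri) {
        String decoded = URLDecoder.decode(rawRequestUri, StandardCharsets.UTF_8);
        if (decoded.contains("%")) return false;          // still encoded after one decode: reject
        for (String seg : splitWithStringSeparator(decoded, "/")) {
            if (seg.equals("..") || seg.contains("\\") || seg.indexOf('\0') >= 0) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        System.out.println(splitOnAnyChar("paY=1&q=2", "Y&"));           // [pa, =1, q=2]: 'Y' splits too
        System.out.println(splitWithStringSeparator("paY=1&q=2", "Y&"));  // [paY=1&q=2]: literal "Y&" only
        System.out.println(splitWithStringSeparator("a=1&b=2", "&"));     // [a=1, b=2]
        System.out.println(isSafePath("/webtools/control/main"));         // true
        System.out.println(isSafePath("/webtools/control/%2e%2e/main"));  // false: ".." after decoding
    }
}
```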