[ 
https://issues.apache.org/jira/browse/OFBIZ-13092?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17914362#comment-17914362
 ] 

Jacques Le Roux edited comment on OFBIZ-13092 at 1/20/25 11:07 AM:
-------------------------------------------------------------------

There is one last thing I want to say here.

It's about URI::getQuery and my understanding of the words escaping and 
encoding in Java. In my mind, escaping is related to JavaScript changes in UI 
and in HTTP, like escaping ampersand (i.e. "&amp"), whereas encoding is about 
percent-encoding. But it's still confusing, and not only in my mind.

At [https://docs.oracle.com/javase/8/docs/api/java/net/URI.html#decode] we have
{quote}The getUserInfo, getPath, getQuery, getFragment, getAuthority, and 
getSchemeSpecificPart methods decode any +*escaped*+ octets in their 
corresponding components. The strings returned by these methods may contain 
both other characters and illegal characters, and will not contain any escaped 
octets.
{quote}
I read it too fast, so I thought that I could use it to +*unescape*+ a query 
where ampersand is used. I was wrong, and that led me into some trouble.

More information at 
[https://stackoverflow.com/questions/48776437/uri-getrawquery-vs-getquery]


Then follow the link 
[https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8214423] and read the 
comment, which is clearer.

Hope that can help someone one day.
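The getRawQuery vs getQuery pitfall above, as an added example (not code from the OFBiz project or from the comment author); the URI and the parameter names are constructed for illustration, and the URLDecoder overload taking a Charset assumes Java 10 or later:

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

public class QueryDecodeDemo {
    // Correct order: split the *raw* query on '&' and '=' first, then
    // percent-decode each key and value. An encoded "%26" inside a value
    // therefore stays inside that value.
    static Map<String, String> parseRawQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return params;
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // URLDecoder (Java 10+ overload) also maps '+' to a space.
            params.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // The pitfall from the comment: URI.getQuery() has already turned "%26"
    // into '&', so splitting its result breaks values that carried an encoded
    // ampersand; decoding again afterwards would double-decode.
    static Map<String, String> parseDecodedQuery(URI uri) {
        Map<String, String> params = new LinkedHashMap<>();
        String decoded = uri.getQuery();
        if (decoded == null) return params;
        for (String pair : decoded.split("&")) {
            int eq = pair.indexOf('=');
            params.put(eq < 0 ? pair : pair.substring(0, eq),
                       eq < 0 ? "" : pair.substring(eq + 1));
        }
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample: "next" legitimately carries an encoded '&' and '='.
        URI uri = URI.create("https://example.com/app?next=%2Fpage%3Fa%3D1%26b%3D2&user=bob");
        System.out.println("getRawQuery       : " + uri.getRawQuery());
        System.out.println("getQuery          : " + uri.getQuery());
        System.out.println("raw, then decode  : " + parseRawQuery(uri.getRawQuery()));
        System.out.println("decode, then split: " + parseDecodedQuery(uri));
    }
}
```

Splitting the raw query first yields {next=/page?a=1&b=2, user=bob}, while splitting the already-decoded getQuery() output yields {next=/page?a=1, b=2, user=bob}, which is why a value decoded once must be treated as final and never fed through a decoder a second time.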



> [SECURITY] (CVE-2024-36104) Path traversal leading to RCE
> ---------------------------------------------------------
>
>                 Key: OFBIZ-13092
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13092
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework/webapp
>    Affects Versions: 18.12.14
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 24.09.01, 18.12.18
>
>         Attachments: image-2025-01-13-16-10-01-639.png, 
> image-2025-01-13-16-18-46-537.png
>
>
> Better avoid special encoded characters sequences 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
