details: https://code.openbravo.com/erp/devel/pi/rev/f2ee792f14ff changeset: 32309:f2ee792f14ff user: Armaignac <collazoandy4 <at> gmail.com> date: Wed Jun 14 11:47:03 2017 -0400 summary: Fixes issue 36239: Security problem in Create Budget Reports in Excel report
SQL injection security problem in Create Budget Reports in Excel report. A UUID filter was added to check the params cAccountId and inpcAcctSchemaId.
diffstat:
 src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java | 24 +++++----
 1 files changed, 14 insertions(+), 10 deletions(-)
diffs (55 lines):
diff -r 3640713e1a91 -r f2ee792f14ff src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java
--- a/src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java	Wed Jun 14 08:56:18 2017 +0200
+++ b/src/org/openbravo/erpCommon/ad_reports/ReportBudgetGenerateExcel.java	Wed Jun 14 11:47:03 2017 -0400
@@ -11,7 +11,7 @@
  * under the License.
  * The Original Code is Openbravo ERP.
  * The Initial Developer of the Original Code is Openbravo SLU
- * All portions are Copyright (C) 2001-2015 Openbravo SLU
+ * All portions are Copyright (C) 2001-2017 Openbravo SLU
  * All Rights Reserved.
  * Contributor(s): ______________________________________.
  ************************************************************************
@@ -46,11 +46,10 @@
     VariablesSecureApp vars = new VariablesSecureApp(request);
     if (vars.commandIn("DEFAULT")) {
-      String strcAcctSchemaId = vars.getGlobalVariable("inpcAcctSchemaId",
-          "ReportGeneralLedger|cAcctSchemaId", "");
-      printPageDataSheet(response, vars, strcAcctSchemaId);
-    } else if (vars.commandIn("EXCEL")) {
+      printPageDataSheet(response, vars);
+    }
+    else if (vars.commandIn("EXCEL")) {
       vars.removeSessionValue("ReportBudgetGenerateExcel|inpTabId");
       String strBPartner = vars.getRequestInGlobalVariable("inpcBPartnerId_IN",
           "ReportBudgetGenerateExcel|inpcBPartnerId_IN", IsIDFilter.instance);
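Review bot: The `}` and `else if (vars.commandIn("EXCEL")) {` are split onto two lines in the DEFAULT/EXCEL dispatch, departing from the `} else if` form the removed line used; the same separated `else {` (with a blank line before it) appears in the third hunk, and both would normally be written as `    } else if (vars.commandIn("EXCEL")) {` and `    } else {`. Separately, the DEFAULT path no longer reads `inpcAcctSchemaId` (the old code took it from the `ReportGeneralLedger|cAcctSchemaId` session key and passed it to printPageDataSheet); the body of printPageDataSheet continues past the third hunk, so it cannot be confirmed here where the data sheet now obtains the schema id, and if it still reads it from the request it should go through the same `IsIDFilter.instance` the EXCEL branch now applies. doPost starts before this hunk.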
@@ -79,17 +78,22 @@
       String strMonth = vars.getRequestInGlobalVariable("inpMonth",
           "ReportBudgetGenerateExcel|inpMonthId", IsIDFilter.instance);
       String strAccount = vars.getRequestGlobalVariable("paramAccountSelect",
-          "ReportBudgetGenerateExcel|cAccountId");
-      String strcAcctSchemaId = vars.getStringParameter("inpcAcctSchemaId", "");
+          "ReportBudgetGenerateExcel|cAccountId", IsIDFilter.instance);
+      String strcAcctSchemaId = vars
+          .getStringParameter("inpcAcctSchemaId", "", IsIDFilter.instance);
+
       printPageDataExcel(response, vars, strBPartner, strBPGroup, strProduct, strProdCategory,
           strUser1, strUser2, strCostcenter, strSalesRegion, strCampaign, strActivity, strProject,
           strTrxOrg, strMonth, strcAcctSchemaId, strAccount);
-    } else
+    }
+
+    else {
       pageErrorPopUp(response);
+    }
   }
 
-  private void printPageDataSheet(HttpServletResponse response, VariablesSecureApp vars,
-      String strcAcctSchemaId) throws IOException, ServletException {
+  private void printPageDataSheet(HttpServletResponse response, VariablesSecureApp vars)
+      throws IOException, ServletException {
     if (log4j.isDebugEnabled())
       log4j.debug("Output: dataSheet");
     XmlDocument xmlDocument = null;
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openbravo-commits mailing list
Openbravo-commits@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openbravo-commits
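Review bot: `IsIDFilter.instance` on `strAccount` and `strcAcctSchemaId` is input allow-listing, which closes the reported injection only as long as every value that reaches the query passes such a filter; the SQL that consumes these two strings is built outside this hunk (presumably in printPageDataExcel or the report's data class), so whether it binds them as parameters or concatenates them cannot be confirmed here. The filter should be treated as a second line of defence with the consumer kept parameterized, and a short comment on the two declarations would make that intent explicit, e.g. `// validated as IDs before reaching the report SQL; the consumer must still bind them rather than concatenate`. The remaining filter values passed to printPageDataExcel (`strBPGroup`, `strProduct`, … `strTrxOrg`) are read above this hunk and are not visible here; they warrant the same check. printPageDataExcel is called from doPost, which starts before this hunk, and printPageDataSheet's body continues after it.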