[jira] [Comment Edited] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14321737#comment-14321737 ]

Jacques Le Roux edited comment on OFBIZ-5953 at 7/2/15 12:09 PM:
--

Thanks Jacopo, excellent article! I meant this one http://security.coverity.com/blog/2013/Nov/to-escape-or-not-to-escape-that-is-the-question.html suggested in OFBIZ-5910

was (Author: jacques.le.roux):
Thanks Jacopo, excellent article!

Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
--
Key: OFBIZ-5953
URL: https://issues.apache.org/jira/browse/OFBIZ-5953
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: Trunk
Reporter: Christian Carlow
Fix For: 14.12.01, Upcoming Branch

From Adrian on ML:

When I navigate to https://localhost:8443/accounting/control/paymentOverview?paymentId=8004 many exceptions are thrown and the screen fails to render. I tried changing WidgetWorker.java line 74 to

localRequestName = UtilCodec.canonicalize(localRequestName, false, false);

which fixed the exceptions, but the generated link is wrong. I don't know how to fix it.

Errors related to this class are also thrown at accounting/control/invoiceOverview.

Setting a breakpoint at line 167 of UtilCodec.java shows that 2 HTMLEntityCodec.decode calls transform the URL from EditAcctgTrans?acctgTransId=10070&amp;organizationPartyId=10010 to EditAcctgTrans?acctgTransId=10070&organizationPartyId=10010 to EditAcctgTrans?acctgTransId=10070∨ganizationPartyId=10010. Not sure if the error is in class UtilCodec or HTMLEntityCodec.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato updated OFBIZ-5953:
--
Fix Version/s: Upcoming Branch
               14.12.01
[jira] [Closed] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato closed OFBIZ-5953.
--
Resolution: Fixed
[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14321737#comment-14321737 ]

Jacques Le Roux commented on OFBIZ-5953:
--

Thanks Jacopo, excellent article!
[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318225#comment-14318225 ]

Jacopo Cappellato commented on OFBIZ-5953:
--

I have spent some time digging into the source code of HTMLEntityCodec (ESAPI) and specifically the method decodeCharacter is relevant here; see:
https://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/codecs/HTMLEntityCodec.java

As you can see, and as described by the comment:
{quote}
 * Returns the decoded version of the character starting at index, or
 * null if no decoding is possible.
 *
 * Formats all are legal both with and without semi-colon, upper/lower case:
 *   &#;
 *   &#x;
 *   &name;
{quote}
the codec recognizes the strings &or and &or; both as the html entity representation of the OR symbol. I am not sure if this is right or wrong according to the specifications but it is definitely too strict for OFBiz because it causes problems like the one reported here.

My next step will be that of finding and studying the source file of the old version of ESAPI and see if the behavior changed since then; as I mentioned, removing the HTMLEntityCodec will fix this issue but I still have to figure out the implications of this change.
[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318289#comment-14318289 ]

Gareth Carter commented on OFBIZ-5953:
--

It's more about context. Why use HTMLEntityCodec to decode urls? If UtilCodec is used in other places for other purposes then it will need to split off
[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14318292#comment-14318292 ]

Jacopo Cappellato commented on OFBIZ-5953:
--

Yes, this is what I am trying to do; I would like to create two separate mechanisms, one to sanitize urls and other html contents.
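Added illustration (editor's example, not OFBiz or ESAPI code) of the two-step decode Adrian observed with the breakpoint and of the context split Gareth and Jacopo discuss above. The entity table is a constructed stand-in for ESAPI's full table, `lenient_html_decode` only simulates the "with and without semicolon" rule quoted from the ESAPI comment, and `canonicalize` is a loop-until-stable model of the decoding sequence, not a copy of UtilCodec.canonicalize; the reported URL is reconstructed with the `&amp;` that the tracker rendering dropped.

```python
import re
from typing import Callable, Iterable
from urllib.parse import unquote

# Constructed, deliberately small entity table standing in for the full HTML
# entity set that ESAPI's HTMLEntityCodec knows; "or" is the one that bites here.
ENTITIES = {"amp": "&", "lt": "<", "gt": ">", "quot": '"', "or": "\u2228"}

_LENIENT = re.compile(r"&([A-Za-z][A-Za-z0-9]*)(;?)")
_STRICT = re.compile(r"&([A-Za-z][A-Za-z0-9]*);")


def lenient_html_decode(s: str) -> str:
    """Simulation of the ESAPI rule quoted in the issue: a named entity is
    recognised with or without its semicolon, using the longest known name
    that prefixes the letters following '&'."""
    def repl(m: re.Match) -> str:
        name, semi = m.group(1), m.group(2)
        for n in range(len(name), 0, -1):
            if name[:n] in ENTITIES:
                rest = name[n:]
                # the semicolon belongs to the entity only if the whole name matched
                return ENTITIES[name[:n]] + rest + (semi if rest else "")
        return m.group(0)
    return _LENIENT.sub(repl, s)


def strict_html_decode(s: str) -> str:
    """Decodes only well-formed, semicolon-terminated named entities."""
    return _STRICT.sub(lambda m: ENTITIES.get(m.group(1), m.group(0)), s)


def canonicalize(s: str, codecs: Iterable[Callable[[str], str]]) -> tuple[str, int]:
    """Applies every codec in turn until the string stops changing (the kind of
    loop a canonicalizer uses to defeat double encoding); returns the result and
    the number of passes in which something was decoded."""
    codecs = list(codecs)
    passes = 0
    while True:
        out = s
        for codec in codecs:
            out = codec(out)
        if out == s:
            return out, passes
        passes += 1
        s = out


# The URL from the report, as it sits inside an HTML attribute (constructed).
REPORTED_URL = "EditAcctgTrans?acctgTransId=10070&amp;organizationPartyId=10010"


def canonicalize_mixed(s: str) -> tuple[str, int]:
    """The problematic configuration: entity decoding and percent decoding in one
    list, run over a URL. Pass 1 turns '&amp;' into '&', pass 2 then reads
    '&or...' of '&organizationPartyId' as the OR symbol."""
    return canonicalize(s, [lenient_html_decode, unquote])


def canonicalize_url(s: str) -> tuple[str, int]:
    """Context-specific variant for URLs: percent decoding only. Entity handling
    is the job of whichever layer later writes the URL into HTML."""
    return canonicalize(s, [unquote])


def canonicalize_html(s: str) -> tuple[str, int]:
    """Context-specific variant for HTML text: strict entity decoding only."""
    return canonicalize(s, [strict_html_decode])


if __name__ == "__main__":
    print(canonicalize_mixed(REPORTED_URL))   # mangled, 2 passes
    print(canonicalize_url(REPORTED_URL))     # untouched, 0 passes
    print(canonicalize_html(REPORTED_URL))    # '&amp;' -> '&' only, 1 pass
```

The mixed list reproduces the breakpoint trace from the report: the first pass only undoes `&amp;`, and it is the second pass over the already-decoded string that produces `∨ganizationPartyId`. Keeping one codec list per context, as proposed in the comments above, removes the second pass for URLs entirely; a strict decoder alone would also avoid this particular case, but only the context split keeps a URL from being interpreted as HTML in the first place.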
[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14270760#comment-14270760 ]

Jacopo Cappellato commented on OFBIZ-5953:
--

Thanks for the report Christian and Adrian. As a temporary workaround we can disable the HTMLEntityCodec with the following patch:

{code} Index: framework/base/src/org/ofbiz/base/util/UtilCodec.java === --- framework/base/src/org/ofbiz/base/util/UtilCodec.java (revision 1650452) +++ framework/base/src/org/ofbiz/base/util/UtilCodec.java (working copy)
@@ -43,7 +43,7 @@ private static final ListCodec codecs; static { ListCodec tmpCodecs = new ArrayListCodec(); -tmpCodecs.add(new HTMLEntityCodec()); +//tmpCodecs.add(new HTMLEntityCodec()); tmpCodecs.add(new PercentCodec()); codecs = Collections.unmodifiableList(tmpCodecs); } {code}

This will fix the screens. I am digging into it now.
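Review bot: commenting out `tmpCodecs.add(new HTMLEntityCodec());` in the static initializer changes canonicalization for every caller of UtilCodec, not just the URL path from the report, so any HTML-context input that relied on entity decoding before validation is now checked in its encoded form; since this is described as a temporary workaround, put a comment with the issue key next to the disabled line (or remove the line rather than leaving commented-out code), and consider a context-specific codec list so URL canonicalization and HTML canonicalization do not share one `codecs` list. As rendered here the declarations read `ListCodec codecs` and `new ArrayListCodec()`; confirm the generic parameters survived in the actual patch file.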
[jira] [Commented] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
[ https://issues.apache.org/jira/browse/OFBIZ-5953?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14270784#comment-14270784 ]

Gareth Carter commented on OFBIZ-5953:
--

FYI, duplicate of OFBIZ-5910
[jira] [Created] (OFBIZ-5953) Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
Christian Carlow created OFBIZ-5953:
---
Summary: Problem with new UtilCodec code caused by HTMLEntityCodec.decode()
Key: OFBIZ-5953
URL: https://issues.apache.org/jira/browse/OFBIZ-5953
Project: OFBiz
Issue Type: Bug
Components: framework
Affects Versions: Trunk
Reporter: Christian Carlow
Re: Problem with new UtilCodec code
Feel free to register a JIRA issue.

Regards,

Pierre Smits
*ORRTIZ.COM http://www.orrtiz.com*
Services & Solutions for Cloud-Based Manufacturing, Professional Services and Retail Trade
http://www.orrtiz.com

On Thu, Jan 8, 2015 at 8:56 PM, Adrian Crum adrian.c...@sandglass-software.com wrote:

> When I navigate to https://localhost:8443/accounting/control/paymentOverview?paymentId=8004 many exceptions are thrown and the screen fails to render. I tried changing WidgetWorker.java line 74 to
>
> localRequestName = UtilCodec.canonicalize(localRequestName, false, false);
>
> which fixed the exceptions, but the generated link is wrong. I don't know how to fix it.
>
> --
> Adrian Crum
> Sandglass Software
> www.sandglass-software.com
Problem with new UtilCodec code
When I navigate to https://localhost:8443/accounting/control/paymentOverview?paymentId=8004 many exceptions are thrown and the screen fails to render. I tried changing WidgetWorker.java line 74 to

localRequestName = UtilCodec.canonicalize(localRequestName, false, false);

which fixed the exceptions, but the generated link is wrong. I don't know how to fix it.

--
Adrian Crum
Sandglass Software
www.sandglass-software.com