Posted to notifications@ofbiz.apache.org by "Ingo Wolfmayr (Jira)" <ji...@apache.org> on 2022/04/20 08:12:00 UTC

[jira] [Created] (OFBIZ-12602) XML Import fails due to security check

Ingo Wolfmayr created OFBIZ-12602:
-------------------------------------

             Summary: XML Import fails due to security check
                 Key: OFBIZ-12602
                 URL: https://issues.apache.org/jira/browse/OFBIZ-12602
             Project: OFBiz
          Issue Type: Bug
    Affects Versions: Upcoming Branch
            Reporter: Ingo Wolfmayr


When importing an entity like

 
{code:java}
<SystemProperty systemResourceId="catalog" 
systemPropertyId="image.server.path" systemPropertyValue="${sys:getProperty("ofbiz.home")}/themes/common-theme/webapp/images/${tenantId}" description="Image upload path on the server." lastUpdatedStamp="2022-04-14 12:00:12.597" lastUpdatedTxStamp="2022-04-14 12:00:12.596" createdStamp="2022-04-14 12:00:12.597" createdTxStamp="2022-04-14 12:00:12.596"/>
{code}
 

I get the following info message.
{code:java}
HTTP Status 403 – Forbidden
Type Status Report
Message Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields!
Description The server understood the request but refuses to authorize it.
{code}
I do have the same problem when I try to update the value via entity maintenance. Importing an XML file works.

Would it make sense to bypass the check if the user has the appropriate permissions?

 

 



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
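
A pre-flight check for entity data files, added here as an example and not taken from OFBiz or from the reporter: it scans every attribute and text value for the marker strings quoted in the 403 message above and reports which entity and field would trip the check. The marker list is copied from that message; the function name and the sample rows (including the second property and the single-quoted inner string) are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Marker strings exactly as listed in the 403 message on this page.
DENIED_MARKERS = ("${", "<#", "#{", "[=", "[#")

# Constructed sample modelled on the SystemProperty row in the report.
# Inner quotes are single quotes here so the attribute is well-formed XML.
SAMPLE = """<entity-engine-xml>
  <SystemProperty systemResourceId="catalog" systemPropertyId="image.server.path"
      systemPropertyValue="${sys:getProperty('ofbiz.home')}/themes/common-theme/webapp/images/${tenantId}"
      description="Image upload path on the server."/>
  <SystemProperty systemResourceId="catalog" systemPropertyId="image.url.prefix"
      systemPropertyValue="/images" description="Plain value, no markers."/>
</entity-engine-xml>"""


def find_denied_fields(xml_text):
    """Return (entity, field, [markers]) for each value containing a denied marker.

    Values are checked after XML unescaping, so '&lt;#' in the file is seen
    as '<#', which is the form a field-level check would receive.
    Only run this on data files you already trust: the standard-library
    parser is not hardened against entity-expansion input.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        values = list(elem.attrib.items())
        # Element text can also carry field values; ignore pure whitespace.
        if elem.text and elem.text.strip():
            values.append(("#text", elem.text))
        for field, value in values:
            hits = [m for m in DENIED_MARKERS if m in value]
            if hits:
                findings.append((elem.tag, field, hits))
    return findings


if __name__ == "__main__":
    for entity, field, hits in find_denied_fields(SAMPLE):
        print(f"{entity}.{field}: contains {', '.join(hits)}")
```
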