Posted to notifications@ofbiz.apache.org by "Ingo Wolfmayr (Jira)" <ji...@apache.org> on 2022/04/20 08:12:00 UTC
[jira] [Created] (OFBIZ-12602) XML Import fails due to security check
Ingo Wolfmayr created OFBIZ-12602:
-------------------------------------
Summary: XML Import fails due to security check
Key: OFBIZ-12602
URL: https://issues.apache.org/jira/browse/OFBIZ-12602
Project: OFBiz
Issue Type: Bug
Affects Versions: Upcoming Branch
Reporter: Ingo Wolfmayr
When importing an entity like
{code:java}
<SystemProperty systemResourceId="catalog"
    systemPropertyId="image.server.path"
    systemPropertyValue="${sys:getProperty("ofbiz.home")}/themes/common-theme/webapp/images/${tenantId}"
    description="Image upload path on the server."
    lastUpdatedStamp="2022-04-14 12:00:12.597"
    lastUpdatedTxStamp="2022-04-14 12:00:12.596"
    createdStamp="2022-04-14 12:00:12.597"
    createdTxStamp="2022-04-14 12:00:12.596"/>
{code}
I get the following info message.
{code:java}
HTTP Status 403 – Forbidden
Type Status Report
Message Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields!
Description The server understood the request but refuses to authorize it.
{code}
I do have the same problem when I try to update the value via entity maintenance. Importing an XML file works.
Would it make sense to bypass the check if the user has the appropriate permissions?
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
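
A pre-import check that lists which fields of an entity XML data file contain the marker strings named in the 403 message above. This is an added example, not OFBiz code and not from the reporter: the function name and the sample data are constructed, and it mirrors only the substring list from the error message, not OFBiz's actual filter logic.

```python
import xml.etree.ElementTree as ET

# Marker strings copied from the 403 message quoted in the report.
REJECTED_MARKERS = ("${", "<#", "#{", "[=", "[#")

# Constructed sample data (not the reporter's file). Quotes inside the
# expression are written as &quot; so the document is well-formed XML.
SAMPLE_XML = """<entity-engine-xml>
  <SystemProperty systemResourceId="catalog"
      systemPropertyId="image.server.path"
      systemPropertyValue="${sys:getProperty(&quot;ofbiz.home&quot;)}/images/${tenantId}"
      description="Image upload path on the server."/>
  <SystemProperty systemResourceId="catalog"
      systemPropertyId="example.plain.value"
      systemPropertyValue="plain-value"
      description="No template markers here."/>
</entity-engine-xml>"""


def find_rejected_fields(xml_text):
    """Return (entity, field, markers) for every field value that contains
    one of the marker strings, in document order."""
    findings = []
    root = ET.fromstring(xml_text)
    for element in root.iter():
        # Field values can be carried as attributes or as element text.
        values = list(element.attrib.items())
        if element.text and element.text.strip():
            values.append(("#text", element.text))
        for field, value in values:
            hits = [m for m in REJECTED_MARKERS if m in value]
            if hits:
                findings.append((element.tag, field, hits))
    return findings


if __name__ == "__main__":
    for entity, field, hits in find_rejected_fields(SAMPLE_XML):
        print(f"{entity}.{field}: contains {', '.join(hits)}")
```

Running it over a data file before import shows exactly which records would trip the check, so they can be reviewed individually.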