Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/07/29 15:59:29 UTC
[ofbiz-framework] branch release17.12 updated: Fixed:
IndexOutOfBoundsException on Entity Import (OFBIZ-12273)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 6271d22 Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)
6271d22 is described below
commit 6271d220b6ae726ec0d788efb5b315315982b6c2
Author: Nicolas Malin <ni...@nereide.fr>
AuthorDate: Wed Jul 28 14:32:36 2021 +0200
Fixed: IndexOutOfBoundsException on Entity Import (OFBIZ-12273)
Backport e4919d16ca33face162defb0e3a07373a8f9f374 from trunk
Removes the localhost (and 127.0.0.1) OOTB.
Allows using it through a "multi-property" (list) in security.properties.
Conflict handled by hand in security.properties
---
.../java/org/apache/ofbiz/base/util/UtilHttp.java | 37 ++++++++++++++++++----
framework/security/config/security.properties | 5 +++
2 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index bee720f..2de6a6a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -397,20 +397,20 @@ public final class UtilHttp {
}
public static Map<String, Object> canonicalizeParameterMap(Map<String, Object> paramMap) {
- for (Map.Entry<String, Object> paramEntry: paramMap.entrySet()) {
+ for (Map.Entry<String, Object> paramEntry : paramMap.entrySet()) {
if (paramEntry.getValue() instanceof String) {
String paramEntries = (String) paramEntry.getValue();
String[] stringValues = paramEntries.split(" ");
String params = "";
// Handles textareas, see OFBIZ-12249
- if (stringValues.length > 0) {
+ if (stringValues.length > 0 && !paramEntry.getKey().equals("DUMMYPAGE")) {
for (String s : stringValues) {
// if the string contains only an URL beginning by http or ftp => no change to keep special chars
if (UtilValidate.isValidUrl(s) && (s.indexOf("://") == 4 || s.indexOf("://") == 3)) {
- params = params + s + " " ;
+ params = params + s + " ";
} else if (UtilValidate.isUrl(s) && !s.isEmpty()) {
// if the string contains not only an URL => concatenate possible canonicalized before and after, w/o changing the URL
- String url = extractUrls(s).get(0); // THere should be only 1 URL in a block, makes no sense else
+ String url = extractUrls(s).get(0); // There should be only 1 URL in a block, makes no sense else
int start = s.indexOf(url);
String after = (String) s.subSequence(start + url.length(), s.length());
params = params + canonicalizeParameter((String) s.subSequence(0, start)) + url + canonicalizeParameter(after) + " ";
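Review bot: `extractUrls(s).get(0)` on the changed line is still unguarded, so any token for which `UtilValidate.isUrl(s)` holds but `extractUrls` returns nothing (no regex match and none of the configured values present) will raise the same IndexOutOfBoundsException this commit sets out to fix. Assigning `List<String> urls = extractUrls(s);` and falling back to `params = params + canonicalizeParameter(s) + " ";` when `urls.isEmpty()` before indexing would make the branch safe regardless of how the two checks drift apart. The added condition `stringValues.length > 0` is always true, because `String.split` never returns an empty array, so the new `if` reduces to the `DUMMYPAGE` key check; that hard-coded key would read better as a named constant with a comment saying why this parameter is exempt from canonicalization. canonicalizeParameterMap continues outside the hunk.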
@@ -1722,11 +1722,34 @@ public final class UtilHttp {
"([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)*)*" +
"(#([-\\w~!$+|.,*:=]|%[a-f\\d]{2})*)?\\b");
- java.util.regex.Matcher matcher = pattern.matcher(input);
- while (matcher.find()) {
- result.add(matcher.group());
+ List<String> allowedProtocols = getAllowedProtocols();
+ for (String protocol : allowedProtocols) {
+ if (input.contains(protocol)) {
+ result.add(input);
+ }
+ }
+
+ if (result.isEmpty()) {
+ java.util.regex.Matcher matcher = pattern.matcher(input);
+ while (matcher.find()) {
+ result.add(matcher.group());
+ }
}
return result;
}
+
+ private static List<String> getAllowedProtocols() {
+ List<String> allowedProtocolList = new LinkedList<>();
+ allowedProtocolList.add("component://");
+ String allowedProtocols = UtilProperties.getPropertyValue("security", "allowedProtocols");
+ if (UtilValidate.isNotEmpty(allowedProtocols)) {
+ List<String> allowedProtocolsList = StringUtil.split(allowedProtocols, ",");
+ for (String protocol : allowedProtocolsList) {
+ allowedProtocolList.add(protocol);
+ }
+ }
+ return allowedProtocolList;
+ }
+
}
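Review bot: The new loop at the top of the hunk treats the whole `input` as a single URL as soon as an allowed value appears anywhere in it (`input.contains(protocol)`), so for a token in which `localhost` occurs as plain text rather than as the URL host, the caller's `s.indexOf(url)` becomes 0 and nothing around the match passes through `canonicalizeParameter`; this widens the exemption beyond the localhost URLs the commit intends, and matching only at the host position (the substring immediately following `://`) would keep sanitization for the rest of the token. The loop also adds `input` once per matching entry, so `result.add(input); break;` is the intended shape. In `getAllowedProtocols`, `new LinkedList<>()` plus the copy loop can be `new ArrayList<>()` with `allowedProtocolList.addAll(StringUtil.split(allowedProtocols, ","));`, and the name is misleading since the configured values (`localhost`, `127.0.0.1`) are hosts, not protocols — a Javadoc line saying that `component://` is always included and the property adds host or scheme substrings would help the next reader. The enclosing extractUrls method starts outside the hunk, so the name of its `input` parameter is inferred.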
diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 98f3a23..c19ccc6 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -178,3 +178,8 @@ templateClassResolver=
#-- people may like to allow more than what is allowed OOTB
#-- As it name says, allowAllUploads opens all possibilities
allowAllUploads=
+
+#-- If you need to use localhost or 127.0.0.1 in textareas URLs then you can uncomment the allowedProtocols property, here given as an example
+#-- You may also put other protocols you want to use, instead or with those
+allowedProtocols=localhost,127.0.0.1
+
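Review bot: The added `#--` comment says the `allowedProtocols` property is "given as an example" to uncomment, but the line beneath it is live: `allowedProtocols=localhost,127.0.0.1` is active out of the box, which also contradicts the commit message's "Removes the localhost (and 127.0.0.1) OOTB". If the documented intent is the right one, ship it commented out as `#allowedProtocols=localhost,127.0.0.1` so the exemption is opt-in. It would also help to state in the comment that `component://` is accepted regardless of this property, since the Java side adds it unconditionally.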