Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/04/20 12:17:04 UTC

[ofbiz-framework] branch release22.01 updated: Fixed: XML Import fails due to security check (OFBIZ-12602)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release22.01 by this push:
     new aead955798 Fixed: XML Import fails due to security check (OFBIZ-12602)
aead955798 is described below

commit aead9557982bc17705e39a11a53ae21878a4b0b6
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Wed Apr 20 13:56:25 2022 +0200

    Fixed: XML Import fails due to security check (OFBIZ-12602)
    
    When importing an entity with "${" in at least one element, it's rejected
    because of the security check done to protect from Freemarker unauth attacks
    (see OFBIZ-12594).
    
    As suggested by Ingo, allowing users with appropriate permissions seems a
    usable solution. We still need to define the "appropriate permissions".
    We can start with OFBTOOLS and WEBTOOLS, as it's reported by Ingo, and add
    others later if they ever come.
    
    Thanks: Ingo Wolfmayr for report and suggestion
---
 .../java/org/apache/ofbiz/webapp/control/ControlFilter.java   | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index b0e57181a2..302df37f51 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -149,11 +149,14 @@ public class ControlFilter extends HttpFilter {
             String uriWithContext = req.getRequestURI();
             String uri = uriWithContext.substring(context.length());
 
+            GenericValue userLogin = (GenericValue) session.getAttribute("userLogin");
 
-            if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
-                    && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
-                    && SecurityUtil.containsFreemarkerInterpolation(req, resp, uri)) {
-                return;
+            if (!LoginWorker.hasBasePermission(userLogin, req)) { // Allows UEL and
+                if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
+                        && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
+                        && SecurityUtil.containsFreemarkerInterpolation(req, resp, uri)) {
+                    return;
+                }
             }
 
             // Check if the requested URI is allowed.
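Review bot: The gate at `if (!LoginWorker.hasBasePermission(userLogin, req))` is wider than the commit message describes: the message talks about starting with OFBTOOLS and WEBTOOLS, but the hunk skips the Freemarker interpolation check for any user who holds the base permission of whatever webapp the request hits, so every webapp's base permission now also grants a bypass of the OFBIZ-12594 protection. Either restrict the condition to the intended permissions or document in the commit message that base permission on any webapp is the chosen scope. Two smaller points on the same lines: `userLogin` comes straight from `session.getAttribute("userLogin")` and can be null for an anonymous request, so confirm `LoginWorker.hasBasePermission` treats a null login as "no permission" rather than throwing, and the trailing comment `// Allows UEL and` is cut off mid-sentence and should be completed or dropped. The `import` for `LoginWorker` is not visible in this hunk; check that `ControlFilter` already imports it, since the diff adds no import line.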