Posted to commits@ofbiz.apache.org by mb...@apache.org on 2022/07/21 13:15:43 UTC
[ofbiz-framework] branch release22.01 updated: Improved: Make loading of data containing urls configurable (OFBIZ-12670)
This is an automated email from the ASF dual-hosted git repository.
mbrohl pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new 0b36f12327 Improved: Make loading of data containing urls configurable (OFBIZ-12670)
0b36f12327 is described below
commit 0b36f12327a6afcbdf8840d9e35a167c911b0173
Author: Michael Brohl <mi...@ecomify.de>
AuthorDate: Tue Jul 19 13:34:58 2022 +0200
Improved: Make loading of data containing urls configurable
(OFBIZ-12670)
Introduces a SystemProperty security/security.datafile.loadurls.enable
which can be set to true to allow loading of urls in the XML import.
---
framework/webtools/config/WebtoolsUiLabels.xml | 4 ++++
.../main/java/org/apache/ofbiz/webtools/WebToolsServices.java | 9 ++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/framework/webtools/config/WebtoolsUiLabels.xml b/framework/webtools/config/WebtoolsUiLabels.xml
index 92f8c28b06..9cf9d79d21 100644
--- a/framework/webtools/config/WebtoolsUiLabels.xml
+++ b/framework/webtools/config/WebtoolsUiLabels.xml
@@ -2125,6 +2125,10 @@
<value xml:lang="zh">错误:读取文件名 ${filename}:${errorString}</value>
<value xml:lang="zh-TW">錯誤:讀取檔案名 ${filename}:${errorString}</value>
</property>
+ <property key="WebtoolsErrorDatafileLoadUrlNotEnabled">
+ <value xml:lang="en">ERROR: For security reason HTTP URLs are not accepted, see OFBIZ-12304. Rather load your data from a file or set SystemProperty security.datafile.loadurls.enable = true</value>
+ <value xml:lang="de">FEHLER: Aus Sicherheitsgründen wird das Laden von HTTP Urls nicht erlaubt. Laden Sie die Daten über eine Datei oder setzen Sie die SystemProperty security.datafile.loadurls.enable = true.</value>
+ </property>
<property key="WebtoolsErrorReadingTemplateFile">
<value xml:lang="en">ERROR: reading template file ${filename}: ${errorString}</value>
<value xml:lang="fr">ERREUR : lors de la lecture du fichier modèle ${filename}, une exception c'est levée (${errorString})</value>
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index c21169a3b5..dd99fd6b62 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -84,6 +84,7 @@ import org.apache.ofbiz.entity.util.EntityDataLoader;
import org.apache.ofbiz.entity.util.EntityListIterator;
import org.apache.ofbiz.entity.util.EntityQuery;
import org.apache.ofbiz.entity.util.EntitySaxReader;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
import org.apache.ofbiz.entityext.EntityGroupUtil;
import org.apache.ofbiz.security.Security;
import org.apache.ofbiz.service.DispatchContext;
@@ -108,6 +109,7 @@ public class WebToolsServices {
public static Map<String, Object> entityImport(DispatchContext dctx, Map<String, ? extends Object> context) {
GenericValue userLogin = (GenericValue) context.get("userLogin");
LocalDispatcher dispatcher = dctx.getDispatcher();
+ Delegator delegator = dctx.getDelegator();
Locale locale = (Locale) context.get("locale");
List<String> messages = new LinkedList<>();
@@ -145,10 +147,11 @@ public class WebToolsServices {
// #############################
// FM Template
// #############################
- if (UtilValidate.urlInString(fulltext)) {
+ if (UtilValidate.urlInString(fulltext)
+ && !"true".equals(EntityUtilProperties.getPropertyValue("security", "security.datafile.loadurls.enable", "false", delegator))) {
Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
- Debug.logInfo("Rather load your data from a file", MODULE);
- return null;
+ Debug.logInfo("Rather load your data from a file or set SystemProperty security.datafile.loadurls.enable = true", MODULE);
+ return ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE, "WebtoolsErrorDatafileLoadUrlNotEnabled", locale));
}
if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
File fmFile = new File(fmfilename);
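Review bot: When `security.datafile.loadurls.enable` is true, the rewritten condition at the FM Template check skips the OFBIZ-12304 guard without leaving any trace, so an import of URL-bearing text looks the same in the logs as an ordinary one. The value is read through `EntityUtilProperties.getPropertyValue` with the delegator, which suggests it can be overridden at runtime from the SystemProperty entity and not only from the properties file; a warning on the bypass path would make such a change visible. Splitting the condition as below keeps the rejection branch unchanged and adds that log line. The diffstat lists only two files, so the new key does not appear to get a documented default in the security properties file in this commit. The body of entityImport starts and ends outside this hunk.

```java
if (UtilValidate.urlInString(fulltext)) {
    boolean loadUrlsEnabled = "true".equals(EntityUtilProperties.getPropertyValue(
            "security", "security.datafile.loadurls.enable", "false", delegator));
    if (!loadUrlsEnabled) {
        // … unchanged: the two Debug log calls and the ServiceUtil.returnError(...) return …
    }
    // Guard deliberately bypassed by configuration: record it so operators can audit such imports.
    Debug.logWarning("security.datafile.loadurls.enable is true, importing data that contains URLs", MODULE);
}
```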