Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/09/07 07:42:46 UTC

svn commit: r1759555 - /ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

Author: jleroux
Date: Wed Sep  7 07:42:45 2016
New Revision: 1759555

URL: http://svn.apache.org/viewvc?rev=1759555&view=rev
Log:
Fixes a vulnerability in the form widget sort-order element 
By manipulating the URL parameter externalLoginKey it is possible to pass valid Freemarker directives to the Template Engine that are reflected on the webpage
With Freemarker it is possible to create and use Java classes that implement the TemplateModel, including the freemarker.template.utility.Execute class
An attacker can pass arbitrary commands via this class, which are executed on the server.

This fixes it using 2 redundant mechanisms (better safe than sorry):
1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");

Modified:
    ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

Modified: ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java?rev=1759555&r1=1759554&r2=1759555&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java (original)
+++ ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java Wed Sep  7 07:42:45 2016
@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
+import java.net.URLEncoder;
 import java.rmi.server.UID;
 import java.sql.Timestamp;
 import java.util.HashSet;
@@ -2866,6 +2867,7 @@ public final class MacroFormRenderer imp
             String newQueryString = sb.toString();
             String urlPath = UtilHttp.removeQueryStringFromTarget(paginateTarget);
             linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(newQueryString));
+            linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
         }
         StringWriter sr = new StringWriter();
         sr.append("<@renderSortField ");
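Review bot: `URLEncoder.encode(linkUrl, "UTF-8")` on the added line applies application/x-www-form-urlencoded encoding to the entire link, so the `/`, `:`, `?`, `&` and `=` of the path and query string that `rh.makeLink` just built come out as `%2F`, `%3F`, `%26` and so on, and spaces become `+`; the value handed to `renderSortField` is no longer a usable href unless the macro decodes it again, which should be confirmed against the ftl and stated here either way, e.g. `// Whole-URL form encoding: neutralises FreeMarker syntax (${, <#, ") before this string is parsed as template source; the macro must undo it`. The root cause is that a request-derived value (externalLoginKey, per the log) is concatenated into FreeMarker template text that is subsequently parsed, and encoding one field works around that rather than removing it: any other value spliced into this `<@renderSortField` call the same way (e.g. `titleText` in the next hunk, if it can carry request data — not visible here) has the same exposure. Passing such values through the template data model instead of the template source, or rejecting an externalLoginKey that does not match the server-issued format, would close the vector rather than encode around it. The enclosing method starts before and continues past this hunk.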
@@ -2873,7 +2875,7 @@ public final class MacroFormRenderer imp
         sr.append(sortFieldStyle);
         sr.append("\" title=\"");
         sr.append(titleText);
-        sr.append("\" linkUrl=\"");
+        sr.append("\" linkUrl=r\"");
         sr.append(linkUrl);
         sr.append("\" ajaxEnabled=");
         sr.append(Boolean.toString(ajaxEnabled));
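Review bot: The `r"` prefix added on the `linkUrl=` line makes FreeMarker treat the literal as a raw string, so `${`/`#{` and backslash sequences inside it are not interpreted, but a raw string is still terminated by an unescaped `"`; on its own this does not stop a breakout, and it only holds because quotes are `%`-encoded by the `URLEncoder.encode` call in the previous hunk. That coupling should be recorded on the line, e.g. `// raw string: no ${} interpolation; quotes are already %-encoded upstream, which is what keeps the literal closed`. `titleText` two lines above is still written into an ordinary `"..."` literal — if it can contain request data (its origin is outside this hunk), it has exactly the template-injection exposure this commit fixes for linkUrl. The enclosing method continues beyond this hunk.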