You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2016/09/07 07:42:46 UTC
svn commit: r1759555 -
/ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
Author: jleroux
Date: Wed Sep 7 07:42:45 2016
New Revision: 1759555
URL: http://svn.apache.org/viewvc?rev=1759555&view=rev
Log:
Fixes a vulnerability in the form widget sort-order element
By manipulating the UL parameter externalLoginKey it is possible to pass valid Freemarker directives to the Template Engine that are reflected on the webpage
With Freemarker it is possible to create and use Java classes that implement the TemplateModel, including the freemarker.template.utility.Execute class
An attacker can pass arbitary commands via this class, which are executed on the server.
This fixes it using 2 redundant mechanisms (better safe than sorry):
1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
Modified:
ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
Modified: ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java?rev=1759555&r1=1759554&r2=1759555&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java (original)
+++ ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java Wed Sep 7 07:42:45 2016
@@ -22,6 +22,7 @@ import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.io.StringWriter;
+import java.net.URLEncoder;
import java.rmi.server.UID;
import java.sql.Timestamp;
import java.util.HashSet;
@@ -2866,6 +2867,7 @@ public final class MacroFormRenderer imp
String newQueryString = sb.toString();
String urlPath = UtilHttp.removeQueryStringFromTarget(paginateTarget);
linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(newQueryString));
+ linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
}
StringWriter sr = new StringWriter();
sr.append("<@renderSortField ");
@@ -2873,7 +2875,7 @@ public final class MacroFormRenderer imp
sr.append(sortFieldStyle);
sr.append("\" title=\"");
sr.append(titleText);
- sr.append("\" linkUrl=\"");
+ sr.append("\" linkUrl=r\"");
sr.append(linkUrl);
sr.append("\" ajaxEnabled=");
sr.append(Boolean.toString(ajaxEnabled));