Posted to commits@ofbiz.apache.org by mb...@apache.org on 2022/07/21 13:15:04 UTC

[ofbiz-framework] branch trunk updated: Improved: Make loading of data containing urls configurable (OFBIZ-12670)

This is an automated email from the ASF dual-hosted git repository.

mbrohl pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 20ccb4dcfd Improved: Make loading of data containing urls configurable (OFBIZ-12670)
20ccb4dcfd is described below

commit 20ccb4dcfd79ab2fdbf8844ebd3be523e30e906f
Author: Michael Brohl <mi...@ecomify.de>
AuthorDate: Tue Jul 19 12:57:58 2022 +0200

    Improved: Make loading of data containing urls configurable
    (OFBIZ-12670)
    
    Introduces a SystemProperty security#security.datafile.loadurls.enable
    which can be set to true to allow loading of urls in the XML import.
---
 framework/webtools/config/WebtoolsUiLabels.xml                   | 4 ++++
 .../main/java/org/apache/ofbiz/webtools/WebToolsServices.java    | 9 ++++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/framework/webtools/config/WebtoolsUiLabels.xml b/framework/webtools/config/WebtoolsUiLabels.xml
index 92f8c28b06..9cf9d79d21 100644
--- a/framework/webtools/config/WebtoolsUiLabels.xml
+++ b/framework/webtools/config/WebtoolsUiLabels.xml
@@ -2125,6 +2125,10 @@
         <value xml:lang="zh">错误:读取文件名 ${filename}:${errorString}</value>
         <value xml:lang="zh-TW">錯誤:讀取檔案名 ${filename}:${errorString}</value>
     </property>
+    <property key="WebtoolsErrorDatafileLoadUrlNotEnabled">
+        <value xml:lang="en">ERROR: For security reason HTTP URLs are not accepted, see OFBIZ-12304. Rather load your data from a file or set SystemProperty security.datafile.loadurls.enable = true</value>
+        <value xml:lang="de">FEHLER: Aus Sicherheitsgründen wird das Laden von HTTP Urls nicht erlaubt. Laden Sie die Daten über eine Datei oder setzen Sie die SystemProperty security.datafile.loadurls.enable = true.</value>
+    </property>
     <property key="WebtoolsErrorReadingTemplateFile">
         <value xml:lang="en">ERROR: reading template file ${filename}: ${errorString}</value>
         <value xml:lang="fr">ERREUR : lors de la lecture du fichier modèle ${filename}, une exception c'est levée (${errorString})</value>
diff --git a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
index c21169a3b5..dd99fd6b62 100644
--- a/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
+++ b/framework/webtools/src/main/java/org/apache/ofbiz/webtools/WebToolsServices.java
@@ -84,6 +84,7 @@ import org.apache.ofbiz.entity.util.EntityDataLoader;
 import org.apache.ofbiz.entity.util.EntityListIterator;
 import org.apache.ofbiz.entity.util.EntityQuery;
 import org.apache.ofbiz.entity.util.EntitySaxReader;
+import org.apache.ofbiz.entity.util.EntityUtilProperties;
 import org.apache.ofbiz.entityext.EntityGroupUtil;
 import org.apache.ofbiz.security.Security;
 import org.apache.ofbiz.service.DispatchContext;
@@ -108,6 +109,7 @@ public class WebToolsServices {
     public static Map<String, Object> entityImport(DispatchContext dctx, Map<String, ? extends Object> context) {
         GenericValue userLogin = (GenericValue) context.get("userLogin");
         LocalDispatcher dispatcher = dctx.getDispatcher();
+        Delegator delegator = dctx.getDelegator();
         Locale locale = (Locale) context.get("locale");
         List<String> messages = new LinkedList<>();
 
@@ -145,10 +147,11 @@ public class WebToolsServices {
         // #############################
         // FM Template
         // #############################
-        if (UtilValidate.urlInString(fulltext)) {
+        if (UtilValidate.urlInString(fulltext)
+                && !"true".equals(EntityUtilProperties.getPropertyValue("security", "security.datafile.loadurls.enable", "false", delegator))) {
             Debug.logError("For security reason HTTP URLs are not accepted, see OFBIZ-12304", MODULE);
-            Debug.logInfo("Rather load your data from a file", MODULE);
-            return null;
+            Debug.logInfo("Rather load your data from a file or set SystemProperty security.datafile.loadurls.enable = true", MODULE);
+            return ServiceUtil.returnError(UtilProperties.getMessage(RESOURCE, "WebtoolsErrorDatafileLoadUrlNotEnabled", locale));
         }
         if (UtilValidate.isNotEmpty(fmfilename) && (UtilValidate.isNotEmpty(fulltext) || url != null)) {
             File fmFile = new File(fmfilename);
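Review bot: When `security.datafile.loadurls.enable` is true, the rewritten condition in `entityImport` skips the guard silently, so an import whose text contains a URL proceeds with no log entry recording that the OFBIZ-12304 restriction was not applied. Adding, right after the guard's closing brace, `if (UtilValidate.urlInString(fulltext)) { Debug.logWarning("Import data contains a URL; accepted because security.datafile.loadurls.enable = true", MODULE); }` would give operators an audit trail for such imports. Because the flag is read through the delegator, it can presumably be changed at runtime by anyone able to write SystemProperty records. A comment above the check should therefore state that the default must stay `false` and that enabling it removes the protection introduced for OFBIZ-12304. The body of `entityImport` starts before and continues after this hunk.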