Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/04/20 08:31:00 UTC

[jira] [Assigned] (OFBIZ-12602) XML Import fails due to security check

     [ https://issues.apache.org/jira/browse/OFBIZ-12602?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux reassigned OFBIZ-12602:
---------------------------------------

    Assignee: Jacques Le Roux

> XML Import fails due to security check
> --------------------------------------
>
>                 Key: OFBIZ-12602
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12602
>             Project: OFBiz
>          Issue Type: Bug
>    Affects Versions: Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Minor
>
> When importing an entity like
>  
> {code:java}
> <SystemProperty systemResourceId="catalog" 
> systemPropertyId="image.server.path" systemPropertyValue="${sys:getProperty("ofbiz.home")}/themes/common-theme/webapp/images/${tenantId}" description="Image upload path on the server." lastUpdatedStamp="2022-04-14 12:00:12.597" lastUpdatedTxStamp="2022-04-14 12:00:12.596" createdStamp="2022-04-14 12:00:12.597" createdTxStamp="2022-04-14 12:00:12.596"/>{code}
>  
> I get the following info message.
> {code:java}
> HTTP Status 403 – Forbidden
> Type Status Report
> Message Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields!
> Description The server understood the request but refuses to authorize it.
> {code}
> I do have the same problem when I try to update the value via entity maintenance. Importing an XML file works.
> Would it make sense to bypass the check if the user has the appropriate permissions?
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)