Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2022/04/20 12:22:00 UTC
[jira] [Closed] (OFBIZ-12602) XML Import fails due to security check
[ https://issues.apache.org/jira/browse/OFBIZ-12602?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-12602.
-----------------------------------
Fix Version/s: 18.12.06, 22.01.01
Resolution: Fixed
> XML Import fails due to security check
> --------------------------------------
>
> Key: OFBIZ-12602
> URL: https://issues.apache.org/jira/browse/OFBIZ-12602
> Project: OFBiz
> Issue Type: Bug
> Components: framework/webtools
> Affects Versions: 17.12.09, 18.12.05, Upcoming Branch
> Reporter: Ingo Wolfmayr
> Assignee: Jacques Le Roux
> Priority: Minor
> Fix For: 18.12.06, 22.01.01
>
> Attachments: OFBIZ-12602.patch
>
>
> When importing an entity like
>
> {code:java}
> <SystemProperty systemResourceId="catalog"
>     systemPropertyId="image.server.path"
>     systemPropertyValue="${sys:getProperty(&quot;ofbiz.home&quot;)}/themes/common-theme/webapp/images/${tenantId}"
>     description="Image upload path on the server."
>     lastUpdatedStamp="2022-04-14 12:00:12.597" lastUpdatedTxStamp="2022-04-14 12:00:12.596"
>     createdStamp="2022-04-14 12:00:12.597" createdTxStamp="2022-04-14 12:00:12.596"/>
> {code}
>
> I get the following info message.
> {code:java}
> HTTP Status 403 – Forbidden
> Type Status Report
> Message Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields!
> Description The server understood the request but refuses to authorize it.
> {code}
> I do have the same problem when I try to update the value via entity maintenance. Importing an XML file works.
> Would it make sense to bypass the check if the user has the appropriate permissions?
>
>
--
This message was sent by Atlassian Jira
(v8.20.7#820007)