Posted to notifications@ofbiz.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/06/07 12:54:00 UTC

[jira] [Commented] (OFBIZ-12602) XML Import fails due to security check

    [ https://issues.apache.org/jira/browse/OFBIZ-12602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17550982#comment-17550982 ] 

ASF subversion and git services commented on OFBIZ-12602:
---------------------------------------------------------

Commit ae146e02efdfdd40e3f4153d5e2afca02481a091 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=ae146e02ef ]

Improved: XML Import fails due to security check (OFBIZ-12602)

Hide the "Received a null Security object from HttpServletRequest" warning when
ControlFilter is in the StackTrace.


> XML Import fails due to security check
> --------------------------------------
>
>                 Key: OFBIZ-12602
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-12602
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework/webtools
>    Affects Versions: 17.12.09, 18.12.05, Upcoming Branch
>            Reporter: Ingo Wolfmayr
>            Assignee: Jacques Le Roux
>            Priority: Minor
>             Fix For: 18.12.06, 22.01.01
>
>         Attachments: OFBIZ-12602.patch
>
>
> When importing an entity like
>  
> {code:java}
> <SystemProperty systemResourceId="catalog"
>     systemPropertyId="image.server.path"
>     systemPropertyValue="${sys:getProperty("ofbiz.home")}/themes/common-theme/webapp/images/${tenantId}"
>     description="Image upload path on the server."
>     lastUpdatedStamp="2022-04-14 12:00:12.597" lastUpdatedTxStamp="2022-04-14 12:00:12.596"
>     createdStamp="2022-04-14 12:00:12.597" createdTxStamp="2022-04-14 12:00:12.596"/>
> {code}
>  
> I get the following info message.
> {code:java}
> HTTP Status 403 – Forbidden
> Type Status Report
> Message Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields!
> Description The server understood the request but refuses to authorize it.
> {code}
> I do have the same problem when I try to update the value via entity maintenance. Importing an XML file works.
> Would it make sense to bypass the check if the user has the appropriate permissions?
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
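
An added example, not OFBiz code and not part of the original message: a pre-import check that parses entity XML and lists every field whose value contains one of the strings named in the 403 message above, so the affected records can be identified before the data is submitted. It assumes the check applies per field value; the `<entity-engine-xml>` wrapper, the second record and the name `find_rejected_fields` are constructed for illustration, and the inner quotes of the reported record are written as `&quot;` so the sample is well-formed XML.

```python
import xml.etree.ElementTree as ET

# Strings named in the 403 message quoted on this page.
REJECTED_MARKERS = ("${", "<#", "#{", "[=", "[#")

# Constructed sample: the SystemProperty record from the report (inner quotes
# written as &quot; so it parses) plus one constructed record with a plain value.
SAMPLE_XML = """<entity-engine-xml>
  <SystemProperty systemResourceId="catalog" systemPropertyId="image.server.path"
      systemPropertyValue="${sys:getProperty(&quot;ofbiz.home&quot;)}/themes/common-theme/webapp/images/${tenantId}"
      description="Image upload path on the server."/>
  <SystemProperty systemResourceId="catalog" systemPropertyId="image.example.path"
      systemPropertyValue="/var/data/images" description="Constructed record with no markers."/>
</entity-engine-xml>"""


def find_rejected_fields(xml_text):
    """Return one finding per (record, field, marker) whose value contains the marker."""
    findings = []
    # The stdlib parser is adequate for an operator's own data file; it is not
    # hardened against hostile XML.
    root = ET.fromstring(xml_text)
    for index, record in enumerate(root):
        # Assumption: each child of the root is one entity record; its fields are
        # its attributes, or the text of a child element for long values.
        fields = dict(record.attrib)
        for child in record:
            fields[child.tag] = child.text or ""
        for name, value in fields.items():
            for marker in REJECTED_MARKERS:
                hits = value.count(marker)
                if hits:
                    findings.append({"record": index, "entity": record.tag,
                                     "field": name, "marker": marker, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in find_rejected_fields(SAMPLE_XML):
        print("record %(record)d %(entity)s.%(field)s contains %(marker)r x%(hits)d" % f)
```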