Fixed: XML Import fails due to security check (OFBIZ-12602)
When importing an entity with "${" in for at least an element it's rejected
because of the security check done to protect from Freemarker unauth attacks
(see OFBIZ-12594).

As suggested by Ingo, allowing users with appropriate permissions seems a
usable solution. We still need to define the "appropriate permissions".
We can start with OFBTOOLS and WEBTOOLS, as it's reported by Ingo, and add
others later if they ever come.

Thanks: Ingo Wolfmayr for report and suggestion
JacquesLeRoux committed Apr 20, 2022
1 parent 63ecc05 commit 5cc45e8
Showing 1 changed file with 8 additions and 4 deletions.
Expand Up @@ -134,10 +134,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
if (offset == -1) {
offset = requestUri.length();
}
if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
&& null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
&& SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, requestUri)) {
return;

GenericValue userLogin = (GenericValue) httpRequest.getSession().getAttribute("userLogin");
if (!LoginWorker.hasBasePermission(userLogin, httpRequest)) { // Allows UEL and FlexibleString (OFBIZ-12602)
if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
&& null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
&& SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, requestUri)) {
return;
}
}

while (!allowedPaths.contains(requestUri.substring(0, offset))) {
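Review bot: with the new outer `if (!LoginWorker.hasBasePermission(userLogin, httpRequest))`, the `SecurityUtil.containsFreemarkerInterpolation(...)` guard is skipped entirely for any session whose userLogin has base permission, so for those users a requestUri containing "${" proceeds straight to the `allowedPaths` loop with no trace that the OFBIZ-12594 check was bypassed. Consider emitting a warning log line in that branch when the URI would otherwise have been rejected, so an audit of a permitted account submitting interpolation-like input is possible, and add a test next to the existing `ControlFilterTests` exclusion that exercises the permitted path. Also, `httpRequest.getSession()` without an argument creates a session for requests that do not have one yet, before the check runs; `getSession(false)` with a null check on the returned session gives the same `userLogin == null` result for anonymous requests without allocating one.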