Fixed: Avoid exploit using .. special name in request uri.

Before, a user could bypass webapp filter rules using `..` notation allowing to access to the complete docBase provided by tomcat. Example `w3m https://localhost:8443/partymgr/control/../a.txt` could be used to access `a.txt` file in partymgr webapp, even though `control` is needed to pass filter rules.
apache · Dec 15, 2023 · d7456c9 · d7456c9
1 parent 82c1737
commit d7456c9
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -19,6 +19,7 @@
 package org.apache.ofbiz.webapp.control;
 
 import java.io.IOException;
+import java.nio.file.Paths;
 import java.util.HashSet;
 import java.util.Set;
 
@@ -130,6 +131,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             // check to make sure the requested url is allowed
             // get the request URI without the webapp mount point
             String requestUri = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
+
+            // normalize to remove ".." special name usage to bypass webapp filter
+            requestUri = Paths.get(requestUri).normalize().toString();
             int offset = requestUri.indexOf("/", 1);
             if (offset == -1) {
                 offset = requestUri.length();