[
https://issues.apache.org/jira/browse/OFBIZ-8302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17224184#comment-17224184 ]
ASF subversion and git services commented on OFBIZ-8302:
--------------------------------------------------------
Commit 9cfd5a73e1a1a8df1056a025b4180e991905b76a in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[
https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9cfd5a7 ]
Fixed: Sorting of lists generates undesired results (OFBIZ-8302)
For this issue (OFBIZ-8302) I reverted the point 1 of
http://svn.apache.org/viewvc?view=revision&revision=1759555As reported by Alvaro Munoz from GH security team it's not sufficient:
<<the second part of the fix was not effective, since the attacker can close the
raw string context with a double quote and write a new attribute or even close
the macro tag and write arbitrary FreeMarker code.>>
So this removes the 2nd part and add better solution to fix the OFBIZ-8302 issue
The solution is to encode only the QueryString and to handle it correctly in
UtilHttp::getParameterMap. I must say it was not a sinecure!
# Conflicts:
# framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
# framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
