[ https://issues.apache.org/jira/browse/OFBIZ-8302?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17224187#comment-17224187 ]
ASF subversion and git services commented on OFBIZ-8302:
--------------------------------------------------------
Commit cd242ea34ce38a0bb0182359ac2ed4f7952104b9 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=cd242ea ]
Fixed: Sorting of lists generates undesired results (OFBIZ-8302)
For this issue (OFBIZ-8302) I reverted point 1 of
http://svn.apache.org/viewvc?view=revision&revision=1759555
As reported by Alvaro Munoz from the GH security team, it's not sufficient:
<<the second part of the fix was not effective, since the attacker can close the
raw string context with a double quote and write a new attribute or even close
the macro tag and write arbitrary FreeMarker code.>>
So this removes the 2nd part and adds a better solution to fix the OFBIZ-8302 issue.
The solution is to encode only the QueryString and to handle it correctly in
UtilHttp::getParameterMap. I must say it was not a sinecure!
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
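The two bypasses quoted in the commit message (terminating the raw string literal with a double quote, then either appending a new attribute or closing the macro tag and writing arbitrary template code) and the reasoning behind the replacement fix (encode the query string before it can reach template source, decode it once on the server side) can be illustrated stand-alone. The following is an added example, not OFBiz or FreeMarker code: `wrap_in_raw_string`, `breaks_out_of_literal`, `encode_query_string`, `parameter_map` and `template_safe` are hypothetical helpers, and the query strings are constructed.

```python
# Added illustration, not OFBiz/FreeMarker code: a hypothetical wrap_in_raw_string()
# mimics quoting a value into an r"..." template literal, and encode_query_string()
# / parameter_map() mimic percent-encoding the query string and decoding it on the
# server side. All names and the sample query strings are constructed.
from urllib.parse import quote, unquote_plus, parse_qs


def wrap_in_raw_string(value: str) -> str:
    """Drop the value into a raw string literal, as the reverted fix did.
    Backslashes lose their meaning inside r"...", but a double quote still
    terminates the literal, so the value itself must never contain one."""
    return 'r"' + value + '"'


def breaks_out_of_literal(literal: str) -> bool:
    """True when the literal's body carries a '"' that ends it early; everything
    after that quote is then parsed as template syntax (a new attribute, or a
    closing '>' followed by arbitrary directives)."""
    body = literal[len('r"'):-1]
    return '"' in body


def encode_query_string(qs: str) -> str:
    """Percent-encode each key and value, leaving only unreserved characters
    (A-Z, a-z, 0-9, '-', '_', '.', '~') plus the '=' and '&' separators.
    Input is decoded first so already-encoded bytes are not encoded twice,
    which keeps the function idempotent."""
    pairs = []
    for pair in qs.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        pairs.append(quote(unquote_plus(key), safe='') + '='
                     + quote(unquote_plus(value), safe=''))
    return '&'.join(pairs)


def parameter_map(encoded_qs: str) -> dict:
    """Decode on the server side, the role UtilHttp::getParameterMap plays in
    the commit message; first value wins for repeated keys."""
    return {k: v[0] for k, v in parse_qs(encoded_qs, keep_blank_values=True).items()}


def template_safe(encoded_qs: str) -> bool:
    """No character that could close a string literal or a macro tag survives."""
    return not any(c in encoded_qs for c in '"<>$#{}')


if __name__ == '__main__':
    # Constructed attacker inputs matching the two bypasses quoted above.
    new_attribute = 'name" other="x'
    close_tag = 'name"/><#assign x=1>'
    for payload in (new_attribute, close_tag):
        print(breaks_out_of_literal(wrap_in_raw_string(payload)))  # True
        enc = encode_query_string('sortField=' + payload + '&pageSize=10')
        print(enc, template_safe(enc), parameter_map(enc))
```

The point of the contrast: quoting is a property of the template grammar and can be undone by one character the grammar treats specially, whereas percent-encoding the query string leaves nothing in the template source that the grammar can interpret, and the original value is only recovered after parsing, in the parameter map.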