[ofbiz-framework] branch release18.12 updated: Fixed: Server-Side Template Injection using Static (OFBIZ-11871)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch release18.12 updated: Fixed: Server-Side Template Injection using Static (OFBIZ-11871)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 1866a3c  Fixed: Server-Side Template Injection using Static (OFBIZ-11871)
1866a3c is described below

commit 1866a3c4649f282c877563d0108b8f45b0c62042
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Aug 3 10:23:40 2020 +0200

    Fixed: Server-Side Template Injection using Static (OFBIZ-11871)
   
    Thanks to Alvaro's explanations, the problem was in MacroFormRenderer where, for
    lookups, we retrieve _LAST_VIEW_NAME_ as a parameter without encoding it.
   
    Thanks: Alvaro for advice
   
    Conflicts handled by hand in UtilHttp.java
---
 .../src/main/java/org/apache/ofbiz/base/util/UtilHttp.java    | 11 +++++++++++
 .../apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java |  1 +
 2 files changed, 12 insertions(+)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index b54d613..d063719 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -27,8 +27,10 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
 import java.net.FileNameMap;
 import java.net.URLConnection;
+import java.net.URLEncoder;
 import java.nio.ByteBuffer;
 import java.sql.Timestamp;
 import java.util.ArrayList;
@@ -1012,6 +1014,15 @@ public final class UtilHttp {
         return buf.toString();
     }
 
+    /**
+     * Encodes a query parameter
+     *
+     * @throws UnsupportedEncodingException
+     */
+    public static String getEncodedParameter(String parameter) throws UnsupportedEncodingException {
+        return URLEncoder.encode(parameter, "UTF-8");
+    }
+
     public static String getRequestUriFromTarget(String target) {
         if (UtilValidate.isEmpty(target)) {
             return null;
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
index 08a92a0..285c2c1 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -2237,6 +2237,7 @@ public final class MacroFormRenderer implements FormStringRenderer {
         if (UtilValidate.isEmpty(lastViewName)) {
             lastViewName = "";
         }
+        lastViewName = UtilHttp.getEncodedParameter(lastViewName);
         String tabindex = modelFormField.getTabindex();
         StringWriter sr = new StringWriter();
         sr.append("<@renderLookupField ");