[ofbiz-framework] branch trunk updated: Fixed: Server-Side Template Injection using Static (OFBIZ-11871)


[ofbiz-framework] branch trunk updated: Fixed: Server-Side Template Injection using Static (OFBIZ-11871)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e8dd3c6  Fixed: Server-Side Template Injection using Static (OFBIZ-11871)
e8dd3c6 is described below

commit e8dd3c609cd50d757bf0db8263f5ca14c00d2f0f
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Mon Aug 3 10:23:40 2020 +0200

    Fixed: Server-Side Template Injection using Static (OFBIZ-11871)
   
    Thanks to Alvaro's explanations, the problem was in MacroFormRenderer where, for
    lookups, we retrieve _LAST_VIEW_NAME_ as a parameter without encoding it.
   
    I have added a getEncodedParameter method to UtilHttp and removed the now-useless
    (after OFBIZ-11907) getEnvironment method from MacroFormRenderer.java
   
    Thanks: Alvaro for advice
---
 .../src/main/java/org/apache/ofbiz/base/util/UtilHttp.java  | 13 ++++++++++++-
 .../ofbiz/widget/renderer/macro/MacroFormRenderer.java      | 13 ++-----------
 2 files changed, 14 insertions(+), 12 deletions(-)

diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
index 342583c..b09c3ce 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
@@ -31,8 +31,10 @@ import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
+import java.io.UnsupportedEncodingException;
 import java.net.FileNameMap;
 import java.net.URLConnection;
+import java.net.URLEncoder;
 import java.nio.ByteBuffer;
 import java.sql.Timestamp;
 import java.time.LocalDateTime;
@@ -756,7 +758,7 @@ public final class UtilHttp {
      * check first the parameter _method before return the request method
      *
      * @param request
-     * @return
+     * @return method
      */
     public static String getRequestMethod(HttpServletRequest request) {
         return request.getParameter("_method") != null
@@ -1049,6 +1051,15 @@ public final class UtilHttp {
         return buf.toString();
     }
 
+    /**
+     * Encodes a query parameter
+     *
+     * @throws UnsupportedEncodingException
+     */
+    public static String getEncodedParameter(String parameter) throws UnsupportedEncodingException {
+        return URLEncoder.encode(parameter, "UTF-8");
+    }
+
     public static String getRequestUriFromTarget(String target) {
         if (UtilValidate.isEmpty(target)) {
             return null;
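Review bot: The Javadoc for getEncodedParameter just above its signature has no `@param` or `@return`, and its `@throws` tag carries no explanation, so a caller cannot tell that a null argument ends in a NullPointerException from URLEncoder, or that the output follows application/x-www-form-urlencoded rules (space becomes `+`), which is right for a query string but not for a path segment. I would extend it with `@param parameter the raw value to place in a query string; must not be null`, `@return the value encoded with the UTF-8 form-encoding rules of {@link URLEncoder}`, and `@throws UnsupportedEncodingException never in practice, since UTF-8 is always supported`. If the project already targets Java 10 or later, `URLEncoder.encode(parameter, StandardCharsets.UTF_8)` removes that impossible checked exception, though dropping the throws clause would then change the signature for any caller that catches it.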
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
index e09234f..2c1642f 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -38,7 +38,6 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
-import org.apache.ofbiz.security.CsrfUtil;
 import org.apache.ofbiz.base.util.Debug;
 import org.apache.ofbiz.base.util.StringUtil;
 import org.apache.ofbiz.base.util.UtilCodec;
@@ -51,6 +50,7 @@ import org.apache.ofbiz.base.util.UtilValidate;
 import org.apache.ofbiz.base.util.string.FlexibleStringExpander;
 import org.apache.ofbiz.base.util.template.FreeMarkerWorker;
 import org.apache.ofbiz.entity.Delegator;
+import org.apache.ofbiz.security.CsrfUtil;
 import org.apache.ofbiz.webapp.control.RequestHandler;
 import org.apache.ofbiz.webapp.taglib.ContentUrlTag;
 import org.apache.ofbiz.widget.WidgetWorker;
@@ -171,16 +171,6 @@ public final class MacroFormRenderer implements FormStringRenderer {
         ftlWriter.executeMacro(writer, macro);
     }
 
-    private Environment getEnvironment(Appendable writer) throws TemplateException, IOException {
-        Environment environment = environments.get(writer);
-        if (environment == null) {
-            Map<String, Object> input = UtilMisc.toMap("key", null);
-            environment = FreeMarkerWorker.renderTemplate(macroLibrary, input, writer);
-            environments.put(writer, environment);
-        }
-        return environment;
-    }
-
     private String encode(String value, ModelFormField modelFormField, Map<String, Object> context) {
         if (UtilValidate.isEmpty(value)) {
             return value;
@@ -2322,6 +2312,7 @@ public final class MacroFormRenderer implements FormStringRenderer {
         if (UtilValidate.isEmpty(lastViewName)) {
             lastViewName = "";
         }
+        lastViewName = UtilHttp.getEncodedParameter(lastViewName);
         String tabindex = modelFormField.getTabindex();
         StringWriter sr = new StringWriter();
         sr.append("<@renderLookupField ");
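Review bot: The added encode call on `lastViewName` has no comment, so a later reader sees a value that was just defaulted to "" being URL-encoded for no visible reason and may well remove it; per the commit message this value is the request parameter `_LAST_VIEW_NAME_` and it is interpolated into the FreeMarker macro string that `sr` starts building on the next line, which is the injection sink. I would annotate the line with `// _LAST_VIEW_NAME_ is request-controlled; encode before interpolating into the FTL macro call (OFBIZ-11871)`. Encoding at this one sink does not cover other places that read the same parameter into a macro string, and if the macro later emits the value as a URL query parameter it should not be encoded a second time; both are worth checking but cannot be confirmed from the hunk. The enclosing method starts and ends outside the hunk.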