svn commit: r1761978 - /ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1761978 - /ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

jleroux@apache.org
Author: jleroux
Date: Thu Sep 22 16:52:56 2016
New Revision: 1761978

URL: http://svn.apache.org/viewvc?rev=1761978&view=rev
Log:
Fixes: Sorting of lists generates undesired results
(OFBIZ-8302)

This was due to r1759555 has Scott spotted on. r1759555 fixed a vulnerability
but as explained in r1759555 commit message we used
>2 redundant mechanisms (better safe than sorry):
>1) linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
>2) sr.append("\" linkUrl=r\"");

Removing the 1st way fixes the reported issue and we are still safe.

I'll have a look at how the catalog/control/FindProduct URL is generated to be
sure it's OK as is

Thanks: Pierre for report, Scott for spotting the issue.

Modified:
    ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java

Modified: ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java?rev=1761978&r1=1761977&r2=1761978&view=diff
==============================================================================
--- ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java (original)
+++ ofbiz/trunk/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java Thu Sep 22 16:52:56 2016
@@ -22,7 +22,6 @@ import java.io.IOException;
 import java.io.Reader;
 import java.io.StringReader;
 import java.io.StringWriter;
-import java.net.URLEncoder;
 import java.rmi.server.UID;
 import java.sql.Timestamp;
 import java.util.HashSet;
@@ -2867,7 +2866,6 @@ public final class MacroFormRenderer imp
             String newQueryString = sb.toString();
             String urlPath = UtilHttp.removeQueryStringFromTarget(paginateTarget);
             linkUrl = rh.makeLink(this.request, this.response, urlPath.concat(newQueryString));
-            linkUrl = URLEncoder.encode(linkUrl, "UTF-8");
         }
         StringWriter sr = new StringWriter();
         sr.append("<@renderSortField ");