Improved: Prevent URL parameters manipulation (OFBIZ-13147)

I found that java.util.Base64 is not easy to use. Hopefully putting base64 in deniedWebShellTokens should be enough
apache · Oct 23, 2024 · 612ad73 · 612ad73
1 parent 891c41f
commit 612ad73
Showing 1 changed file with 1 addition and 6 deletions.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -23,7 +23,6 @@
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
 import java.util.Arrays;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -171,11 +170,7 @@ public void doFilter(HttpServletRequest req, HttpServletResponse resp, FilterCha
             String queryString = req.getQueryString();
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || !SecuredUpload.isValidText(queryString, Collections.emptyList())
-                        || !SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), Collections.emptyList())
-                        || !SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(), Collections.emptyList())
-                        || !SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(), Collections.emptyList())) { // ...
+                if (UtilValidate.isUrl(queryString) || !SecuredUpload.isValidText(queryString, Collections.emptyList())) {
                     Debug.logError("For security reason this URL is not accepted", MODULE);
                     throw new RuntimeException("For security reason this URL is not accepted");
                 }