Improved: Prevent URL parameters manipulation (OFBIZ-13147)

I found that java.util.Base64 is not easy to use. Hopefully putting base64 in deniedWebShellTokens should be enough Conflicts handled by hand
apache · Oct 23, 2024 · 7c986a6 · 7c986a6
1 parent 2a60c0b
commit 7c986a6
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -22,7 +22,6 @@
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URLDecoder;
-import java.util.Base64;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
@@ -143,12 +142,8 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             String queryString = httpRequest.getQueryString();
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString)
-                        || !SecuredUpload.isValidText(queryString, Collections.emptyList())
-                        || !SecuredUpload.isValidText(Base64.getDecoder().decode(queryString).toString(), Collections.emptyList())
-                        || !SecuredUpload.isValidText(Base64.getMimeDecoder().decode(queryString).toString(), Collections.emptyList())
-                        || !SecuredUpload.isValidText(Base64.getUrlDecoder().decode(queryString).toString(), Collections.emptyList())) { // ...
-                    Debug.logError("For security reason this URL is not accepted", module);
+                if (UtilValidate.isUrl(queryString) || !SecuredUpload.isValidText(queryString, Collections.emptyList())) {
+                    Debug.logError("For security reason this URL is not accepted", MODULE);
                     throw new RuntimeException("For security reason this URL is not accepted");
                 }
             }