Improved: Prevent URL parameters manipulation (OFBIZ-13147)

Allows JavaScriptEnabled=Y to pass. Conflict handled by hand
apache · Oct 23, 2024 · 84ff5ee · 84ff5ee
1 parent 166bbdf
commit 84ff5ee
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -142,7 +142,9 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             String queryString = httpRequest.getQueryString();
             if (queryString != null) {
                 queryString = URLDecoder.decode(queryString, "UTF-8");
-                if (UtilValidate.isUrl(queryString) || !SecuredUpload.isValidText(queryString, Collections.emptyList())) {
+                if (UtilValidate.isUrl(queryString)
+                        || (!SecuredUpload.isValidText(queryString, Collections.emptyList())
+                                && !queryString.contains("JavaScriptEnabled=Y"))) {
                     Debug.logError("For security reason this URL is not accepted", module);
                     throw new RuntimeException("For security reason this URL is not accepted");
                 }