From 94e40f98620d0a98ea96af49209e4b303a1c925c Mon Sep 17 00:00:00 2001
From: Jacques Le Roux
Date: Wed, 23 Oct 2024 16:48:20 +0200
Subject: [PATCH] Improved: Prevent URL parameters manipulation (OFBIZ-13147)

Allows Solr tests to pass, so far so good...

Conflict handled by hand
---
 .../java/org/apache/ofbiz/webapp/control/ControlFilter.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index ca96be12e6..8d56123775 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -142,9 +142,11 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
         String queryString = httpRequest.getQueryString();
         if (queryString != null) {
             queryString = URLDecoder.decode(queryString, "UTF-8");
+            // wt=javabin allows Solr tests, see https://cwiki.apache.org/confluence/display/solr/javabin
             if (UtilValidate.isUrl(queryString)
-                    || (!SecuredUpload.isValidText(queryString, Collections.emptyList())
-                    && !queryString.contains("JavaScriptEnabled=Y"))) {
+                    || !SecuredUpload.isValidText(queryString, Collections.emptyList())
+                    && !(queryString.contains("JavaScriptEnabled=Y")
+                    || queryString.contains("wt=javabin"))) {
                 Debug.logError("For security reason this URL is not accepted", module);
                 throw new RuntimeException("For security reason this URL is not accepted");
             }
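Review bot: The new `|| queryString.contains("wt=javabin")` exemption, like the existing `JavaScriptEnabled=Y` one, is a substring match over the whole decoded query string that skips `SecuredUpload.isValidText` entirely, so a query string carrying that token is accepted regardless of what else it contains — a broad gap for a check whose stated purpose is preventing parameter manipulation. A narrower form that keeps the Solr tests working is to strip the exempted tokens and validate the remainder (presumably the tokens themselves are what `isValidText` rejects — confirm): `String toValidate = queryString.replace("JavaScriptEnabled=Y", "").replace("wt=javabin", "");` and then `|| !SecuredUpload.isValidText(toValidate, Collections.emptyList())) {`, or, if the filter knows the request path, to apply the `wt=javabin` exemption only to the Solr endpoint (that context is not visible in the hunk). Dropping the parentheses around the `&&` term does not change evaluation, since `&&` binds tighter than `||`, but the old explicit grouping read more clearly; I would keep `|| (!SecuredUpload.isValidText(...) && !(...))` so the precedence does not have to be recalled. doFilter begins and ends outside the hunk.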