Fixed: XML Import fails due to security check (OFBIZ-12602)

JacquesLeRoux · JacquesLeRoux · commit 5cc45e8701b4 · 2022-04-20T14:10:49.000+02:00
When importing an entity with "${" in for at least an element it's rejected
because of the security check done to protect from Freemarker unauth attacks
(see OFBIZ-12594).

As suggested by Ingo, allowing users with appropriate permissions seems an
usable solution. We still need to define the "appropriate permissions".
We can start with OFBTOOLS and WEBTOOLS, as it's reported by Ingo, and add
others later if they ever come.

Thanks: Ingo Wolfmayr for report and suggestion
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,10 +134,14 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
             if (offset == -1) {
                 offset = requestUri.length();
             }
-            if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
-                    && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
-                    && SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, requestUri)) {
-                return;
+
+            GenericValue userLogin = (GenericValue) httpRequest.getSession().getAttribute("userLogin");
+            if (!LoginWorker.hasBasePermission(userLogin, httpRequest)) { // Allows UEL and FlexibleString (OFBIZ-12602)
+                if (!GenericValue.getStackTraceAsString().contains("ControlFilterTests")
+                        && null == System.getProperty("SolrDispatchFilter") // Allows Solr tests
+                        && SecurityUtil.containsFreemarkerInterpolation(httpRequest, httpResponse, requestUri)) {
+                    return;
+                }
             }
 
             while (!allowedPaths.contains(requestUri.substring(0, offset))) {
