Fixed: Validate last view name input in RequestHandler to enhance security and prevent user manipulation

jacopoc · jacopoc · commit 7e9f93e33ddf · 2026-04-07T13:06:58.000+02:00
(cherry picked from commit d387aea)
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -1171,8 +1171,10 @@ private void renderView(String view, boolean allowExtView, HttpServletRequest re
         // add in the attributes as well so everything needed for the rendering context will be in place if/when we get back to this view
         paramMap.putAll(UtilHttp.getAttributeMap(req));
         UtilMisc.makeMapSerializable(paramMap);
-        // Used by lookups to keep the real view (request)
-        req.getSession().setAttribute("_LAST_VIEW_NAME_", paramMap.getOrDefault("_LAST_VIEW_NAME_", view));
+        // Used by lookups to keep the real view (request); accept the request parameter only if it is a safe view name (alphanumeric/dash/underscore)
+        String lastViewNameParam = (String) paramMap.get("_LAST_VIEW_NAME_");
+        String lastViewName = (lastViewNameParam != null && lastViewNameParam.matches("[\\w\\-]+")) ? lastViewNameParam : view;
+        req.getSession().setAttribute("_LAST_VIEW_NAME_", lastViewName);
         req.getSession().setAttribute("_LAST_VIEW_PARAMS_", paramMap);
 
         if ("SAVED".equals(saveName)) {
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -1483,11 +1483,8 @@ public void renderLookupField(Appendable writer, Map<String, Object> context, Lo
         if (showDescription == null) {
             showDescription = "Y".equals(visualTheme.getModelTheme().getLookupShowDescription());
         }
-        // lastViewName, used by lookup to remember the real last view name
-        String lastViewName = request.getParameter("_LAST_VIEW_NAME_"); // Try to get it from parameters firstly
-        if (UtilValidate.isEmpty(lastViewName)) { // get from session
-            lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");
-        }
+        // lastViewName, used by lookup to remember the real last view name; read only from session (set by RequestHandler) to prevent user input
+        String lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");
         if (UtilValidate.isEmpty(lastViewName)) {
             lastViewName = "";
         }

Original file line number	Diff line number	Diff line change
`@@ -1483,11 +1483,8 @@ public void renderLookupField(Appendable writer, Map<String, Object> context, Lo`
`1483`	`1483`	`if (showDescription == null) {`
`1484`	`1484`	`showDescription = "Y".equals(visualTheme.getModelTheme().getLookupShowDescription());`
`1485`	`1485`	`}`
`1486`		`- // lastViewName, used by lookup to remember the real last view name`
`1487`		`- String lastViewName = request.getParameter("_LAST_VIEW_NAME_"); // Try to get it from parameters firstly`
`1488`		`- if (UtilValidate.isEmpty(lastViewName)) { // get from session`
`1489`		`- lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");`
`1490`		`- }`
	`1486`	`+ // lastViewName, used by lookup to remember the real last view name; read only from session (set by RequestHandler) to prevent user input`
	`1487`	`+ String lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");`
`1491`	`1488`	`if (UtilValidate.isEmpty(lastViewName)) {`
`1492`	`1489`	`lastViewName = "";`
`1493`	`1490`	`}`