diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index ec3a84c1ce2..4de5a24f06b 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -1171,8 +1171,10 @@ private void renderView(String view, boolean allowExtView, HttpServletRequest re
         // add in the attributes as well so everything needed for the rendering context will be in place if/when we get back to this view
         paramMap.putAll(UtilHttp.getAttributeMap(req));
         UtilMisc.makeMapSerializable(paramMap);
-        // Used by lookups to keep the real view (request)
-        req.getSession().setAttribute("_LAST_VIEW_NAME_", paramMap.getOrDefault("_LAST_VIEW_NAME_", view));
+        // Used by lookups to keep the real view (request); accept the request parameter only if it is a safe view name (alphanumeric/dash/underscore)
+        String lastViewNameParam = (String) paramMap.get("_LAST_VIEW_NAME_");
+        String lastViewName = (lastViewNameParam != null && lastViewNameParam.matches("[\\w\\-]+")) ? lastViewNameParam : view;
+        req.getSession().setAttribute("_LAST_VIEW_NAME_", lastViewName);
         req.getSession().setAttribute("_LAST_VIEW_PARAMS_", paramMap);
 
         if ("SAVED".equals(saveName)) {
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
index ce6ca15a5b6..d6c7fee75e5 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
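Review bot: The new `(String) paramMap.get("_LAST_VIEW_NAME_")` cast can throw ClassCastException where the replaced `getOrDefault` could not: paramMap is built from request parameters and then merged with `UtilHttp.getAttributeMap(req)`, so if that key ever maps to a non-String value (a multi-valued parameter or a request attribute, depending on what UtilHttp produces), renderView fails outright instead of falling back to `view`. A type test keeps the fallback: `Object lastViewNameObj = paramMap.get("_LAST_VIEW_NAME_");` / `String lastViewName = (lastViewNameObj instanceof String && ((String) lastViewNameObj).matches("[\\w\\-]+")) ? (String) lastViewNameObj : view;`. Since renderView runs per request, the allowlist is better compiled once as a `private static final Pattern` and matched with `.matcher(...).matches()`; note that `\\w` is ASCII-only in java.util.regex by default, which is the stricter and preferable choice for a value that is later rendered. renderView's body continues outside the hunk.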
@@ -1483,11 +1483,8 @@ public void renderLookupField(Appendable writer, Map context, Lo
         if (showDescription == null) {
             showDescription = "Y".equals(visualTheme.getModelTheme().getLookupShowDescription());
         }
-        // lastViewName, used by lookup to remember the real last view name
-        String lastViewName = request.getParameter("_LAST_VIEW_NAME_"); // Try to get it from parameters firstly
-        if (UtilValidate.isEmpty(lastViewName)) { // get from session
-            lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");
-        }
+        // lastViewName, used by lookup to remember the real last view name; read only from session (set by RequestHandler) to prevent user input
+        String lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");
         if (UtilValidate.isEmpty(lastViewName)) {
             lastViewName = "";
         }
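Review bot: The new comment says the session value is read "to prevent user input", but the session attribute is itself populated from the `_LAST_VIEW_NAME_` request parameter in RequestHandler.renderView (after the allowlist check in the companion hunk), so user input is validated upstream rather than excluded; a maintainer who later loosens that check would not learn from this comment that the renderer's safety depends on it. Suggest `// lastViewName: read only from the session attribute, which RequestHandler.renderView sets from the allowlist-validated _LAST_VIEW_NAME_ parameter (or the real view name)`. The unchecked `(String)` cast is fine only as long as RequestHandler stays the sole writer of that attribute, which is worth stating in the same comment. renderLookupField continues outside the hunk.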