From 2bff041ab1bdb5ccadbaea394a202c194b50dd6a Mon Sep 17 00:00:00 2001
From: Jacopo Cappellato
Date: Tue, 7 Apr 2026 12:08:00 +0200
Subject: [PATCH] Fixed: Validate last view name input in RequestHandler to enhance security and prevent user manipulation

(cherry picked from commit d387aea38738e13679aeacc51f707e92894e3bd1)
---
 .../org/apache/ofbiz/webapp/control/RequestHandler.java | 6 ++++--
 .../ofbiz/widget/renderer/macro/MacroFormRenderer.java | 7 ++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index ec3a84c1ce2..4de5a24f06b 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -1171,8 +1171,10 @@ private void renderView(String view, boolean allowExtView, HttpServletRequest re
         // add in the attributes as well so everything needed for the rendering context will be in place if/when we get back to this view
         paramMap.putAll(UtilHttp.getAttributeMap(req));
         UtilMisc.makeMapSerializable(paramMap);
-        // Used by lookups to keep the real view (request)
-        req.getSession().setAttribute("_LAST_VIEW_NAME_", paramMap.getOrDefault("_LAST_VIEW_NAME_", view));
+        // Used by lookups to keep the real view (request); accept the request parameter only if it is a safe view name (alphanumeric/dash/underscore)
+        String lastViewNameParam = (String) paramMap.get("_LAST_VIEW_NAME_");
+        String lastViewName = (lastViewNameParam != null && lastViewNameParam.matches("[\\w\\-]+")) ? lastViewNameParam : view;
+        req.getSession().setAttribute("_LAST_VIEW_NAME_", lastViewName);
         req.getSession().setAttribute("_LAST_VIEW_PARAMS_", paramMap);
 
         if ("SAVED".equals(saveName)) {
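Review bot: The added `(String) paramMap.get("_LAST_VIEW_NAME_")` is an unchecked cast on a map whose values the cast itself implies are typed Object (paramMap is merged from request parameters and request attributes two lines above), so a non-String value under that key — a multi-valued parameter or an attribute of another type, if either can arrive here, which this hunk does not show — would surface as a ClassCastException rather than falling back to `view`; the replaced getOrDefault never cast. A type-guarded form keeps both the allowlist and the fallback: `Object lastViewNameParam = paramMap.get("_LAST_VIEW_NAME_");` and `String lastViewName = (lastViewNameParam instanceof String && ((String) lastViewNameParam).matches("[\\w\\-]+")) ? (String) lastViewNameParam : view;`. Since `String.matches` recompiles the regex on every request, holding the allowlist as a `private static final Pattern` constant would also give the "safe view name" rule a single documented home. renderView starts and continues outside the hunk.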
diff --git a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
index ce6ca15a5b6..d6c7fee75e5 100644
--- a/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
+++ b/framework/widget/src/main/java/org/apache/ofbiz/widget/renderer/macro/MacroFormRenderer.java
@@ -1483,11 +1483,8 @@ public void renderLookupField(Appendable writer, Map context, Lo
         if (showDescription == null) {
             showDescription = "Y".equals(visualTheme.getModelTheme().getLookupShowDescription());
         }
-        // lastViewName, used by lookup to remember the real last view name
-        String lastViewName = request.getParameter("_LAST_VIEW_NAME_"); // Try to get it from parameters firstly
-        if (UtilValidate.isEmpty(lastViewName)) { // get from session
-            lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");
-        }
+        // lastViewName, used by lookup to remember the real last view name; read only from session (set by RequestHandler) to prevent user input
+        String lastViewName = (String) request.getSession().getAttribute("_LAST_VIEW_NAME_");
         if (UtilValidate.isEmpty(lastViewName)) {
             lastViewName = "";
         }
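Review bot: The new `request.getSession()` call runs unconditionally and creates a session when none exists, whereas the removed code only reached it after the parameter lookup came back empty; because this path only reads the attribute, `HttpSession session = request.getSession(false);` followed by `String lastViewName = session != null ? (String) session.getAttribute("_LAST_VIEW_NAME_") : null;` avoids allocating a session during form rendering (HttpSession would need to be in scope, which this hunk does not show). The comment's "to prevent user input" reads oddly and understates the reason; suggest `// lastViewName, used by lookup to remember the real last view name; read only from the session (set and validated by RequestHandler) so request parameters cannot influence it`. The value still flows into the rendered lookup markup below, so its output escaping — not visible here — remains the second line of defence even though the source is now server-controlled. renderLookupField starts and continues outside the hunk.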