Fixed: Logout may create a "HTTP Status 500 - Internal Server Error" …

…(OFBIZ-13136) Using <tracking-mode>COOKIE</tracking-mode> did not work. A workaround is to check we don't need to handle the CVE-2024-32113, bypassing by using if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
apache · Sep 8, 2024 · ff72e55 · ff72e55 · saicharanreddykowkuntla · Sep 26, 2024
1 parent 1940a9d
commit ff72e55
Showing 1 changed file with 12 additions and 10 deletions.
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,17 +134,19 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
  String requestUri = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
 
  // Reject wrong URLs
- try {
- String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
- .normalize().toString()
- .replaceAll(";", "")
- .replaceAll("(?i)%2e", "");
- if (!((HttpServletRequest) request).getRequestURL().toString().equals(url)) {
- Debug.logError("For security reason this URL is not accepted", module);
- throw new RuntimeException("For security reason this URL is not accepted");
+ if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
+ try {
+ String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
+ .normalize().toString()
+ .replaceAll(";", "")
+ .replaceAll("(?i)%2e", "");
+ if (!((HttpServletRequest) request).getRequestURL().toString().equals(url)) {
+ Debug.logError("For security reason this URL is not accepted", module);
+ throw new RuntimeException("For security reason this URL is not accepted");
+ }
+ } catch (URISyntaxException e) {
+ throw new RuntimeException(e);
  }
- } catch (URISyntaxException e) {
- throw new RuntimeException(e);
  }
 
  int offset = requestUri.indexOf("/", 1);