diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
index 541cf7e91a..dc02f763f1 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlFilter.java
@@ -134,17 +134,19 @@ public void doFilter(ServletRequest request, ServletResponse response, FilterCha
 String requestUri = httpRequest.getRequestURI().substring(httpRequest.getContextPath().length());
 // Reject wrong URLs
- try {
- String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
- .normalize().toString()
- .replaceAll(";", "")
- .replaceAll("(?i)%2e", "");
- if (!((HttpServletRequest) request).getRequestURL().toString().equals(url)) {
- Debug.logError("For security reason this URL is not accepted", module);
- throw new RuntimeException("For security reason this URL is not accepted");
+ if (!requestUri.matches("/control/logout;jsessionid=[A-Z0-9]{32}\\.jvm1")) {
+ try {
+ String url = new URI(((HttpServletRequest) request).getRequestURL().toString())
+ .normalize().toString()
+ .replaceAll(";", "")
+ .replaceAll("(?i)%2e", "");
+ if (!((HttpServletRequest) request).getRequestURL().toString().equals(url)) {
+ Debug.logError("For security reason this URL is not accepted", module);
+ throw new RuntimeException("For security reason this URL is not accepted");
+ }
+ } catch (URISyntaxException e) {
+ throw new RuntimeException(e);
 }
- } catch (URISyntaxException e) {
- throw new RuntimeException(e);
 }
 int offset = requestUri.indexOf("/", 1);
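Review bot: The exemption pattern in the new `if (!requestUri.matches(...))` guard hard-codes one deployment's session-ID shape, exactly 32 `[A-Z0-9]` characters followed by the literal suffix `.jvm1`. On an instance whose container appends a different route suffix, or none, a logout URL carrying `;jsessionid=` would presumably still be rejected with "For security reason this URL is not accepted". Because `String.matches` anchors the whole string, the bypass stays narrow, and that property should be kept. I would only make the suffix generic and compile the pattern once, e.g. `private static final Pattern LOGOUT_WITH_SESSION = Pattern.compile("/control/logout;jsessionid=[A-Z0-9]{32}(\\.[A-Za-z0-9_-]+)?");`, tested with `LOGOUT_WITH_SESSION.matcher(requestUri).matches()`. A one-line comment above the guard saying why this single URI may contain `;` would also help; doFilter's body starts and ends outside the hunk.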