Improved: Prevent Freemarker interpolation in fields (OFBIZ-12594)

JacquesLeRoux · JacquesLeRoux · commit 3797e6037569 · 2022-04-04T09:32:34.000+02:00
OFBIZ_12587 is a definitive solution to prevent any kind of Freemarker exploits.
But it's hard to realise because OFBiz exposes objects, like attributes from the
Servlet scopes. So in the meantime preventing Freemarker interpolation in fields
is a pragmatic solution.

This is an improvement but needs to be backported because it kinda affects
security

Conflicts handled by hand
  SeoContextFilter.java
  ControlFilter.java

When I worked with Mathieu I did not measure how it will be hard sometimes to
backport later :/

Also due to checkstyle module to MODULE change is always a pain in the ass :/
diff --git a/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java b/framework/security/src/main/java/org/apache/ofbiz/security/SecurityUtil.java
@@ -231,7 +231,7 @@ public static boolean containsFreemarkerInterpolation(HttpServletResponse resp,
                 || stringToCheck.contains("%5B%23") || stringToCheck.contains("[#")) { // not used OOTB in OFBiz, but possible
 
             Debug.logError("===== Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields! =====",
-                    MODULE);
+                    module);
             resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                     "Not saved for security reason, strings '${', '<#', '#{', '[=' or '[#' not accepted in fields!");
             return true;
