Backport OFBIZ-11317

> Hi All,
>
> Even if OFBIZ-11306 does not directly depend upon it, it's safer to
> have been backported with it.
>
> If nobody disagree, I'll do so in a week
>
> Thanks
>
> Jacques
>

> Hi Michael,
>
> I'll backport to R17 and R17 because this will be needed to fix the
> CSRF vulnerability.
>
> I was not clear with my saying. Actually the CSRF fix (OFBIZ-11316)
> depends upon OFBIZ-11317 because the CSRF fix uses the ofbizURL macro
> to set the CSRF token.
>
> So without the changes in OFBIZ-11317 the ofbizURL macro would not
> apply to the cases fixed in OFBIZ-11317 and the CSRF vulnerability
> would not be fixed there.
>
> So I should not even ask this question, OFBIZ-11316 depends on
> OFBIZ-11317 so OFBIZ-11317 needs to be backported
>
> I set all that already (as the link between OFBIZ-11316 and
> OFBIZ-11317shows) but forgot about it.
>
> Case close, thanks to care.
>
> Jacques
>
> Le 12/02/2020 à 16:49, Michael Brohl a écrit :
>> Hi Jacques,
>>
>> what exactly are you going to do? And why?
>>
>> OFBIZ-11317 contains a huge patch and we should be really careful
>> backporting IMO.
>>
>> Regards,
>>
>> Michael Brohl
>>
>> ecomify GmbH - www.ecomify.de
>>
>>
>> Am 12.02.20 um 16:08 schrieb Jacques Le Roux:
>>> Hi All,
>>>
>>> Even if OFBIZ-11306 does not directly depend upon it, it's safer to
>>> have been backported with it.
>>>
>>> If nobody disagree, I'll do so in a week
>>>
>>> Thanks
>>>
>>> Jacques
>>>
>>

> Jacques,
>>
>> as I said, this is a huge patch which spreads over many functionalies
>> in the codebase.
>>
>> It was submitted yesterday and got committed on the same day without
>> enough time for others to review and test.
>
> You confuse, the commit you speak about was only to complete one
> missing instance, spotted by Pierre Smits, in the commit done one
> month ago.

>
> Since then James and I work on OFBIZ-11306 (and not OFBIZ-11316 as
> written below) without any issues related to OFBIZ-11317 on which
> OFBIZ-11306 depends upon.
>
> Actually we are working on it for 2 months. Only one month ago I
> suggested to James to extract this part.
>
>
>> You even acknowledged that you did not test.
>
> Of course I test, everyday for a month with OFBIZ-11306

>>
>> Yes, I confused the date (Jan vs. Feb, time goes by too quick).
>>
>> I speak of the commits towards
>> https://issues.apache.org/jira/browse/OFBIZ-11317. The issue was
>> created and on the same day it was committed. It was not yesterday
>> but the timeline between submit and commit is the same.
>
> I don't want to argue too much about that, so I hope it will be the
> end of this exchange. You are right about the Jira and commit moment,
> they are same.
>
> But I see 2 points here:
>
>  * It's something you can review in ½ a hour, if not even the "famous"
> 10 minutes. You can even use a regexp to help you...

> Le 13/02/2020 à 13:06, Michael Brohl a écrit :
>> There's currently only few questions left for me: we have one
>> configuration which uses
>> org.apache.ofbiz.webapp.ftl.OfbizUrlTransform for ofbizUrl and this
>> would not support the controlPath configuration if I don't miss
>> something. Wouldn't it be better to change this to UrlRegexpTransform
>> and deprecate OfbizUrlTransform?
>>
>> UrlRegexpTransform is located inside the product component but the
>> macro is used in several other components as well. I think it belongs
>> to the framework/webapp instead of applications/product. What do you
>> think?
>
> Hi Michael,
>
> I'm not sure to understand. Are you speaking about OFBiz OOTB?
>
> Because the changes in OFBIZ-11317 are only related to ofbizUrl,
> hence  org.apache.ofbiz.webapp.ftl.OfbizUrlTransform, so of course
> ofbizUrl supports the controlPath configuration. Also why would you
> want to replace OfbizUrlTransform by UrlRegexpTransform?
>
> Jacques
>

> Hi Michael,
>
> It's a long answer, but I think it's worth it.
>
> 1St, technically it's not my commit but James's ;)
>
> But I asked you, and reviewed/agreed with James's commit, so here we go.
>
> Your intuition was right, there is a problem with this patch. In some
> place, like at least themes/tomahawk/template/AppBarClose.ftl the CSRF
> token is not generated. Because in those places OfbizUrlTransform is
> used.
>
> An immediate solution is to add the CSRF token generation in
> OfbizUrlTransform class. I just did so at OFBIZ-11317
>
> But I agree that it's not satisfactory and your proposition to
> deprecate OfbizUrlTransform in favour of UrlRegexpTransform makes
> sense to me. That's mostly why I asked you a second time.
>
> Let's go a bit in the past. With  OFBIZ-5312, which was a major change
> started in 2013, we notably introduced UrlRegexpTransform.
> We used a Svn feature branch for that:
> http://svn.apache.org/viewvc?view=revision&revision=r1535432
>
> It's unrelated, but while at it since it was quite unfortunate, a
> conflict between Anil and Paul Piper (I was then working with Paul)
> started and I had to find a solution which ended with ecomseo.
> Fortunately OFBiz is flexible enough and eventually ecomseo is now a
> simple clone of the ecommerce webapp (like exampleext is for the
> example webapp). Everyone can pick her/his preferred one :).
>
> Now about OfbizUrlTransform vs UrlRegexpTransform: after OFBIZ-5312
> UrlRegexpTransform was the only one used for ofbizUrl macro.
> That stopped for good reason (Framework dependency on product
> component) in 2018 with Deepak's work on OFBIZ-10463.
> It also shows that during this period (3 years) nobody encountered and
> issue with UrlRegexpTransform used to generate ofbizUrl macro.
>
> So yes, we should definitely deprecate OfbizUrlTransform in favour of
> UrlRegexpTransform. But before that we need to be sure that
> UrlRegexpTransform would not miss a feature of OfbizUrlTransform.
> With OFBIZ-11229, Nicolas already started to merge UrlRegexpTransform
> and OfbizUrlTransform classes. This issue  is still open and we should
> use it to reach our goal.
> Maybe it's already OK and we have just to check. For that I'll soon
> attach a diff of the 2 classes at OFBIZ-11229
>
> Thanks to care!
>
> I wish a nice weekend to all of you.
>
> Jacques
>
> Le 14/02/2020 à 14:47, Michael Brohl a écrit :
>> Please have a closer look at your commit, the controlPath
>> functionality is implemented in the UrlRegexpTransform class...
>>
>> The implementing class for ofbizUrl is configured in the
>> freemarkerTransforms.properties which is OfbizurlTransform for
>> framework/webapp but UrlRegexpTransform for applications/product.
>>
>> This seems inconsistent to me.
>>
>> Thanks,
>>
>> Michael Brohl
>>
>> ecomify GmbH - www.ecomify.de
>>
>>
>> Am 14.02.20 um 14:24 schrieb Jacques Le Roux:
>>> Le 13/02/2020 à 13:06, Michael Brohl a écrit :
>>>> There's currently only few questions left for me: we have one
>>>> configuration which uses
>>>> org.apache.ofbiz.webapp.ftl.OfbizUrlTransform for ofbizUrl and this
>>>> would not support the controlPath configuration if I don't miss
>>>> something. Wouldn't it be better to change this to
>>>> UrlRegexpTransform and deprecate OfbizUrlTransform?
>>>>
>>>> UrlRegexpTransform is located inside the product component but the
>>>> macro is used in several other components as well. I think it
>>>> belongs to the framework/webapp instead of applications/product.
>>>> What do you think?
>>>
>>> Hi Michael,
>>>
>>> I'm not sure to understand. Are you speaking about OFBiz OOTB?
>>>
>>> Because the changes in OFBIZ-11317 are only related to ofbizUrl,
>>> hence org.apache.ofbiz.webapp.ftl.OfbizUrlTransform, so of course
>>> ofbizUrl supports the controlPath configuration. Also why would you
>>> want to replace OfbizUrlTransform by UrlRegexpTransform?
>>>
>>> Jacques
>>>
>>

> Hi Jacques,
>
> thanks for confirming my concerns.
>
> This is why I am advocating for longer review periods and RTC over CTR
> for new features/improvements, especially in the core functionality
> with potential to break something. More eyes help to detect potential
> problems and flaws, they just need some time.
>
> I will try to provide a patch for a proper deprecated
> OfbizUrlTransform class (delegating everything to UrlRegexpTransform
> and with annotations) which we will need for a proper backport where
> functional changes should not be implemented. User implementations
> might rely on the OfbizUrlTransform implementation.
>
> I've assigned https://issues.apache.org/jira/browse/OFBIZ-11229 to me
> for it.
>
> Thanks,
>
> Michael Brohl
>
> ecomify GmbH - www.ecomify.de
>
>
> Am 15.02.20 um 13:27 schrieb Jacques Le Roux:
>> Hi Michael,
>>
>> It's a long answer, but I think it's worth it.
>>
>> 1St, technically it's not my commit but James's ;)
>>
>> But I asked you, and reviewed/agreed with James's commit, so here we go.
>>
>> Your intuition was right, there is a problem with this patch. In some
>> place, like at least themes/tomahawk/template/AppBarClose.ftl the
>> CSRF token is not generated. Because in those places
>> OfbizUrlTransform is used.
>>
>> An immediate solution is to add the CSRF token generation in
>> OfbizUrlTransform class. I just did so at OFBIZ-11317
>>
>> But I agree that it's not satisfactory and your proposition to
>> deprecate OfbizUrlTransform in favour of UrlRegexpTransform makes
>> sense to me. That's mostly why I asked you a second time.
>>
>> Let's go a bit in the past. With  OFBIZ-5312, which was a major
>> change started in 2013, we notably introduced UrlRegexpTransform.
>> We used a Svn feature branch for that:
>> http://svn.apache.org/viewvc?view=revision&revision=r1535432
>>
>> It's unrelated, but while at it since it was quite unfortunate, a
>> conflict between Anil and Paul Piper (I was then working with Paul)
>> started and I had to find a solution which ended with ecomseo.
>> Fortunately OFBiz is flexible enough and eventually ecomseo is now a
>> simple clone of the ecommerce webapp (like exampleext is for the
>> example webapp). Everyone can pick her/his preferred one :).
>>
>> Now about OfbizUrlTransform vs UrlRegexpTransform: after OFBIZ-5312
>> UrlRegexpTransform was the only one used for ofbizUrl macro.
>> That stopped for good reason (Framework dependency on product
>> component) in 2018 with Deepak's work on OFBIZ-10463.
>> It also shows that during this period (3 years) nobody encountered
>> and issue with UrlRegexpTransform used to generate ofbizUrl macro.
>>
>> So yes, we should definitely deprecate OfbizUrlTransform in favour of
>> UrlRegexpTransform. But before that we need to be sure that
>> UrlRegexpTransform would not miss a feature of OfbizUrlTransform.
>> With OFBIZ-11229, Nicolas already started to merge UrlRegexpTransform
>> and OfbizUrlTransform classes. This issue  is still open and we
>> should use it to reach our goal.
>> Maybe it's already OK and we have just to check. For that I'll soon
>> attach a diff of the 2 classes at OFBIZ-11229
>>
>> Thanks to care!
>>
>> I wish a nice weekend to all of you.
>>
>> Jacques
>>
>> Le 14/02/2020 à 14:47, Michael Brohl a écrit :
>>> Please have a closer look at your commit, the controlPath
>>> functionality is implemented in the UrlRegexpTransform class...
>>>
>>> The implementing class for ofbizUrl is configured in the
>>> freemarkerTransforms.properties which is OfbizurlTransform for
>>> framework/webapp but UrlRegexpTransform for applications/product.
>>>
>>> This seems inconsistent to me.
>>>
>>> Thanks,
>>>
>>> Michael Brohl
>>>
>>> ecomify GmbH - www.ecomify.de
>>>
>>>
>>> Am 14.02.20 um 14:24 schrieb Jacques Le Roux:
>>>> Le 13/02/2020 à 13:06, Michael Brohl a écrit :
>>>>> There's currently only few questions left for me: we have one
>>>>> configuration which uses
>>>>> org.apache.ofbiz.webapp.ftl.OfbizUrlTransform for ofbizUrl and
>>>>> this would not support the controlPath configuration if I don't
>>>>> miss something. Wouldn't it be better to change this to
>>>>> UrlRegexpTransform and deprecate OfbizUrlTransform?
>>>>>
>>>>> UrlRegexpTransform is located inside the product component but the
>>>>> macro is used in several other components as well. I think it
>>>>> belongs to the framework/webapp instead of applications/product.
>>>>> What do you think?
>>>>
>>>> Hi Michael,
>>>>
>>>> I'm not sure to understand. Are you speaking about OFBiz OOTB?
>>>>
>>>> Because the changes in OFBIZ-11317 are only related to ofbizUrl,
>>>> hence org.apache.ofbiz.webapp.ftl.OfbizUrlTransform, so of course
>>>> ofbizUrl supports the controlPath configuration. Also why would you
>>>> want to replace OfbizUrlTransform by UrlRegexpTransform?
>>>>
>>>> Jacques
>>>>
>>>
>