I have finally decided to backport this (low) security issue.
It's easy to do so, better to be safe than sorry.

Jacques

On 20/03/2020 at 10:51, [hidden email] wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
> new b6a796c Improved: no functional change
> b6a796c is described below
>
> commit b6a796cbdfc662459a4b52a01f0a9b67c18e7c30
> Author: Jacques Le Roux <[hidden email]>
> AuthorDate: Fri Mar 20 10:51:49 2020 +0100
>
> Improved: no functional change
>
> Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl
> Because this page is used as an HTTP 500 error it's more susceptible to
> clickjacking
>
> Quoting OWASP ZAP:
> This problem still applies to error-type pages (401, 403, 500, etc.), as these
> pages are still often affected by injection problems, in which case it is still
> possible that browsers may interpret pages differently from their actual content
> type.
>
> I tried to work on other file types that were also reported but it's complicated
> and I believe it's not worth it
> ---
> themes/common-theme/template/ErrorPage.ftl | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/themes/common-theme/template/ErrorPage.ftl b/themes/common-theme/template/ErrorPage.ftl
> index 47f7caf..9be67b0 100644
> --- a/themes/common-theme/template/ErrorPage.ftl
> +++ b/themes/common-theme/template/ErrorPage.ftl
> @@ -19,6 +19,7 @@ under the License.
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html>
> <head>
> + <meta http-equiv="Content-Security-Policy" frame-ancestors="self">
> <title>500 Internal error</title>
> <style>
> body{
>
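Review bot: the `<meta>` element added in the ErrorPage.ftl hunk does not restrict framing as the commit message intends. `frame-ancestors="self"` is not an attribute of `<meta>`; a meta-delivered policy has to be carried in the `content` attribute, i.e. `<meta http-equiv="Content-Security-Policy" content="frame-ancestors 'self'">`, with `'self'` in single quotes. Even in that corrected form the CSP specification states that browsers ignore `frame-ancestors` when the policy is delivered through `<meta>`, so the directive only takes effect as a response header. To get the clickjacking protection described in the message, have the code path that serves this 500 page set `Content-Security-Policy: frame-ancestors 'self'` (and, for older browsers, `X-Frame-Options: SAMEORIGIN`) on the HTTP response, and drop the meta tag from the template.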
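The quoted commit above relies on a frame-ancestors directive to keep the 500 page from being framed. As a defender-side check (an added example, not OFBiz code and not part of this thread), the Python script below reads a response's headers and body, reports whether the page may be framed by other origins, and flags a frame-ancestors directive that is only present in a `<meta>` tag, which browsers ignore. The sample responses are constructed; `meta_no_content` mirrors the tag from the diff above, and the function names (`parse_csp`, `framing_policy`, `audit`) are my own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample responses for the check below; none is captured from a
# real OFBiz instance. "meta_no_content" mirrors the tag added in the diff.
SAMPLE_RESPONSES = {
    "header_csp": {
        "headers": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
        "body": "<html><head><title>500 Internal error</title></head></html>",
    },
    "meta_only": {
        "headers": {"Content-Type": "text/html"},
        "body": "<html><head><meta http-equiv=\"Content-Security-Policy\" "
                "content=\"frame-ancestors 'self'\"><title>500 Internal error</title></head></html>",
    },
    "meta_no_content": {
        "headers": {"Content-Type": "text/html"},
        "body": "<html><head><meta http-equiv=\"Content-Security-Policy\" frame-ancestors=\"self\">"
                "<title>500 Internal error</title></head></html>",
    },
    "xfo": {"headers": {"X-Frame-Options": "SAMEORIGIN"}, "body": "<html></html>"},
    "open": {"headers": {"Content-Security-Policy": "frame-ancestors *"}, "body": "<html></html>"},
    "none": {"headers": {}, "body": "<html></html>"},
}

# A <meta> tag declaring a CSP, and the content attribute inside such a tag.
META_CSP = re.compile(r"<meta\b[^>]*http-equiv\s*=\s*[\"']content-security-policy[\"'][^>]*>", re.I)
CONTENT_ATTR = re.compile(r"\bcontent\s*=\s*(?:\"([^\"]*)\"|'([^']*)')", re.I)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive: [source tokens]}. Directive names
    are case-insensitive and only the first occurrence of a directive counts."""
    directives: Dict[str, List[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_policy(headers: Dict[str, str], body: str) -> dict:
    """Decide whether a response may be framed by other origins, and flag
    anti-framing directives that are present but ineffective."""
    verdict: dict = {"protected": False, "source": None, "warnings": []}

    csp = get_header(headers, "Content-Security-Policy")
    if csp is not None:
        ancestors = parse_csp(csp).get("frame-ancestors")
        if ancestors is not None:
            # '*' lets any origin frame the page; anything else ('none', 'self',
            # an explicit host list) restricts the set of allowed framers.
            verdict["protected"] = "*" not in ancestors
            verdict["source"] = "Content-Security-Policy frame-ancestors " + " ".join(ancestors)

    # X-Frame-Options is the legacy fallback; CSP frame-ancestors wins when both exist.
    xfo = get_header(headers, "X-Frame-Options")
    if not verdict["protected"] and xfo is not None and xfo.strip().upper() in ("DENY", "SAMEORIGIN"):
        verdict["protected"] = True
        verdict["source"] = "X-Frame-Options " + xfo.strip().upper()

    # A CSP inside <meta> never contributes to framing protection, but it is
    # worth reporting so the author knows why the page is still frameable.
    for tag in META_CSP.finditer(body):
        match = CONTENT_ATTR.search(tag.group(0))
        if match is None:
            verdict["warnings"].append("meta CSP tag has no content attribute and is ignored")
        else:
            policy = match.group(1) if match.group(1) is not None else match.group(2)
            if "frame-ancestors" in parse_csp(policy):
                verdict["warnings"].append("frame-ancestors in a <meta> policy is ignored; send it as a header")
    return verdict


def audit(name: str) -> dict:
    """Run the check over one of the constructed sample responses."""
    sample = SAMPLE_RESPONSES[name]
    return framing_policy(sample["headers"], sample["body"])


if __name__ == "__main__":
    for sample_name in SAMPLE_RESPONSES:
        print(sample_name, audit(sample_name))
```

Run against a live deployment, `headers` and `body` would come from the actual 500 response (for example by requesting a deliberately invalid URL on a test instance); only a response whose `protected` flag is set via a header, not via `<meta>`, carries the protection the commit message aims for.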
Hi Jacques,

the commit message is confusing, especially when you just read the headline in the commit history. Why not simply write

"Improved: adds /uploads/ to runtime/.gitignore" ?

Thanks,

Michael

On 24.03.20 at 18:31, [hidden email] wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
> new 11c0ce6 Improved: no functional change
> 11c0ce6 is described below
>
> commit 11c0ce6d55b9ffc0124354bae8f5d9746bf5681e
> Author: Jacques Le Roux <[hidden email]>
> AuthorDate: Tue Mar 24 18:31:54 2020 +0100
>
> Improved: no functional change
>
> Adds /uploads/ in .runtime/.gitignore
> ---
> runtime/.gitignore | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/runtime/.gitignore b/runtime/.gitignore
> index f4a9877..290c994 100644
> --- a/runtime/.gitignore
> +++ b/runtime/.gitignore
> @@ -6,3 +6,4 @@
> /tmp
> /tempfiles
> /output
> +/uploads/
>
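Review bot: the commit message for the runtime/.gitignore hunk says "no functional change" in its headline and names `.runtime/.gitignore`, while the diff touches `runtime/.gitignore`; a headline such as "Improved: adds /uploads/ to runtime/.gitignore" would match the change and be readable in the history. Minor style point: the existing entries `/tmp`, `/tempfiles` and `/output` carry no trailing slash while the new `+/uploads/` does; the trailing slash is valid (it matches only a directory), but keeping the file consistent one way or the other avoids readers wondering whether the difference is deliberate.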
Hi Michael,

Makes sense, I'll try to remember for next time

Jacques

On 24/03/2020 at 21:14, Michael Brohl wrote:
> Hi Jacques,
>
> the commit message is confusing, especially when you just read the headline in the commit history. Why not simply write
>
> "Improved: adds /uploads/ to runtime/.gitignore" ?
>
> Thanks,
>
> Michael
>
>
> On 24.03.20 at 18:31, [hidden email] wrote:
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> jleroux pushed a commit to branch trunk
>> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>>
>>
>> The following commit(s) were added to refs/heads/trunk by this push:
>> new 11c0ce6 Improved: no functional change
>> 11c0ce6 is described below
>>
>> commit 11c0ce6d55b9ffc0124354bae8f5d9746bf5681e
>> Author: Jacques Le Roux <[hidden email]>
>> AuthorDate: Tue Mar 24 18:31:54 2020 +0100
>>
>> Improved: no functional change
>> Adds /uploads/ in .runtime/.gitignore
>> ---
>> runtime/.gitignore | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/runtime/.gitignore b/runtime/.gitignore
>> index f4a9877..290c994 100644
>> --- a/runtime/.gitignore
>> +++ b/runtime/.gitignore
>> @@ -6,3 +6,4 @@
>> /tmp
>> /tempfiles
>> /output
>> +/uploads/
>>
>