Error occurs using XML-Import from webtools
-------------------------------------------

                Key: OFBIZ-2189
                URL: https://issues.apache.org/jira/browse/OFBIZ-2189
            Project: OFBiz
         Issue Type: Bug
         Components: framework
   Affects Versions: SVN trunk
           Reporter: Ashish Nagar
            Fix For: SVN trunk

While uploading Entity Engine XML documents, an error is occurring:
[ ServiceDispatcher.java:368:ERROR]
---- exception report ----------------------------------------------------------
Incoming context (in runSync : entityImport) does not match expected requirements
Exception: org.ofbiz.service.ServiceValidationException
Message: In field [fulltext] greater-than (>) and less-than (<) symbols are not allowed.
---- stack trace ---------------------------------------------------------------
org.ofbiz.service.ServiceValidationException: In field [fulltext] greater-than (>) and less-than (<) symbols are not allowed.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ashish Nagar updated OFBIZ-2189:
--------------------------------

    Attachment: OFBIZ-2189.patch

This error is due to the statement in line no. 487 of StringUtil.java. If this condition
"if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {"
is replaced by the condition
"if (value.indexOf("<") > 0 || value.indexOf(">") == 0) {"
then the error gets resolved. I am providing the patch for this file.

> Error occurs using XML-Import from webtools
> -------------------------------------------
>
>                 Key: OFBIZ-2189
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2189
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Ashish Nagar
>             Fix For: SVN trunk
>
>         Attachments: OFBIZ-2189.patch
>
>   Original Estimate: 3h
>  Remaining Estimate: 3h
>
> While uploading Entity Engine XML documents, an error is occurring:
> [ ServiceDispatcher.java:368:ERROR]
> ---- exception report ----------------------------------------------------------
> Incoming context (in runSync : entityImport) does not match expected requirements
> Exception: org.ofbiz.service.ServiceValidationException
> Message: In field [fulltext] greater-than (>) and less-than (<) symbols are not allowed.
> ---- stack trace ---------------------------------------------------------------
> org.ofbiz.service.ServiceValidationException: In field [fulltext] greater-than (>) and less-than (<) symbols are not allowed.

[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673281#action_12673281 ]

Markus Studer commented on OFBIZ-2189:
--------------------------------------

The problem is related to the recent security changes. XML Data Import allows entering a "Complete XML document" directly; it uses the service entityImport and enters the data into the field fullText. This field gets validated to not include those < and > characters (new default behaviour). It is possible to override this behaviour on the service definition at attribute level (i.e. for field fullText), but I am not sure what consequences that has from a security point of view.

The patch you provided doesn't help as it "deactivates" the checks for < and >.

[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673301#action_12673301 ]

David E. Jones commented on OFBIZ-2189:
---------------------------------------

Yes, this patch basically disables the check in many situations and must not be committed.

In general framework changes for isolated cases is a sign of the framework not being used correctly, and as Markus said this is just an issue with that particular instance and we don't want to change the default behavior of checking for HTML, we just want to change the config on the one service to allow HTML. In this case it should be allow-html="any" because the incoming text is not HTML, it is XML and is validated separately, so HTML checking is not needed and doesn't make sense.

[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David E. Jones updated OFBIZ-2189:
----------------------------------

    Attachment:     (was: OFBIZ-2189.patch)

[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David E. Jones closed OFBIZ-2189.
---------------------------------

    Resolution: Fixed
      Assignee: David E. Jones

Fixed in rev 744177.

[ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673478#action_12673478 ]

Ashish Nagar commented on OFBIZ-2189:
-------------------------------------

Thanks David for providing a fix for this issue. But I still have some doubts on that statement of StringUtil.java,

        // check for "<", ">"
        if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {

Some things I found are:

1) The same condition is checked on both sides of the OR. (I hope the second condition should be a check for the ">" sign.)

2) Now anyone can put Entity Engine XML documents without bothering about the syntax of the initial tag <entity-engine-xml>; instead he can start with "><entity-engine-xml>".

3) An admin user can put any type of text (other than XML docs) inside the enclosing tags <entity-engine-xml> and can click on the import text button. (There should be an error message asking to put XML tags.)

However, I wonder, as this condition "if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {" will check the initial occurrence of "<" in the given text. But what I found is that in StringUtil.java the value object does not contain the text value imported. So value.indexOf("<") always evaluates to -1. So the input value is not validated upon these symbols.

I will be more than pleased if you correct me if I am in the wrong direction and provide suggestions.

This seems more like a discussion than relevant to the closed issue, so replying to the dev list:

On Feb 14, 2009, at 1:13 AM, Ashish Nagar (JIRA) wrote:

>
> [ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673478#action_12673478 ]
>
> Ashish Nagar commented on OFBIZ-2189:
> -------------------------------------
>
> Thanks David for providing fix for this issue. But I still have some
> doubts on that statement of StringUtil.java,
>
>         // check for "<", ">"
>         if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {
>
> Some things I found are:
>
> 1) Same condition is checked on both sides of OR. (I hope second
> condition should be a check for ">" sign)

Yes, good catch! That is fixed in SVN rev 744420.

> 2) Now anyone can put Entity Engine XML documents without bothering
> the syntax of initial tag <entity-engine-xml>, instead he can start
> with "><entity-engine-xml>".

Actually, the services now have the allow-html="any" set, so either one will pass through fine.

Before that was set neither would pass through because with the ">=" it will look for the character anywhere in the string (ie the first character doesn't matter).

> 3) Admin user can put any type of text (other than XML docs) inside
> the enclosing tags <entity-engine-xml> & can click on import text
> button. (There should be error message asking to put XML tags)

I'm not sure what you mean by this, could you elaborate... perhaps with some examples?

> However I wonder as this condition "if (value.indexOf("<") >= 0 ||
> value.indexOf("<") >= 0) {" will check the initial occurrence of "<"
> in the given text. But what I found is in StringUtil.java the value
> object does not contain the text value imported. So the
> value.indexOf("<") always evaluates to -1. So the input value is not
> validated upon these symbols.

Maybe you should look closer, it sounds like you might have been looking at it processing a different String than the one you thought it was.

-David

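The three forms of the check discussed in this thread, compared side by side. This is an added example, not OFBiz source and not part of any message in the thread. The class, method and sample names are hypothetical, the "corrected" condition is an assumption based on the description of the rev 744420 fix, and validate() is only a simplified model of a per-attribute allow-html setting.

```java
import java.util.function.Predicate;

// Added illustration, not OFBiz source. Class, method and sample names are hypothetical.
public class AngleBracketCheckDemo {

    // Condition quoted in the thread: "<" is tested on both sides of the OR.
    static boolean originalRejects(String v) {
        return v.indexOf("<") >= 0 || v.indexOf("<") >= 0;
    }

    // Condition proposed in the rejected patch.
    static boolean patchedRejects(String v) {
        return v.indexOf("<") > 0 || v.indexOf(">") == 0;
    }

    // Assumed corrected form: either character, anywhere in the string.
    static boolean correctedRejects(String v) {
        return v.indexOf("<") >= 0 || v.indexOf(">") >= 0;
    }

    // Simplified model of a per-attribute override: "any" skips the check for
    // that one field, every other field keeps the default ("none").
    static String validate(Predicate<String> rejects, String allowHtml, String v) {
        if ("any".equals(allowHtml)) return "accept";
        return rejects.test(v) ? "reject" : "accept";
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "<entity-engine-xml>",   // "<" at index 0
            "><entity-engine-xml>",  // ">" at index 0, "<" at index 1
            "a > b",                 // only ">", not at index 0
            "plain text"             // neither character
        };
        System.out.printf("%-22s %-9s %-9s %-10s %s%n",
                "value", "original", "patched", "corrected", "corrected+any");
        for (String s : samples) {
            System.out.printf("%-22s %-9s %-9s %-10s %s%n", s,
                    validate(AngleBracketCheckDemo::originalRejects, "none", s),
                    validate(AngleBracketCheckDemo::patchedRejects, "none", s),
                    validate(AngleBracketCheckDemo::correctedRejects, "none", s),
                    validate(AngleBracketCheckDemo::correctedRejects, "any", s));
        }
    }
}
```

With the default "none", the patched condition accepts "<entity-engine-xml>" because its "<" sits at index 0, and only the corrected condition rejects "a > b". With "any", every sample is accepted, but only for the one field that carries the override.
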
Thanks David for your reply. Please see my comments inline:
David E Jones wrote:
>
> This seems more like a discussion than relevant to the closed issue,
> so replying to the dev list:
>
>
> On Feb 14, 2009, at 1:13 AM, Ashish Nagar (JIRA) wrote:
>
>>
>> [ https://issues.apache.org/jira/browse/OFBIZ-2189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12673478#action_12673478 ]
>>
>> Ashish Nagar commented on OFBIZ-2189:
>> -------------------------------------
>>
>> Thanks David for providing fix for this issue. But I still have some
>> doubts on that statement of StringUtil.java,
>>
>>         // check for "<", ">"
>>         if (value.indexOf("<") >= 0 || value.indexOf("<") >= 0) {
>>
>> Some things I found are:
>>
>> 1) Same condition is checked on both sides of OR. (I hope second
>> condition should be a check for ">" sign)
>
> Yes, good catch! That is fixed in SVN rev 744420.
>
>> 2) Now anyone can put Entity Engine XML documents without bothering
>> the syntax of initial tag <entity-engine-xml>, instead he can start
>> with "><entity-engine-xml>".
>
> Actually, the services now have the allow-html="any" set, so either
> one will pass through fine.
>
> Before that was set neither would pass through because with the ">="
> it will look for the character anywhere in the string (ie the first
> character doesn't matter).
>
syntaxes to be followed./

>> 3) Admin user can put any type of text (other than XML docs) inside
>> the enclosing tags <entity-engine-xml> & can click on import text
>> button. (There should be error message asking to put XML tags)
>
> I'm not sure what you mean by this, could you elaborate... perhaps
> with some examples?

/Like if I put <Party partyId="admin" partyTypeId="PERSON"/> (syntactically correct) inside the enclosing entity-engine tags, it will be fine. But if I put any other text like "a,b,c,d....Blah blah" inside these tags, it should not be admitted. I think it's too because of the reason you explained in point 2. But this should be again validated against syntaxes./

>
>> However I wonder as this condition "if (value.indexOf("<") >= 0 ||
>> value.indexOf("<") >= 0) {" will check the initial occurrence of "<"
>> in the given text. But what I found is in StringUtil.java the value
>> object does not contain the text value imported. So the
>> value.indexOf("<") always evaluates to -1. So the input value is not
>> validated upon these symbols.
>
> Maybe you should look closer, it sounds like you might have been
> looking at it processing a different String than the one you thought
> it was.

getting set inside the "value" object in StringUtil class. So there is no chance to validate this data imported. I tried to get the value of "/value.indexOf("<")/" & found it to be equal to -1 always, for whatever the tags are passed./

>
> -David
>
>

-Ashish Nagar