[jira] Created: (OFBIZ-2449) Secure targets in widget forms


[jira] Created: (OFBIZ-2449) Secure targets in widget forms

Nicolas Malin (Jira)
Secure targets in widget forms
------------------------------

                 Key: OFBIZ-2449
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2449
             Project: OFBiz
          Issue Type: Sub-task
          Components: ALL COMPONENTS
    Affects Versions: Release Branch 9.04, SVN trunk
            Reporter: Jacques Le Roux
             Fix For: Release Branch 9.04, SVN trunk


We also have targets with params in the URL in forms, despite their already using the POST action.
Look for <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances) and <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances) in *form*.xml.

An easy example to use is ListPhysicalInventory.

So we should extend the param-name scheme to the form widget also.
Maybe some targets are not calling services and so are not real threats (no changes possible in the DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
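An added example (not from the issue or from OFBiz) of the audit the issue describes: it reproduces the two greps on a constructed *form*.xml fragment and, beside them, a layout-independent check that parses each `<form>` target and lists the parameters it passes in the URL, so a reviewer can decide per form whether the request calls a service or only an event and move values into hidden fields where needed. The form names, targets and field names in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed *form*.xml fragment (not from OFBiz) with the layouts the issue's two
# greps look for: a target on the line after <form, a target on the same line, and
# an upload form that passes its value as a hidden field instead of in the URL.
SAMPLE_FORM_XML = """\
<forms>
    <form name="ListPhysicalInventory" type="list"
        target="ListPhysicalInventory?facilityId=${facilityId}">
        <field name="productId"><display/></field>
    </form>
    <form name="UpdateItem" type="single" target="updateItem?itemId=${itemId}&amp;facilityId=${facilityId}">
        <field name="quantity"><text/></field>
    </form>
    <form name="UploadFile" type="upload" target="uploadFile">
        <field name="facilityId"><hidden/></field>
    </form>
</forms>
"""

# The issue's two patterns; Java's \R (any line break) has no Python equivalent,
# so it is spelled out. Note both also accept the unrelated <forms> root element.
SAME_LINE = re.compile(r"<form(.*)target=(.*)\?(.*)=(.*)>")
NEXT_LINE = re.compile(r"<form(.*)(?:\r\n|\n|\r)(.*)target=(.*)\?(.*)=(.*)>")


def grep_counts(xml_text):
    """Reproduce the issue's two greps: (same-line hits, next-line hits)."""
    return len(SAME_LINE.findall(xml_text)), len(NEXT_LINE.findall(xml_text))


def find_query_targets(xml_text):
    """Structured check: every <form> whose target carries a query string.

    Returns (form name, request, [param names]); unlike the regexes it does not
    depend on where the target attribute sits, and it unescapes &amp; for you.
    """
    findings = []
    for form in ET.fromstring(xml_text).iter("form"):
        request, _, query = form.get("target", "").partition("?")
        if not query:
            continue  # values travel in fields (e.g. hidden), not in the URL
        params = [p.split("=", 1)[0] for p in query.split("&") if "=" in p]
        findings.append((form.get("name"), request, params))
    return findings
```

Run over a real tree with `find_query_targets(path.read_text())` for each `*form*.xml`; the regex counts are only there to reproduce the issue's numbers.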


[jira] Updated: (OFBIZ-2449) Secure targets in widget forms

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-2449:
-----------------------------------

    Description:
We also have targets with params in the URL in forms, despite their already using the POST action.

In *form*.xml look for
{code}
<<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances)
<<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances)
{code}

An easy example to use is ListPhysicalInventory.

So we should extend the param-name scheme to the form widget also.
Maybe some targets are not calling services and so are not real threats (no changes possible in the DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.



  was:
We also have targets with params in the URL in forms, despite their already using the POST action.
Look for <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances) and <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances) in *form*.xml.

An easy example to use is ListPhysicalInventory.

So we should extend the param-name scheme to the form widget also.
Maybe some targets are not calling services and so are not real threats (no changes possible in the DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.







[jira] Closed: (OFBIZ-2449) Secure targets in widget forms

Nicolas Malin (Jira)

     [ https://issues.apache.org/jira/browse/OFBIZ-2449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-2449.
----------------------------------

         Assignee: Jacques Le Roux
    Fix Version/s: Release Branch 10.04
                   jQuery
       Resolution: Not A Problem

I checked: these are all multi, upload (which are handled with hidden fields) or events without services called.
I'm happy with that; it was a long-standing issue and now I'm pretty sure there aren't any issues of this type in OFBiz at all.

I think we should also close OFBIZ-1959, but I did not check the details...

> Secure targets in widget forms
> ------------------------------
>
>                 Key: OFBIZ-2449
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2449
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL COMPONENTS
>    Affects Versions: Release Branch 09.04, SVN trunk
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: Release Branch 09.04, Release Branch 10.04, jQuery, SVN trunk
>
>
> We also have targets with params in the URL in forms, despite their already using the POST action.
> In *form*.xml look for
> {code}
> <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances)
> <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> ( 23 instances)
> {code}
> An easy example to use is ListPhysicalInventory.
> So we should extend the param-name scheme to the form widget also.
> Maybe some targets are not calling services and so are not real threats (no changes possible in DB). But we have already chosen to change all hyperlinks in the same case and not to try to filter them.
