This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

    from 42571fb  Fixed: Post-auth XSS vulnerability at catalog/control/EditProductPromo (OFBIZ-12096)
     new 4e400fb  Fixed: Make ruleName field in PriceForms.xml#AddPriceRules safe (OFBIZ-12098)
     new 8bdf4d4  Fixed: Make ruleName field in PriceForms.xml#AddPriceRules safe (OFBIZ-12098)

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../product/servicedef/services_pricepromo.xml | 55 +++++++++++-----------
 1 file changed, 28 insertions(+), 27 deletions(-)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 4e400fb47a0ddaf271cc8c97a05ad77fbf7e0c34 Author: Jacques Le Roux <[hidden email]> AuthorDate: Sun Dec 20 11:02:27 2020 +0100 Fixed: Make ruleName field in PriceForms.xml#AddPriceRules safe (OFBIZ-12098) I noticed an issue due to entity-auto. Unlike with a standard service you can't protect fields using allow-html="safe" except by overriding fields. So in case this must be done one by one... An example is ruleName field in PriceForms.xml#AddPriceRules with createProductPriceRule and updateProductPriceRule services This fixes this only case... Also removes trailing blanks and only that (by IDE setting) --- .../product/servicedef/services_pricepromo.xml | 54 +++++++++++----------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/applications/product/servicedef/services_pricepromo.xml b/applications/product/servicedef/services_pricepromo.xml index 86bbdb8..44af235 100644 --- a/applications/product/servicedef/services_pricepromo.xml +++ b/applications/product/servicedef/services_pricepromo.xml @@ -72,7 +72,7 @@ under the License. <permission-service service-name="productPriceGenericPermission" main-action="CREATE"/> <auto-attributes include="pk" mode="OUT" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> - <override name="ruleName" optional="false"/> + <override name="ruleName" optional="false" allow-html="safe"/> </service> <service name="updateProductPriceRule" default-entity-name="ProductPriceRule" engine="entity-auto" invoke="update" auth="true"> <description>Update a ProductPriceRule</description> 
@@ -386,62 +386,62 @@ under the License. <service name="productPromoCondProductTotal" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productTotal"> <description>Product promo condition service on the product Total</description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondProductQuant" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productQuant"> <description>Product promo condition service on quantity </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondNewACCT" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productNewACCT"> <description>Product promo condition service on Account Days Since Created </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondPartyID" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productPartyID"> <description>Product promo condition service on party ID </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondPartyGM" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productPartyGM"> <description>Product promo condition service on party group member </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondPartyClass" 
engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productPartyClass"> <description>Product promo condition service on party Classification </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondRoleType" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productRoleType"> <description>Product promo condition service on role type </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondGeoID" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productGeoID"> <description>Product promo condition service on shipping destination </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondOrderTotal" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productOrderTotal"> <description>Product promo condition service on cart sub-total </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondOrderHist" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productOrderHist"> <description>Product promo condition service on Order sub-total X in last Y Months </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondOrderYear" engine="groovy" auth="false" 
location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productOrderYear"> <description>Product promo condition service on Order sub-total X since beginning of current year </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondOrderLastYear" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productOrderLastYear"> <description>Product promo condition service on Order sub-total X last year </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondPromoRecurrence" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productPromoRecurrence"> 
@@ -451,17 +451,17 @@ under the License. <service name="productPromoCondOrderShipTotal" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productShipTotal"> <description>Product promo condition service on promotion recurrence </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondListPriceMinAmount" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productListPriceMinAmount"> <description>Product promo condition service on shipping total </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <service name="productPromoCondListPriceMinPercent" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoCondServices.groovy" invoke="productListPriceMinPercent"> <description>Product promo condition service on shipping total </description> - <implements service="interfaceProductPromoCond"/> + <implements service="interfaceProductPromoCond"/> </service> <!-- ProductPricePromoAction services --> 
@@ -475,51 +475,51 @@ under the License. <service name="productPromoActGiftGWP" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productGWP"> <description>Product promo Action gift with purchase </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActFreeShip" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productActFreeShip"> <description>Product promo Action free shipping </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActProdDISC" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productDISC"> <description>Product promo Action product discount % </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActProdAMDISC" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productAMDISC"> <description>Product promo Action product discount </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActProdPrice" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productPrice"> <description>Product promo Action product price </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActOrderPercent" engine="groovy" auth="false" 
location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productOrderPercent"> <description>Product promo Action order percent </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActOrderAmount" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productOrderAmount"> <description>Product promo Action order amount </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActProdSpecialPrice" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productSpecialPrice"> <description>Product promo Action product special price </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActTaxPercent" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productTaxPercent"> <description>Product promo Action product tax percent </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> <service name="productPromoActShipCharge" engine="groovy" auth="false" location="component://product/groovyScripts/product/promo/ProductPromoActionServices.groovy" invoke="productShipCharge"> <description>Product promo Action product shipping charge </description> - <implements service="interfaceProductPromoAction"/> + <implements service="interfaceProductPromoAction"/> </service> -</services> +</services> |
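Review bot: the `<override name="ruleName" optional="false" allow-html="safe"/>` added at @@ -72,7 covers only createProductPriceRule, while the trailing context of that hunk shows updateProductPriceRule opening directly below it with no matching override, even though the commit message names both services as consumers of the ruleName field from PriceForms.xml#AddPriceRules. Add the same override line inside updateProductPriceRule so the update path validates ruleName the same way; as the message itself says, with entity-auto there is no other place to attach allow-html to that field, so without it the field stays unprotected on edit.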
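Review bot: the hunks at @@ -386,62, @@ -451,17 and @@ -475,51 are whitespace-only (trailing blanks stripped from `<implements .../>` lines and from the closing `</services>`), which turns a one-line security fix into a 54-line diff and hides the change that matters when this commit is reviewed or cherry-picked to another release branch. Put the trailing-blank cleanup in a separate commit rather than in one that references an XSS ticket.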
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 8bdf4d447e701fa99b7e4d503a32e4dc321f2eaa Author: Jacques Le Roux <[hidden email]> AuthorDate: Sun Dec 20 11:02:27 2020 +0100 Fixed: Make ruleName field in PriceForms.xml#AddPriceRules safe (OFBIZ-12098) I noticed an issue due to entity-auto. Unlike with a standard service you can't protect fields using allow-html="safe" except by overriding fields. So in case this must be done one by one... An example is ruleName field in PriceForms.xml#AddPriceRules with createProductPriceRule and updateProductPriceRule services This fixes this only case... Also removes trailing blanks and only that (by IDE setting) --- applications/product/servicedef/services_pricepromo.xml | 1 + 1 file changed, 1 insertion(+) diff --git a/applications/product/servicedef/services_pricepromo.xml b/applications/product/servicedef/services_pricepromo.xml index 44af235..43916eb 100644 --- a/applications/product/servicedef/services_pricepromo.xml +++ b/applications/product/servicedef/services_pricepromo.xml @@ -79,6 +79,7 @@ under the License. <permission-service service-name="productPriceGenericPermission" main-action="UPDATE"/> <auto-attributes include="pk" mode="IN" optional="false"/> <auto-attributes include="nonpk" mode="IN" optional="true"/> + <override name="ruleName" optional="false" allow-html="safe"/> </service> <service name="deleteProductPriceRule" default-entity-name="ProductPriceRule" engine="entity-auto" invoke="delete" auth="true"> <description>Delete a ProductPriceRule</description> |
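Review bot: the commit message is a verbatim copy of 4e400fb, including "Also removes trailing blanks and only that (by IDE setting)" and "This fixes this only case...", but this diff is a single added line at @@ -79,6 and removes no blanks, and it completes the second service the message names rather than a single case. Reword it to say it adds the `allow-html="safe"` override for ruleName on updateProductPriceRule that the previous commit left out; the reason is the same as on create, since the `<auto-attributes include="nonpk" mode="IN" optional="true"/>` in the context pulls ruleName in as an input with no other place to attach allow-html.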