This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 47b16d4 Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
47b16d4 is described below
commit 47b16d404436f72a484416aba34b5784e36090cd
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Jun 27 10:43:02 2020 +0200
Fixed: IDOR vulnerability in the order processing feature in ecommerce component (OFBIZ-11836)
Fixes a bug when there is no problem viewing the order, my bad
---
applications/order/groovyScripts/order/OrderViewWebSecure.groovy | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
index c5bdd5b..fc1e65c 100644
--- a/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
+++ b/applications/order/groovyScripts/order/OrderViewWebSecure.groovy
@@ -59,9 +59,9 @@ if (orderHeader) {
canViewInternalDetails = false
errMsgList.add("It's not an error : you are not allowed to view this!")
showErrorMsg = "Y"
+ request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
+ context.showErrorMsg = showErrorMsg
}
- request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList)
- context.showErrorMsg = showErrorMsg
}
context.hasPermission = hasPermission
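Review bot: context.showErrorMsg is now assigned only inside the denial branch (the two added lines before the inner closing brace), so on the permitted path this block no longer sets that context key at all, where before it was set whenever orderHeader was found. Please confirm that every reader of showErrorMsg treats a missing value the same as a value other than "Y"; otherwise keep the context.showErrorMsg assignment outside the branch and move only the request.setAttribute("_ERROR_MESSAGE_LIST_", errMsgList) call inside it. Separately, the text added to errMsgList is a hard-coded English string, so consider a localized label for it. Given that the commit message describes this as a correction to the earlier fix, a test that exercises both the allowed and the denied view of an order would guard against the same regression.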