[ofbiz-framework] branch release18.12 updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11353)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new b874a11  Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11353)
b874a11 is described below

commit b874a11103e686c6adce6a696862e21da11a21bd
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Feb 14 10:18:00 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
    for security reason
    (OFBIZ-11353)
   
    A vulnerability has been reported to the OFBiz security team. To be able to
    release the 17.12.01 version with this vulnerability fixed we need to
    temporarily comment out the "stream" request-map in commonext controller.
    We will later fix the specific issue to put back the functionalities allowed by
    the "stream" request-map in this controller, see OFBIZ-11349
---
 applications/commonext/webapp/WEB-INF/controller.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/applications/commonext/webapp/WEB-INF/controller.xml b/applications/commonext/webapp/WEB-INF/controller.xml
index 82e1e22..207581f 100644
--- a/applications/commonext/webapp/WEB-INF/controller.xml
+++ b/applications/commonext/webapp/WEB-INF/controller.xml
@@ -42,11 +42,16 @@ under the License.
         <response name="success" type="view-last"/>
     </request-map>
     
-    <request-map uri="stream">
+<!--  A vulnerability has been reported to the OFBiz security team.
+      To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
+      comment out the "stream" request-map in this controller. We will later fix the specific issue to put back the
+      functionalities allowed by the "stream" request-map in this controller, see OFBIZ-11353
+      This will be later be put back with OFBIZ-11349 -->
+<!--     <request-map uri="stream">
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
-    </request-map>
+    </request-map> -->
     
 </site-conf>
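Review bot: The XML comment added in this hunk has a typo and a mixed-up issue reference: the line "This will be later be put back with OFBIZ-11349" doubles "be", and the sentence before it says "see OFBIZ-11353" (this very fix) where the commit message body says the restoration is tracked in OFBIZ-11349; the comment should name OFBIZ-11349 once as the follow-up and drop the duplicated word. Two smaller points: the commit subject says "ecommerce controller" while the only changed file is applications/commonext/webapp/WEB-INF/controller.xml (the body correctly says commonext), so the subject should be corrected before the change is cherry-picked elsewhere; and the flush-left "<!--" openers break the four-space indentation of the sibling request-map elements. On substance the edit is well-formed XML (two separate comments, no "--" inside either one) and it removes only the "stream" URI from this controller, so to be sure the mitigation is complete it is worth confirming that no other controller.xml on release18.12 still maps a request to DataEvents.serveObjectData.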