[ofbiz-framework] branch release18.12 updated: Fixed: Temporarily comment out the "stream" request-map in commonext controller for security reason (OFBIZ-11353)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new fea0078  Fixed: Temporarily comment out the "stream" request-map in commonext controller for security reason (OFBIZ-11353)
fea0078 is described below

commit fea0078fc30327be42f1a82982c07ae2da7f8357
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Wed Feb 19 09:34:50 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in commonext controller
    for security reason
    (OFBIZ-11353)
   
    A vulnerability has been reported to the OFBiz security team. To be able to
    release the 17.12.01 version with this vulnerability fixed we need to require
    (maybe only temporarily) the "stream" request-map in commonext controller
    to need authentication.
   
    We will later check that this has no impact and if necessary remove the
    mandatory authentication, see OFBIZ-11349
---
 applications/commonext/webapp/WEB-INF/controller.xml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/applications/commonext/webapp/WEB-INF/controller.xml b/applications/commonext/webapp/WEB-INF/controller.xml
index 207581f..5c4cf7d 100644
--- a/applications/commonext/webapp/WEB-INF/controller.xml
+++ b/applications/commonext/webapp/WEB-INF/controller.xml
@@ -42,16 +42,19 @@ under the License.
         <response name="success" type="view-last"/>
     </request-map>
     
-<!--  A vulnerability has been reported to the OFBiz security team.
-      To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
-      comment out the "stream" request-map in this controller. We will later fix the specific issue to put back the
-      functionalities allowed by the "stream" request-map in this controller, see OFBIZ-11353
-      This will be later be put back with OFBIZ-11349 -->
-<!--     <request-map uri="stream">
+<!-- A vulnerability has been reported to the OFBiz security team. To be able to
+release the 17.12.01 version with this vulnerability fixed we need to require
+(maybe only temporarily) the "stream" request-map in commonext controller
+to need authentication.
+We will later check that this has no impact and if necessary remove the
+mandatory authentication, see OFBIZ-11349
+ -->    
+<request-map uri="stream">
+    <security https="true" auth="true"/>
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
-    </request-map> -->
+    </request-map>
     
 </site-conf>
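Review bot: the indentation of the re-enabled block is inconsistent with the rest of the file: `<request-map uri="stream">` sits at column 0 and `<security https="true" auth="true"/>` at 4 spaces, while the retained `<event>`/`<response>` children are at 8 and the closing `</request-map>` is at 4; indent the two new lines to 4 and 8 respectively (`    <request-map uri="stream">` / `        <security https="true" auth="true"/>`) so the element nests like the surrounding request-maps, and drop the trailing whitespace after ` -->`. The rewritten comment also loses the reference to OFBIZ-11353 that the removed comment carried; since that is the ticket this commit fixes, keep both ticket numbers in the comment so a reader of controller.xml can find the vulnerability ticket as well as the follow-up OFBIZ-11349. Finally, the commit message says the impact of `auth="true"` will be checked later; it would be worth noting in the comment that any unauthenticated consumer of the "stream" URI is now redirected to login, so the follow-up check knows what behaviour changed.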