OFBiz OFBiz - Commits

[ofbiz-framework] branch release18.12 updated (c5ba62e -> ecc4e84)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
jleroux@apache.org
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] branch release18.12 updated (c5ba62e -> ecc4e84)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.


    from c5ba62e  Improved: Adds information to install without the demo data
     new c70fa51  Improved: better message for host-headers-allowed
     new fd3667b  Improved: Put the AsciiDoc files in main repo under the web site (OFBIZ-11879)
     new ecc4e84  Fixed: don't remove localhost from host-headers-allowed this was only for testing

The 3 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 build.gradle                                                   | 10 ++++++++++
 .../java/org/apache/ofbiz/webapp/control/RequestHandler.java   |  6 ++++--
 2 files changed, 14 insertions(+), 2 deletions(-)

jleroux@apache.org
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 01/03: Improved: better message for host-headers-allowed

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit c70fa51ae74abf225a4c006523bc56ec07205d84
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Jul 11 09:30:59 2020 +0200

    Improved: better message for host-headers-allowed
   
    Adds an explanation about what to do when using own domain.
   
    Some users don't look into the log so it's better to set also the exception
    message in order for them to have it right at 1st glance.
   
    Conflicts handled in webapp/control/RequestHandler.java
---
 framework/security/config/security.properties                       | 2 +-
 .../main/java/org/apache/ofbiz/webapp/control/RequestHandler.java   | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index fa64fa5..8992fa1 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -154,7 +154,7 @@ security.token.key=security.token.key
 
 # -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
-host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+host-headers-allowed=127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
 # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed  
 SameSiteCookieAttribute=
diff --git a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
index 41b5d44..fe5ff7a 100644
--- a/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
+++ b/framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/RequestHandler.java
@@ -240,8 +240,10 @@ public class RequestHandler {
             GenericValue userLogin, Delegator delegator) throws RequestHandlerException, RequestHandlerExceptionAllowExternalRequests {
 
         if (!hostHeadersAllowed.contains(request.getServerName())) {
-            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection ", module);
-            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection ");
+            Debug.logError("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.", MODULE);
+            throw new RequestHandlerException("Domain " + request.getServerName() + " not accepted to prevent host header injection."
+                    + " You need to set host-headers-allowed property in security.properties file.");
         }
                 
         final boolean throwRequestHandlerExceptionOnMissingLocalRequest = EntityUtilProperties.propertyValueEqualsIgnoreCase(

jleroux@apache.org
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 02/03: Improved: Put the AsciiDoc files in main repo under the web site (OFBIZ-11879)

jleroux@apache.org
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit fd3667b6f7479a13f2a2ffd04378f53677b7cd3d
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Jul 11 09:45:49 2020 +0200

    Improved: Put the AsciiDoc files in main repo under the web site (OFBIZ-11879)
   
    We have AsciiDoc files in main repo and it would be better to have them also in
    HTML format under the web site: https://ci.apache.org/projects/ofbiz/site
   
    For that a new generateReadmeFiles is needed and new "readme" locations under
    each of https://ci.apache.org/projects/ofbiz/site "sub-dirs".
    We can create those from Buildbot like we did with INFRA-20311
---
 build.gradle | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/build.gradle b/build.gradle
index 03355cf..e2ceeac 100644
--- a/build.gradle
+++ b/build.gradle
@@ -549,6 +549,16 @@ task deleteAllPluginsDocumentation {
 }
 
 
+task generateReadmeFiles(group: docsGroup, type: AsciidoctorTask) {
+    doFirst { delete "${buildDir}/asciidoc/readme" }
+    description 'Generate OFBiz README files'
+    sourceDir "${rootDir}"
+    sources {
+        include 'README.adoc', 'CHANGELOG.adoc', 'CONTRIBUTING.adoc'
+      }    
+    outputDir file("${buildDir}/asciidoc/readme/")
+}
+
 task generateOfbizDocumentation(group: docsGroup, type: AsciidoctorTask) {
     dependsOn deleteOfbizDocumentation
     description 'Generate OFBiz documentation manuals'

jleroux@apache.org
Reply | Threaded
Open this post in threaded view
|

[ofbiz-framework] 03/03: Fixed: don't remove localhost from host-headers-allowed this was only for testing

jleroux@apache.org
In reply to this post by jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit ecc4e84a956d6b87a2a4e064e1f614b78a9df0b7
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Sat Jul 11 09:57:04 2020 +0200

    Fixed: don't remove localhost from host-headers-allowed this was only for testing
---
 framework/security/config/security.properties | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties
index 8992fa1..fa64fa5 100644
--- a/framework/security/config/security.properties
+++ b/framework/security/config/security.properties
@@ -154,7 +154,7 @@ security.token.key=security.token.key
 
 # -- List of domains or IP addresses to be checked to prevent Host Header Injection,
 # -- no spaces after commas,no wildcard, can be extended of course...
-host-headers-allowed=127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
+host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable.ofbiz.apache.org,demo-old.ofbiz.apache.org
 
 # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed  
 SameSiteCookieAttribute=

Free forum by Nabble Edit this page