This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 9db0d8f Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reasons (OFBIZ-11353)
9db0d8f is described below
commit 9db0d8f2fb2846bf218c55fb6e1e02a8730789bb
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Fri Feb 14 10:18:00 2020 +0100
Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reasons (OFBIZ-11353)
A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349
---
applications/commonext/webapp/WEB-INF/controller.xml | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/applications/commonext/webapp/WEB-INF/controller.xml b/applications/commonext/webapp/WEB-INF/controller.xml
index 82e1e22..207581f 100644
--- a/applications/commonext/webapp/WEB-INF/controller.xml
+++ b/applications/commonext/webapp/WEB-INF/controller.xml
@@ -42,11 +42,16 @@ under the License.
<response name="success" type="view-last"/>
</request-map>
- <request-map uri="stream">
+<!-- A vulnerability has been reported to the OFBiz security team.
+ To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
+ comment out the "stream" request-map in this controller. We will later fix the specific issue to put back the
+ functionalities allowed by the "stream" request-map in this controller, see OFBIZ-11353
+ This will be later be put back with OFBIZ-11349 -->
+<!-- <request-map uri="stream">
<event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
<response name="success" type="none"/>
<response name="error" type="view" value="error"/>
<response name="io-error" type="none"/>
- </request-map>
+ </request-map> -->
</site-conf>
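Review bot: the explanatory comment inserted at `+<!-- A vulnerability has been reported ...` cites the tickets inconsistently with the commit message and contains a doubled word: it says "see OFBIZ-11353" and then "This will be later be put back with OFBIZ-11349", while the commit message names OFBIZ-11353 as the reported issue and OFBIZ-11349 as the follow-up that restores the request-map. Since this comment is the only marker a future maintainer will find in the file, suggest "reported as OFBIZ-11353; the request-map will be restored under OFBIZ-11349". The comment block and the `+<!-- <request-map uri="stream">` line are also flush-left while the neighbouring request-maps are indented; match the file's indentation so the disabled block is easy to spot. Finally, the subject line says "ecommerce controller" but the diff only touches applications/commonext/webapp/WEB-INF/controller.xml; either the subject should say commonext, or a second controller still exposes the same "stream" mapping and needs the same treatment before 17.12.01 is cut.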