This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 643b9c7 Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212) 643b9c7 is described below commit 643b9c7ea7dfc3e9df4b80527bf83d162f3bc39f Author: Jacques Le Roux <[hidden email]> AuthorDate: Mon Mar 29 13:13:53 2021 +0200 Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212) The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past. Of cause it must be clearly documented how to use them if needed. Here is the email content: After the recent fix for the CVE-2021-26295[1] we discussed with the security team about the opportunity need to comment out the SOAP and HTTP engines like we did in the past for RMI[2], this obviously for security reason. [1] OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)" [2] OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] " I just put a small comment in webtools controller, it should be enough. The tests pass --- framework/common/servicedef/services_test.xml | 38 +++++++++++----------- .../webcommon/WEB-INF/handlers-controller.xml | 2 +- framework/service/config/serviceengine.xml | 12 +++---- framework/service/testdef/servicetests.xml | 2 +- .../webapp/webtools/WEB-INF/controller.xml | 5 +-- 5 files changed, 30 insertions(+), 29 deletions(-) diff --git a/framework/common/servicedef/services_test.xml b/framework/common/servicedef/services_test.xml index 2963778..d21e921 100644 --- a/framework/common/servicedef/services_test.xml +++ b/framework/common/servicedef/services_test.xml 
@@ -71,13 +71,13 @@ under the License. <service name="groupTest" engine="group" location="testGroup" invoke=""/> - <service name="testHttp" engine="http" location="main-http" invoke="testScv"> +<!-- <service name="testHttp" engine="http" location="main-http" invoke="testScv"> <description>HTTP service wrapper around the test service</description> <attribute name="message" type="String" mode="IN" optional="true"/> <attribute name="resp" type="String" mode="OUT"/> - </service> + </service> --> - <service name="testSoap" engine="soap" export="true" location="main-soap" invoke="testSOAPScv"> +<!-- <service name="testSoap" engine="soap" export="true" location="main-soap" invoke="testSOAPScv"> <description>SOAP service; calls the OFBiz test SOAP service</description> <implements service="testSOAPScv"/> </service> 
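Review bot: The disabled block that opens at `<!-- <service name="testHttp"` carries no explanation of why it is commented out, unlike the comment this commit adds in webtools controller.xml; the same gap applies to the engine and service-location lines in serviceengine.xml and to the soap handler in handlers-controller.xml. A separate one-line comment placed before the opening `<!--`, such as `<!-- The http and soap test services below are commented out for security reason, see OFBIZ-12212 -->`, would give the next maintainer the context without nesting inside the block. Because XML comments cannot nest, the later hunks in this file flatten the existing `<!-- FIXME ... -->` and location comments into plain text inside the enclosing comment; stating that in the same pointer comment would stop someone from re-wrapping them and terminating the block early at `</service> -->`. The enclosing `<services>` root is outside the hunk.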
@@ -87,12 +87,12 @@ under the License. <implements service="testScv"/> </service> - <!-- test service for local loopback testing (OFBiz Client SOAP -> OFBiz Server SOAP) - https://ofbiz-vm2.apache.org:8443/webtools/control/SOAPService is the ultimate location for the testRemoteSoap + test service for local loopback testing (OFBiz Client SOAP -> OFBiz Server SOAP) + https://ofbiz-vm2.apache.org:8443/webtools/control/SOAPService is the ultimate location for the testRemoteSoap It's redirected from https://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService by the HTTPD frontend installed by Puppet in the demo server, ie ofbiz-vm2.apache.org We could use also http://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService but HSTS would sent it to https anyway - So this can be used only against trunk demo and is not in the tests set to avoid a dependency on Internet --> - <service name="testRemoteSoap" engine="soap" export="true" + So this can be used only against trunk demo and is not in the tests set to avoid a dependency on Internet + <service name="testRemoteSoap" engine="soap" export="true" location="https://demo-trunk.ofbiz.apache.org/webtools/control/SOAPService" invoke="testSoapSimple"> <attribute name="defaultValue" type="Double" mode="IN" default-value="999.9999"/> 
@@ -100,12 +100,12 @@ under the License. <attribute name="resp" type="String" mode="OUT"/> </service> - <!-- FIXME For now, not sure why, the 4 remote SOAP services below don't work --> + FIXME For now, not sure why, the 4 remote SOAP services below don't work - <!-- the location = endpoint = SOAP action --> - <!-- invoke parameter is the name of the operation to invoke, for example LatLonListZipCode --> - <!-- invoke parameter is needed when there are several possible operations for the SOAP action --> - <!-- FIXME For now, not sure why, this remote SOAP service does not work --> + the location = endpoint = SOAP action + invoke parameter is the name of the operation to invoke, for example LatLonListZipCode + invoke parameter is needed when there are several possible operations for the SOAP action + FIXME For now, not sure why, this remote SOAP service does not work <service name="testRemoteSoap1" engine="soap" export="true" location="http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php" invoke="LatLonListZipCode"> @@ -118,10 +118,10 @@ under the License. <attribute name="result" type="String" mode="OUT"/> </service> - <!-- the location = endpoint = SOAP action --> - <!-- invoke parameter is the name of the operation to invoke, for example LatLonListCityNames --> - <!-- invoke parameter is needed when there are several possible operations for the SOAP action --> - <!-- FIXME For now, not sure why, this remote SOAP service does not work --> + the location = endpoint = SOAP action + invoke parameter is the name of the operation to invoke, for example LatLonListCityNames + invoke parameter is needed when there are several possible operations for the SOAP action + FIXME For now, not sure why, this remote SOAP service does not work <service name="testRemoteSoap2" engine="soap" export="true" location="http://www.weather.gov/forecasts/xml/SOAP_server/ndfdXMLserver.php" invoke="LatLonListCityNames"> 
@@ -134,7 +134,7 @@ under the License. <attribute name="result" type="String" mode="OUT"/> </service> - <!-- FIXME For now, not sure why, this remote SOAP service does not work --> + FIXME For now, not sure why, this remote SOAP service does not work <service name="testRemoteSoap3" engine="soap" export="true" location="http://www.restfulwebservices.net/wcf/EmailValidationService.svc" invoke="EmailValidationService"> @@ -143,13 +143,13 @@ under the License. <attribute name="result" type="String" mode="OUT"/> </service> - <!-- FIXME For now, not sure why, this remote SOAP service does not work --> + FIXME For now, not sure why, this remote SOAP service does not work <service name="testRemoteSoap4" engine="soap" export="true" location="http://www.webservicex.net/geoipservice.asmx" invoke="GetGeoIPContext"> <attribute name="invoke" type="String" mode="IN" /> <attribute name="result" type="String" mode="OUT"/> - </service> + </service> --> <service name="testGroovy" engine="groovy" location="component://common/groovyScripts/GroovyServiceTest.groovy" invoke=""> <description>Test Groovy Script Service</description> diff --git a/framework/common/webcommon/WEB-INF/handlers-controller.xml b/framework/common/webcommon/WEB-INF/handlers-controller.xml index 1622d10..9e1b9e7 100644 --- a/framework/common/webcommon/WEB-INF/handlers-controller.xml +++ b/framework/common/webcommon/WEB-INF/handlers-controller.xml 
@@ -24,7 +24,7 @@ under the License. <!-- event handlers --> <handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/> - <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> + <!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> --> <handler name="xmlrpc" type="request" class="org.apache.ofbiz.webapp.event.XmlRpcEventHandler"/> <handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/> <handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/> diff --git a/framework/service/config/serviceengine.xml b/framework/service/config/serviceengine.xml index dcd1a80..96bf1e4 100644 --- a/framework/service/config/serviceengine.xml +++ b/framework/service/config/serviceengine.xml @@ -52,10 +52,10 @@ under the License. <engine name="javascript" class="org.apache.ofbiz.service.engine.ScriptEngine"/> <!-- --> <engine name="route" class="org.apache.ofbiz.service.engine.RouteEngine"/> - <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/> + <!-- <engine name="http" class="org.apache.ofbiz.service.engine.HttpEngine"/> --> <engine name="jms" class="org.apache.ofbiz.service.jms.JmsServiceEngine"/> <engine name="rmi" class="org.apache.ofbiz.service.rmi.RmiServiceEngine"/> - <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/> + <!-- <engine name="soap" class="org.apache.ofbiz.service.engine.SOAPClientEngine"/> --> <!-- The engine xml-rpc-local is only used by a test service and for this reason it is configured to run on port 8080. In order to use this in OFBiz change the port accordingly (for demo the default value is 8080) --> 
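Review bot: Commenting out the `soap` handler leaves any controller that still declares `<event type="soap"/>` naming a handler that no longer exists; this push disables the webtools `SOAPService` request-map, but other controller.xml files are not visible here, so a search for remaining `type="soap"` events before merge is worthwhile (what the request handler does with an unknown handler name is not shown on this page). A short note on the disabled line, `<!-- soap handler commented out for security reason, see OFBIZ-12212; re-enable together with the soap engine in serviceengine.xml -->`, would tie the two halves of the change together. The enclosing handlers element is outside the hunk.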
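Review bot: The `rmi` engine line sitting between the two newly disabled engines stays active in this hunk, while the commit message presents the earlier RMI lock-down (OFBIZ-6942) as the model for this change. If that earlier work deliberately left this engine entry in place, a comment beside it such as `<!-- rmi engine kept; the RMI container itself was disabled under OFBIZ-6942 -->` would save the next reader the same question; if not, it looks like a candidate for the same treatment as `http` and `soap`. The enclosing service-engine element is outside the hunk.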
@@ -66,14 +66,14 @@ under the License. </engine> <service-location name="main-rmi" location="rmi://localhost:1099/RMIDispatcher"/> - <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/> - <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/> + <!-- <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/> + <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/> --> <service-location name="entity-sync-rmi" location="rmi://localhost:1099/RMIDispatcher"/> - <service-location name="entity-sync-http" location="https://localhost:8443/webtools/control/httpService"/> + <!-- <service-location name="entity-sync-http" location="https://localhost:8443/webtools/control/httpService"/> --> <service-location name="rita-rmi" location="rmi://localhost:1099/RMIDispatcher"/> - <service-location name="eedcc-test" location="https://localhost:8443/webtools/control/httpService"/> + <!-- <service-location name="eedcc-test" location="https://localhost:8443/webtools/control/httpService"/> --> <!-- default notification group for all services loaded with 'main' loader - uncomment this to enable error notification for all services diff --git a/framework/service/testdef/servicetests.xml b/framework/service/testdef/servicetests.xml index e563a78..54040fc 100644 --- a/framework/service/testdef/servicetests.xml +++ b/framework/service/testdef/servicetests.xml 
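Review bot: The hunk mixes two commenting styles: `main-http` and `main-soap` share one comment spanning two lines, while `entity-sync-http` and `eedcc-test` each get their own `<!-- ... -->`. One comment per line, `<!-- <service-location name="main-http" location="http://localhost:8080/webtools/control/httpService"/> -->` followed by `<!-- <service-location name="main-soap" location="http://localhost:8080/webtools/control/SOAPService"/> -->`, keeps each entry independently re-enableable and avoids a comment boundary that a later single-line edit can break. Service definitions elsewhere that reference these four location names are not visible here; the `main-http`/`main-soap` users in services_test.xml are disabled by this same commit, but `entity-sync-http` and `eedcc-test` are worth checking for remaining references.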
@@ -22,7 +22,7 @@ under the License. xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="http://ofbiz.apache.org/dtds/test-suite.xsd"> <test-case case-name="service-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceEngineTests"/></test-case> - <test-case case-name="service-soap-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceSOAPTests"/></test-case> + <!-- <test-case case-name="service-soap-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceSOAPTests"/></test-case> --> <test-case case-name="service-entity-auto-tests"><junit-test-suite class-name="org.apache.ofbiz.service.test.ServiceEntityAutoTests"/></test-case> <test-case case-name="load-service-test-data"> diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml b/framework/webtools/webapp/webtools/WEB-INF/controller.xml index 4ded5c7..4d39271 100644 --- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml +++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml @@ -86,7 +86,8 @@ under the License. </request-map> <!-- Begin Utility Requests --> - <request-map uri="httpService"> + <!-- The 2 services below have been commented out for security reason, see OFBIZ-12212 --> + <!-- <request-map uri="httpService"> <event type="java" path="org.apache.ofbiz.service.engine.HttpEngine" invoke="httpEngine"/> <response name="success" type="none"/> <response name="error" type="none"/> @@ -96,7 +97,7 @@ under the License. <event type="soap"/> <response name="error" type="none"/> <response name="success" type="none"/> - </request-map> + </request-map> --> <request-map uri="xmlrpc" track-serverhit="false" track-visit="false"> <security auth="true"/> <event type="xmlrpc"/> |
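Review bot: The added comment `The 2 services below have been commented out for security reason, see OFBIZ-12212` describes request-maps (`httpService` and `SOAPService`) rather than services, and does not say what re-enabling involves, which the commit message itself lists as a requirement. Suggested wording: `<!-- The httpService and SOAPService request-maps below are commented out for security reason, see OFBIZ-12212. To re-enable them, also uncomment the http/soap engines and service-locations in serviceengine.xml and the soap handler in handlers-controller.xml -->`. The comment opens at `<!-- <request-map uri="httpService">` and only closes at `</request-map> -->` in the next hunk; the lines between the two hunks, including the opening tag of the `SOAPService` request-map, are not visible here, so it is worth confirming that none of them contains `--` or an existing comment that would end the block early and leave the rest of the file unbalanced.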