This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a change to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

    from e111f19  Improved: Convert InventoryTests.xml to Groovy (OFBIZ-11851)
     new c5cb927  Documented: POC for CSRF Token (CVE-2019-0235) (OFBIZ-11306)
     new 0176270  Improved: Adds information to install without the demo data

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.

Summary of changes:
 INSTALL                            | 10 ++++++++++
 framework/webapp/dtd/site-conf.xsd |  8 ++++++++
 2 files changed, 18 insertions(+)
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit c5cb927124528c06e80fcb8096ab954684436f7e Author: Jacques Le Roux <[hidden email]> AuthorDate: Tue Jul 7 19:02:15 2020 +0200 Documented: POC for CSRF Token (CVE-2019-0235) (OFBIZ-11306) Clarifies the behaviour of csrf-token Thanks: James Yong --- framework/webapp/dtd/site-conf.xsd | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/framework/webapp/dtd/site-conf.xsd b/framework/webapp/dtd/site-conf.xsd index 01d0046..44d98a5 100644 --- a/framework/webapp/dtd/site-conf.xsd +++ b/framework/webapp/dtd/site-conf.xsd @@ -309,6 +309,14 @@ under the License. <xs:annotation> <xs:documentation> If true csrf token is expected. If false no csrf token check. Default to "". + + When csrf-token is empty or not set, the behaviour should be determined by + CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy). + + When csrf-token is explicitly set to either true or false, + CsrfDefenseStrategy class (or another implementation of ICsrfDefenseStrategy) + should follow the setting. + So if true, csrf token is expected. If false, no csrf token check. </xs:documentation> </xs:annotation> <xs:simpleType> |
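Review bot: The added documentation in the site-conf.xsd hunk leaves the security-relevant case open. For an empty or unset csrf-token it says the behaviour "should be determined by CsrfDefenseStrategy class", but it does not say what that class decides, so someone reading only the schema cannot tell whether an unset attribute results in a token check. Suggest stating the outcome for the unset case, or naming where it is documented. Two smaller points in the same block: "should" reads as a requirement on implementers rather than a description of what happens, so say which is meant; and the last added line ("So if true, csrf token is expected. If false, no csrf token check.") repeats the unchanged first sentence of the documentation almost word for word, so one of the two can go.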
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 0176270d88d2f30039a0bf11316c659d0805f89d Author: Jacques Le Roux <[hidden email]> AuthorDate: Wed Jul 8 10:21:24 2020 +0200 Improved: Adds information to install without the demo data --- INSTALL | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/INSTALL b/INSTALL index 6327120..4670969 100644 --- a/INSTALL +++ b/INSTALL @@ -36,6 +36,16 @@ _______________________________________________________________________________ MS Windows: gradlew cleanAll loadAll Unix-like OS: ./gradlew cleanAll loadAll +=====Note: +As the later step, to install without the demo data follow: +(beware this is for development or production, not trying) + +Windows: gradlew cleanAll "ofbiz --load-data readers=seed,seed-initial" loadAdminUserLogin -PuserLoginId=admin +Unix-like OS: ./gradlew cleanAll "ofbiz --load-data readers=seed,seed-initial" loadAdminUserLogin -PuserLoginId=admin + +The OFBiz install will be empty, there will be no chart of accounts, no transactions, no products, no customers and no suppliers. +You can't log to the E-Commerce Store. You will get: "A Product Store has not been defined for this ecommerce site. A Product Store can be created using the ofbizsetup wizard." + === Start OFBiz: MS Windows: gradlew ofbiz |
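Review bot: The added note in the INSTALL hunk says the command is "for development or production" and creates a login with `-PuserLoginId=admin`, but it does not say what initial password that login gets or that it should be changed before the instance is exposed; for a note that explicitly covers production installs, that belongs next to the command. The wording also needs a pass: "As the later step" does not say which step this replaces or follows (it appears to be an alternative to the `cleanAll loadAll` line just above), "not trying" is unclear (presumably "not for trying OFBiz out"), and "You can't log to the E-Commerce Store" should read "log in to". The `=====Note:` heading does not match the `=== Start OFBiz:` style used by the surrounding sections.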