[ofbiz-plugins] branch release17.12 updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-plugins] branch release17.12 updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 483dba4  Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)
483dba4 is described below

commit 483dba49a0f5bbe7456c1ed9002cb10e2794a2cd
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Thu Feb 13 06:50:51 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
    for security reason
    (OFBIZ-11348)
   
    A vulnerability has been reported to the OFBiz security team. We were able to
    quickly and quietly fix it in supported versions, but in the ecommerce component.
    To be able to release the 17.12.01 version with this vulnerability fixed we need
    to temporarily comment out the "stream" request-map in ecommerce controller.
    We will later fix the specific issue in ecommerce to put back the functionnalities
    allowed by the "stream" request-map in ecommerce controller.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index b193392..3afb377 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1833,13 +1833,18 @@ under the License.
         <response name="success" type="view-last" value="main"/>
         <response name="error" type="view" value="main"/>
     </request-map>
-    <request-map uri="stream">
+
+<!--  A vulnerability has been reported to the OFBiz security team. We were able to quickly and quietly fix it in supported versions,
+      but in the ecommerce component. To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
+      comment out the "stream" request-map in ecommerce controller. We will later fix the specific issue in ecommerce to put back the
+      functionnalities allowed by the "stream" request-map in ecommerce controller.  See OFBIZ-11348 -->
+<!--     <request-map uri="stream">
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
-
+ -->
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" save-current-view="true"/>