[ofbiz-plugins] branch release18.12 updated (8926d68 -> 6d9314e)


[ofbiz-plugins] branch release18.12 updated (8926d68 -> 6d9314e)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git.


    from 8926d68  Improved: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)
     new 90b2d6c  Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)
     new 6d9314e  Improved: no functional change

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 birt/src/docs/asciidoc/images/OFBiz-Logo.svg      | 41 +++++++++++++++++++++++
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 10 ++----
 ecommerce/webapp/ecomseo/WEB-INF/controller.xml   |  7 ----
 3 files changed, 44 insertions(+), 14 deletions(-)
 create mode 100644 birt/src/docs/asciidoc/images/OFBiz-Logo.svg


[ofbiz-plugins] 01/02: Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git

commit 90b2d6c9bff50bf9796ffd6e09fe31bcb51f7c33
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Wed Feb 19 13:51:12 2020 +0100

    Fixed: The "stream" request-map in ecommerce and commonext controllers
    requires authentication
    (OFBIZ-11349)
   
    Thanks: Michael for reporting a possible issue when only commenting out the "stream"
    request-map in the commonext controller, and Jacopo for suggesting to require
    authentication (after suggesting to comment it out).
   
    It should also be noted that when the CSRF defense implementation is in
    place, all XSS vulnerabilities w/o authentication will no longer be possible,
    because then all requests shall contain a CSRF token.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 130ea4e..40943b9 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1821,18 +1821,14 @@ under the License.
         <response name="error" type="view" value="main"/>
     </request-map>
 
-<!--  A vulnerability has been reported to the OFBiz security team.
-      To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
-      comment out the "stream" request-map in this controller. We will later fix the specific issue to put back the
-      functionalities allowed by the "stream" request-map in this controller, see OFBIZ-11353
-      This will be later be put back with OFBIZ-11349 -->
-<!--     <request-map uri="stream">
+    <request-map uri="stream">
+        <security https="true" auth="true"/>
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
- -->
+
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" save-current-view="true"/>


[ofbiz-plugins] 02/02: Improved: no functional change

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git

commit 6d9314e8bfb63c5f534f71cd0e9043eda7528c44
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Wed Feb 12 16:26:43 2020 +0100

    Improved: no functional change
   
    This was added for OFBIZ-9198 but was superfluous since the same is already in
    the included ecommerce controller
---
 birt/src/docs/asciidoc/images/OFBiz-Logo.svg    | 41 +++++++++++++++++++++++++
 ecommerce/webapp/ecomseo/WEB-INF/controller.xml |  7 -----
 2 files changed, 41 insertions(+), 7 deletions(-)

diff --git a/birt/src/docs/asciidoc/images/OFBiz-Logo.svg b/birt/src/docs/asciidoc/images/OFBiz-Logo.svg
new file mode 100644
index 0000000..6c9a6af
--- /dev/null
+++ b/birt/src/docs/asciidoc/images/OFBiz-Logo.svg
@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+<svg width="1600px" height="750px" viewBox="0 0 1600 750" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <!-- Generator: Sketch 39.1 (31720) - http://www.bohemiancoding.com/sketch -->
+    <title>OFBiz-Logo</title>
+    <desc>Created with Sketch.</desc>
+    <defs>
+        <linearGradient x1="43.0920252%" y1="100%" x2="51.9198469%" y2="0%" id="linearGradient-1">
+            <stop stop-color="#282662" offset="0%"></stop>
+            <stop stop-color="#792B81" offset="25%"></stop>
+            <stop stop-color="#CB2039" offset="50%"></stop>
+            <stop stop-color="#DB4F32" offset="75%"></stop>
+            <stop stop-color="#F69A25" offset="100%"></stop>
+        </linearGradient>
+    </defs>
+    <g id="Page-1" stroke="none" stroke-width="1" fill="none" fill-rule="evenodd">
+        <g id="OFBiz-Logo">
+            <path d="M1254,366.596541 C1254,356.513539 1257.06832,348.893454 1263.20506,343.736057 C1269.3418,338.57866 1278.03,336 1289.26992,336 C1298.70112,336 1305.8713,337.79637 1310.78069,341.389163 C1315.69008,344.981957 1318.14474,350.139277 1318.14474,356.861278 C1318.14474,366.133003 1315.30251,373.637193 1309.61795,379.374073 C1303.93339,385.110953 1295.1483,387.97935 1283.26241,387.97935 C1263.75404,387.97935 1254,380.851818 1254,366.596541 L1254,366.596541 L1254,366.596541 Z [...]
+            <path d="M497.643967,164.64682 C650.145968,122.220991 772.408371,153.533209 780.378034,242.933073 C782.714022,269.174369 774.96919,297.784584 759.071547,326.874947 L834.599576,326.870159 C852.802343,295.102316 863.89684,258.359488 861.527095,229.422426 C852.813704,123.34646 694.945422,90.6127419 498.320856,147.915732 L498.854439,134.726798 C499.367546,121.057066 478.324364,116.837941 451.798072,125.241481 C425.311324,133.70287 403.357666,151.602332 402.792477,165.250853 L402. [...]
+            <path d="M1520.01325,412 C1523.3709,412 1526.64898,412.861489 1529.84758,414.584493 C1533.04618,416.307497 1535.53787,418.772681 1537.32273,421.980119 C1539.10759,425.187557 1540,428.531902 1540,432.013254 C1540,435.459262 1539.12084,438.772681 1537.36249,441.953612 C1535.60414,445.134542 1533.13896,447.604144 1529.96687,449.362492 C1526.79477,451.120839 1523.47693,452 1520.01325,452 C1516.54957,452 1513.23174,451.120839 1510.05964,449.362492 C1506.88755,447.604144 1504.41795 [...]
+            <path d="M887.325646,300.366454 L875.672642,326.731376 L863,326.731376 L909.830511,222.291325 L922.211828,222.291325 L968.896676,326.731376 L955.932709,326.731376 L944.279705,300.366454 L887.325646,300.366454 Z M915.657013,235.910774 L892.423836,288.859112 L939.254347,288.859112 L915.657013,235.910774 Z M1054.58267,231.468066 C1061.6959,237.585924 1065.25246,246.228482 1065.25246,257.396 C1065.25246,268.951954 1061.6959,277.897973 1054.58267,284.234326 C1047.46945,290.570679  [...]
+        </g>
+    </g>
+</svg>
\ No newline at end of file
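Review bot: this new SVG is not mentioned anywhere in the commit message, which only describes removing a superfluous request-map, so the logo should either get its own sentence in the message or its own commit; as it stands, `git log -- birt/` will point readers at a controller cleanup. The file also ends without a trailing newline (the "\ No newline at end of file" marker); adding one keeps later diffs clean. On content, the visible lines contain only a title, a desc, one linearGradient and path elements, with no script element and no external references beyond the xmlns declarations, which is what you want for an asset embedded in documentation.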
diff --git a/ecommerce/webapp/ecomseo/WEB-INF/controller.xml b/ecommerce/webapp/ecomseo/WEB-INF/controller.xml
index 1027bba..6d130ac 100644
--- a/ecommerce/webapp/ecomseo/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecomseo/WEB-INF/controller.xml
@@ -28,11 +28,4 @@ under the License.
     
     <handler name="jsp" type="view" class="org.apache.ofbiz.ecommerce.webapp.view.JspViewHandler"/>
     
-    <request-map uri="stream">
-        <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
-        <response name="success" type="none"/>
-        <response name="error" type="none"/>
-        <response name="io-error" type="none"/>
-    </request-map>
-    
 </site-conf>
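Review bot: "no functional change" does not quite hold for ecomseo: the block removed here had no `<security>` element and mapped "error" to type="none", whereas the "stream" request-map in the included ecommerce controller (after commit 01/02 above) carries `<security https="true" auth="true"/>` and maps "error" to the "error" view, so ecomseo's /stream now requires HTTPS and an authenticated user and renders an error page instead of an empty response. That is the intended hardening, but the message should state that ecomseo's behaviour changes rather than presenting this as a pure de-duplication.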