[ofbiz-plugins] branch release18.12 updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)


jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new bd600a3  Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)
bd600a3 is described below

commit bd600a3dd48c80202cc6d5e9f1a40c7e72a6f8f9
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Thu Feb 13 06:50:51 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
    for security reason
    (OFBIZ-11348)
   
    A vulnerability has been reported to the OFBiz security team. We were able to
    quickly and quietly fix it in supported versions, but in the ecommerce component.
    To be able to release the 17.12.01 version with this vulnerability fixed we need
    to temporarily comment out the "stream" request-map in ecommerce controller.
    We will later fix the specific issue in ecommerce to put back the functionalities
    allowed by the "stream" request-map in ecommerce controller.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index ae2552b..4a00dce 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1820,13 +1820,18 @@ under the License.
         <response name="success" type="view-last" value="main"/>
         <response name="error" type="view" value="main"/>
     </request-map>
-    <request-map uri="stream">
+
+<!--  A vulnerability has been reported to the OFBiz security team. We were able to quickly and quietly fix it in supported versions,
+      but in the ecommerce component. To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
+      comment out the "stream" request-map in ecommerce controller. We will later fix the specific issue in ecommerce to put back the
+      functionnalities allowed by the "stream" request-map in ecommerce controller.  See OFBIZ-11348 -->
+<!--     <request-map uri="stream">
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
-
+ -->
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" save-current-view="true"/>
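Review bot: Commenting out the whole `stream` request-map (lines `-    <request-map uri="stream">` through ` -->`) removes the URI without touching whatever in ecommerce still builds links to it, so those callers now hit an unmapped request; since the commit message itself says the functionality is only temporarily withdrawn, the references that break should be listed in OFBIZ-11348 so the follow-up restore knows what to re-test. Two smaller points on the same hunk: the disabled map carried no explicit `<security>` element, unlike the neighbouring `showShoppingList` map with `<security https="false" auth="false"/>`, so when it is restored an explicit `<security>` line would make its intended access level readable in the file rather than implied by defaults; and the multi-line rationale duplicated from the commit message could be reduced to a one-line `<!-- disabled pending OFBIZ-11348 -->` marker, with the `<!--` and `-->` lines indented like the surrounding request-maps.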