[ofbiz-plugins] branch trunk updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[ofbiz-plugins] branch trunk updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

jleroux@apache.org
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 57de034  Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)
57de034 is described below

commit 57de034e1c14fc162a1136a0d1484aa69eadb613
Author: Jacques Le Roux <[hidden email]>
AuthorDate: Thu Feb 13 06:50:51 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
    for security reason
    (OFBIZ-11348)
   
    A vulnerability has been reported to the OFBiz security team. We were able to
    quickly and quietly fix it in supported versions, but in the ecommerce component.
    To be able to release the 17.12.01 version with this vulnerability fixed we need
    to temporarily comment out the "stream" request-map in ecommerce controller.
    We will later fix the specific issue in ecommerce to put back the functionnalities
    allowed by the "stream" request-map in ecommerce controller.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 9760a05..6dc8706 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1820,13 +1820,18 @@ under the License.
         <response name="success" type="view-last" value="main"/>
         <response name="error" type="view" value="main"/>
     </request-map>
-    <request-map uri="stream">
+
+<!--  A vulnerability has been reported to the OFBiz security team. We were able to quickly and quietly fix it in supported versions,
+      but in the ecommerce component. To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily
+      comment out the "stream" request-map in ecommerce controller. We will later fix the specific issue in ecommerce to put back the
+      functionnalities allowed by the "stream" request-map in ecommerce controller.  See OFBIZ-11348 -->
+<!--     <request-map uri="stream">
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
-
+ -->
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" save-current-view="true"/>