[ofbiz-plugins] branch trunk updated: Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
Locked
[ofbiz-plugins] branch trunk updated: Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
 
|
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git The following commit(s) were added to refs/heads/trunk by this push: new a343812 Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212) a343812 is described below commit a3438121d8f50545b3a5c397c589fe97ca33202b Author: Jacques Le Roux <[hidden email]> AuthorDate: Mon Mar 29 13:13:55 2021 +0200 Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212) The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past. Of cause it must be clearly documented how to use them if needed. Here is the email content: After the recent fix for the CVE-2021-26295[1] we discussed with the security team about the opportunity need to comment out the SOAP and HTTP engines like we did in the past for RMI[2], this obviously for security reason. [1] OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)" [2] OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] " I just put a small comment in webtools and scrumm controllers, it should be enough. The tests pass --- ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 4 ++-- scrum/servicedef/services.xml | 11 ++++++----- 2 files changed, 8 insertions(+), 7 deletions(-) diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml index e13af94..200f829 100644 --- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml +++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml @@ -26,7 +26,7 @@ under the License. <handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/> <handler name="groovy" type="request" class="org.apache.ofbiz.webapp.event.GroovyEventHandler"/> - <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> + <!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> --> <handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/> <handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/> <handler name="simple" type="request" class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/> @@ -136,7 +136,7 @@ under the License. <request-map uri="setSessionLocale"> <security https="false" auth="false"/> <event type="java" path="org.apache.ofbiz.common.CommonEvents" invoke="setSessionLocale"/> - <response name="success" type="request-redirect" value="fromSetSessionLocale"/> + <response name="success" type="request-redirect" value="fromSetSessionLocale"/> <response name="error" type="view" value="main"/> </request-map> diff --git a/scrum/servicedef/services.xml b/scrum/servicedef/services.xml index b3d205f..f732fea 100644 --- a/scrum/servicedef/services.xml +++ b/scrum/servicedef/services.xml @@ -221,14 +221,14 @@ under the License. <service name="checkSprintStatus" engine="simple" auth="true" location="component://scrum/minilang/ScrumServices.xml" invoke="checkSprintStatus"> </service> - <service name="checkScrumPlanHour" engine="simple" auth="true" + <service name="checkScrumPlanHour" engine="simple" auth="true" location="component://scrum/minilang/ScrumServices.xml" invoke="checkScrumPlanHour"> <attribute name="workEffortId" type="String" mode="IN" optional="true"/> <attribute name="custRequestId" type="String" mode="IN" optional="true"/> <attribute name="planHours" type="Double" mode="IN" optional="true"/> <attribute name="allow" type="Boolean" mode="OUT" optional="false"/> </service> - <service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true" + <service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true" location="component://scrum/minilang/ScrumServices.xml" invoke="reOrderProductBacklogItemSequenceNumber"> <attribute name="productId" type="String" mode="IN" optional="false"/> </service> @@ -245,10 +245,11 @@ under the License. <attribute name="custRequestStatusId" mode="IN" type="String" optional="true"/> <attribute name="webSiteId" mode="IN" type="String" optional="true"/><!-- for notification services --> </service> - <service name="updateScrumRevision" engine="soap" export="true" + <!-- The service below has been commented out for security reason, see OFBIZ-12212 --> + <!-- <service name="updateScrumRevision" engine="soap" export="true" location="http://www.example.com/webtools/control/SOAPService" invoke="updateScrumRevisionChange"> <implements service="updateScrumRevisionChange"/> - </service> + </service> --> <service name="updateScrumRevisionChange" engine="simple" export="true" validate="false" require-new-transaction="true" location="component://scrum/minilang/ScrumServices.xml" invoke="updateScrumRevisionChange"> <description>Update Scrum Revision Change</description> @@ -281,7 +282,7 @@ under the License. <service name="linkToProduct" engine="java" auth="true" location="org.apache.ofbiz.scrum.ScrumServices" invoke="linkToProduct"> - <description>check when a comunication event is created if the subject contains the PD# string, if so + <description>check when a comunication event is created if the subject contains the PD# string, if so try to find the customer request and link it to the communication event.. </description> <attribute name="communicationEventId" type="String" mode="IN" optional="false"/> |
«
Return to OFBiz - Commits
|
1 view|%1 views
| Free forum by Nabble | Edit this page |