Author: jleroux
Date: Sat Jan 11 20:36:39 2014 New Revision: 1557465 URL: http://svn.apache.org/r1557465 Log: "Applied fix from trunk for revision: 1557462 " (2 conflicts handled by hand) ------------------------------------------------------------------------ r1557462 | jleroux | 2014-01-11 21:26:30 +0100 (sam. 11 janv. 2014) | 4 lignes A modified patch from Gareth Carter for "JSON Response does not set http status on error" https://issues.apache.org/jira/browse/OFBIZ-5409 This is rather a defensive patch which secures JSON responses on service calls. It might need some changes in custom code if (not recommended) an Ajax GET response is used... The util.js script is introduced for that, though normally it should not be needed... ------------------------------------------------------------------------ Added: ofbiz/branches/release11.04/framework/images/webapp/images/util.js (with props) Modified: ofbiz/branches/release11.04/ (props changed) ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml Propchange: ofbiz/branches/release11.04/ ------------------------------------------------------------------------------ Merged /ofbiz/trunk:r1557462 Modified: ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java?rev=1557465&r1=1557464&r2=1557465&view=diff ============================================================================== --- ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java (original) +++ 
ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java Sat Jan 11 20:36:39 2014
@@ -68,7 +68,21 @@ public class CommonEvents {
 public static final String module = CommonEvents.class.getName();
- public static UtilCache<String, Map<String, String>> appletSessions = UtilCache.createUtilCache("AppletSessions", 0, 600000, true);
+ static final String[] ignoreAttrs = new String[] { // Removed for security reason; _ERROR_MESSAGE_ is kept
+ "javax.servlet.request.key_size",
+ "_CONTEXT_ROOT_",
+ "_FORWARDED_FROM_SERVLET_",
+ "javax.servlet.request.ssl_session",
+ "javax.servlet.request.ssl_session_id",
+ "multiPartMap",
+ "javax.servlet.request.cipher_suite",
+ "targetRequestUri",
+ "_SERVER_ROOT_URL_",
+ "_CONTROL_PATH_",
+ "thisRequestUri"
+ };
+
+ private static final UtilCache<String, Map<String, String>> appletSessions = UtilCache.createUtilCache("AppletSessions", 0, 600000, true);
 public static String checkAppletRequest(HttpServletRequest request, HttpServletResponse response) {
 Delegator delegator = (Delegator) request.getAttribute("delegator");
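Review bot: `ignoreAttrs` is a denylist, so any request attribute that is not named in it — including attributes set by other events chained ahead of `json`, or names introduced after this list was written — is still serialized into the response; the controller comment added in the same commit says the goal is to keep only the called service's attributes, which an allowlist keyed on the service's output parameters would express directly. Whether `UtilHttp.getJSONAttributeMap` already drops anything is not visible here, so the completeness of the list cannot be judged from this hunk. The array is also package-visible and mutable; `private static final String[] ignoreAttrs = {` keeps other classes from reaching in and replacing entries. I would replace the terse trailing comment with one that states the contract: `// Denylist applied on top of UtilHttp.getJSONAttributeMap(); attributes NOT listed here are still sent to the client (OFBIZ-5409). _ERROR_MESSAGE_ is deliberately kept.`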
@@ -266,22 +280,39 @@ public class CommonEvents {
 public static String jsonResponseFromRequestAttributes(HttpServletRequest request, HttpServletResponse response) {
 // pull out the service response from the request attribute
+ Map<String, Object> attrMap = UtilHttp.getJSONAttributeMap(request);
+ for (String ignoreAttr : ignoreAttrs) {
+ if (attrMap.containsKey(ignoreAttr)) {
+ attrMap.remove(ignoreAttr);
+ }
+ }
+ // create a JSON Object for return
 JSONObject json = JSONObject.fromObject(attrMap);
- writeJSONtoResponse(json, response);
+ writeJSONtoResponse(json, request.getMethod(), response);
 return "success";
 }
- private static void writeJSONtoResponse(JSON json, HttpServletResponse response) {
+ private static void writeJSONtoResponse(JSON json, String httpMethod, HttpServletResponse response) {
 String jsonStr = json.toString();
 if (jsonStr == null) {
 Debug.logError("JSON Object was empty; fatal error!", module);
 return;
 }
+ // This was added for security reason (OFBIZ-5409), you might need to remove the "//" prefix when handling the JSON response
+ // Though normally you simply have to access the data you want, so should not be annoyed by the "//" prefix
+ if ("GET".equalsIgnoreCase(httpMethod)) {
+ Debug.logWarning("for security reason (OFBIZ-5409) the the '//' prefix was added handling the JSON response. " +
+ "Normally you simply have to access the data you want, so should not be annoyed by the '//' prefix." +
+ "You might need to remove it if you use Ajax GET responses (not recommended)." +
+ "In case, the util.js scrpt is there to help you", module);
+ jsonStr = "//" + jsonStr;
+ }
+
 // set the X-JSON content type
 response.setContentType("application/x-json");
 // jsonStr.length is not reliable for unicode characters
@@ -338,7 +369,7 @@ public class CommonEvents {
 }
 }
- writeJSONtoResponse(jsonUiLabel, response);
+ writeJSONtoResponse(jsonUiLabel, request.getMethod(), response);
 return "success";
 }
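Review bot: The GET branch in `writeJSONtoResponse` prefixes the body with `//` but leaves `Content-Type: application/x-json` untouched, so a client that does not run util.js (or calls `$.ajax` without `dataType: 'json'`) receives a body that is not parseable JSON; that is the intended effect for GET, but the method has no comment saying so, and the `Debug.logWarning` fires on every GET JSON response, which will flood the log — `Debug.logVerbose` or a one-time notice fits better, and the message itself has typos (`the the`, `scrpt`) and no spaces between the concatenated fragments. OFBIZ-5409 is titled "JSON Response does not set http status on error", yet nothing in this hunk calls `response.setStatus(...)` when `_ERROR_MESSAGE_` is present; if that part was dropped from the modified patch the commit message should say so, and if it lives elsewhere a pointer would help. In `jsonResponseFromRequestAttributes` the `containsKey` test is redundant — `attrMap.remove(ignoreAttr);` alone does the same. `writeJSONtoResponse` continues past the end of the hunk.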
@@ -378,7 +409,7 @@ public class CommonEvents {
 }
 }
- writeJSONtoResponse(jsonUiLabel, response);
+ writeJSONtoResponse(jsonUiLabel, request.getMethod(), response);
 return "success";
 }
@@ -439,8 +470,7 @@ public class CommonEvents {
 int charDim = Math.max(maxAdvance, fontHeight);
 int halfCharDim = (charDim / 2);
- BufferedImage charImage =
- new BufferedImage(charDim, charDim, BufferedImage.TYPE_INT_ARGB);
+ BufferedImage charImage = new BufferedImage(charDim, charDim, BufferedImage.TYPE_INT_ARGB);
 Graphics2D charGraphics = charImage.createGraphics();
 charGraphics.translate(halfCharDim, halfCharDim);
 double angle = (Math.random() - 0.5) * rotationRange;
Modified: ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml Sat Jan 11 20:36:39 2014
@@ -185,7 +185,7 @@ under the License.
 </request-map>
 <!-- Common json reponse events, chain these after events to send json reponses -->
- <!-- Standard json response, uses all compatible request attributes -->
+ <!-- Standard json response, For security reason (OFBIZ-5409) tries to keep only the initially called service attributes -->
 <request-map uri="json">
 <security direct-request="false"/>
 <event type="java" path="org.ofbiz.common.CommonEvents" invoke="jsonResponseFromRequestAttributes"/>
Modified: ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml (original)
+++ ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml Sat Jan 11 20:36:39 2014
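Review bot: The new comment says the `json` response "tries to keep only the initially called service attributes", but `jsonResponseFromRequestAttributes` (CommonEvents.java in this same commit) serializes every request attribute except a fixed denylist, so the wording overstates the guarantee; a maintainer chaining another event before `json` would reasonably expect its attributes to be excluded, and they are not. I would state the mechanism instead: `<!-- Standard json response: serializes the request attributes minus a fixed denylist (CommonEvents.ignoreAttrs, OFBIZ-5409); chain it directly after the service event so only that service's attributes are present -->`. The same wording is repeated in the ecommerce and webpos controllers below and should be updated together.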
@@ -165,7 +165,8 @@ under the License.
 <set field="layoutSettings.javaScripts[]" value="/images/GooglemapMarkers.js" global="true"/>
 <set field="layoutSettings.javaScripts[]" value="/images/getDependentDropdownValues.js" global="true"/>
 <set field="layoutSettings.javaScripts[]" value="/images/selectMultipleRelatedValues.js" global="true"/>
-
+ <set field="layoutSettings.javaScripts[]" value="/images/util.js" global="true" />
+
 <set field="layoutSettings.commonHeaderImageLinkUrl" from-field="layoutSettings.commonHeaderImageLinkUrl" default-value="main" global="true"/>
 <set field="visualThemeId" from-field="userPreferences.VISUAL_THEME" global="true"/>
 <service service-name="getVisualThemeResources">
Added: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/images/webapp/images/util.js?rev=1557465&view=auto
==============================================================================
--- ofbiz/branches/release11.04/framework/images/webapp/images/util.js (added)
+++ ofbiz/branches/release11.04/framework/images/webapp/images/util.js Sat Jan 11 20:36:39 2014
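Review bot: util.js is registered here only through `layoutSettings.javaScripts[]` in the common screens, while the `json` request-map change that makes GET responses depend on it is also applied to the ecommerce and webpos controllers in this commit; if those webapps use their own decorators rather than this list (I cannot tell from the hunk), their GET Ajax calls will receive the `//`-prefixed body with nothing to strip it. Worth confirming, and worth a comment on the new line: `<!-- util.js strips the "//" prefix CommonEvents.writeJSONtoResponse adds to GET JSON responses (OFBIZ-5409) -->`.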
@@ -0,0 +1,21 @@
+jQuery.ajaxSetup({
+ dataFilter: function(data, type) {
+ var prefixes = ['//', 'while(true);', 'for(;;);'],
+ i,
+ l,
+ pos;
+
+ if (type != 'json' && type != 'jsonp') {
+ return data;
+ }
+
+ for (i = 0, l = prefixes.length; i < l; i++) {
+ pos = data.indexOf(prefixes[i]);
+ if (pos === 0) {
+ return data.substring(prefixes[i].length);
+ }
+ }
+
+ return data;
+ }
+});
Propchange: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
------------------------------------------------------------------------------
svn:eol-style = native
Propchange: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
------------------------------------------------------------------------------
svn:keywords = Date Rev Author URL Id
Propchange: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
------------------------------------------------------------------------------
svn:mime-type = text/plain
Modified: ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml (original)
+++ ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml Sat Jan 11 20:36:39 2014
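Review bot: The `type != 'json' && type != 'jsonp'` guard in `dataFilter` sees the `dataType` the caller passed to `$.ajax`, not the type jQuery infers afterwards from the response `Content-Type`, so a GET call that omits `dataType` and relies on auto-detection keeps the `//` prefix and its JSON parse then fails; this should be verified against the bundled jQuery version and stated in a comment. Because the filter is installed through `jQuery.ajaxSetup`, any call that supplies its own `dataFilter` replaces it and silently loses the stripping as well. `while(true);` and `for(;;);` are never emitted by `writeJSONtoResponse`, so those entries are dead unless another producer is expected. The file has no header; I would add `// Strips the anti-JSON-hijacking prefix that CommonEvents.writeJSONtoResponse adds to GET responses (OFBIZ-5409). Only active when the caller passes dataType 'json' or 'jsonp'.` and use `!==` for consistency with the `=== 0` below.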
@@ -162,7 +162,7 @@ under the License.
 </request-map>
 <!-- Common json reponse events, chain these after events to send json reponses -->
- <!-- Standard json response, uses all compatible request attributes -->
+ <!-- Standard json response, For security reason (OFBIZ-5409) tries to keep only the initially called service attributes -->
 <request-map uri="json">
 <security direct-request="false"/>
 <event type="java" path="org.ofbiz.common.CommonEvents" invoke="jsonResponseFromRequestAttributes"/>
Modified: ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml (original)
+++ ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml Sat Jan 11 20:36:39 2014
@@ -96,7 +96,7 @@
 <!-- End of Security Mappings -->
 <!-- Common json reponse events, chain these after events to send json reponses -->
- <!-- Standard json response, uses all compatible request attributes -->
+ <!-- Standard json response, For security reason (OFBIZ-5409) tries to keep only the initially called service attributes -->
 <request-map uri="json">
 <security direct-request="false"/>
 <event type="java" path="org.ofbiz.common.CommonEvents" invoke="jsonResponseFromRequestAttributes"/> |