OFBiz › OFBiz - Commits

svn commit: r1846633 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

_‹ Previous Topic Next Topic _›

Classic

List

Threaded

1 message

adityasharma

svn commit: r1846633 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Author: adityasharma
Date: Thu Nov 15 10:44:00 2018
New Revision: 1846633

URL: http://svn.apache.org/viewvc?rev=1846633&view=rev
Log:
Applied fix from trunk for revision: 1846632
===

Fixed: Missing Security and Cache Headers in CMS Events
(OFBIZ-10597)
Instead of having multiple null checks for viewMap separately for each security header we can have a single combined null check at the top in setResponseBrowserDefaultSecurityHeaders() method.

With increasing security headers these may become expensive.

Modified:
ofbiz/ofbiz-framework/branches/release17.12/ (props changed)
ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java

Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov 15 10:44:00 2018
@@ -10,4 +10,4 @@
/ofbiz/branches/json-integration-refactoring:1634077-1635900
/ofbiz/branches/multitenant20100310:921280-927264
/ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632

Modified: ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java?rev=1846633&r1=1846632&r2=1846633&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java (original)
+++ ofbiz/ofbiz-framework/branches/release17.12/framework/base/src/main/java/org/apache/ofbiz/base/util/UtilHttp.java Thu Nov 15 10:44:00 2018
@@ -986,8 +986,11 @@ public final class UtilHttp {
public static void setResponseBrowserDefaultSecurityHeaders(HttpServletResponse resp, ConfigXMLReader.ViewMap viewMap) {
// See https://cwiki.apache.org/confluence/display/OFBIZ/How+to+Secure+HTTP+Headers for details and how to test
String xFrameOption = null;
+ // HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
+ String strictTransportSecurity = null;
if (viewMap != null) {
xFrameOption = viewMap.xFrameOption;
+ strictTransportSecurity = viewMap.strictTransportSecurity;
}
// Default to sameorigin
if (UtilValidate.isNotEmpty(xFrameOption)) {
@@ -998,12 +1001,6 @@ public final class UtilHttp {
resp.addHeader("x-frame-options", "sameorigin");
}

- // HTTP Strict-Transport-Security (HSTS) enforces secure (HTTP over SSL/TLS) connections to the server.
- String strictTransportSecurity = null;
- if (viewMap != null) {
- strictTransportSecurity = viewMap.strictTransportSecurity;
- }
-
// Default to "max-age=31536000; includeSubDomains" 31536000 secs = 1 year
if (UtilValidate.isNotEmpty(strictTransportSecurity)) {
if (!"none".equals(strictTransportSecurity)) {