[ofbiz-plugins] branch trunk updated: Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

[jleroux]

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 57de034  Fixed: Temporarily comment out the "stream" request-map in 
ecommerce controller for security reason (OFBIZ-11348)
57de034 is described below

commit 57de034e1c14fc162a1136a0d1484aa69eadb613
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Feb 13 06:50:51 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in ecommerce 
controller
    for security reason
    (OFBIZ-11348)
    
    A vulnerability has been reported to the OFBiz security team. We were able 
to
    quickly and quietly fix it in supported versions, but in the ecommerce 
component.
    To be able to release the 17.12.01 version with this vulnerability fixed we 
need
    to temporarily comment out the "stream" request-map in ecommerce controller.
    We will later fix the specific issue in ecommerce to put back the 
functionnalities
    allowed by the "stream" request-map in ecommerce controller.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml 
b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 9760a05..6dc8706 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1820,13 +1820,18 @@ under the License.
         <response name="success" type="view-last" value="main"/>
         <response name="error" type="view" value="main"/>
     </request-map>
-    <request-map uri="stream">
+
+<!--  A vulnerability has been reported to the OFBiz security team. We were 
able to quickly and quietly fix it in supported versions, 
+      but in the ecommerce component. To be able to release the 17.12.01 
version with this vulnerability fixed we need to temporarily
+      comment out the "stream" request-map in ecommerce controller. We will 
later fix the specific issue in ecommerce to put back the 
+      functionnalities allowed by the "stream" request-map in ecommerce 
controller.  See OFBIZ-11348 -->
+<!--     <request-map uri="stream">
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" 
invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
-
+ -->
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" 
save-current-view="true"/>