This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release17.12 by this push:
     new 483dba4  Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)
483dba4 is described below

commit 483dba49a0f5bbe7456c1ed9002cb10e2794a2cd
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Thu Feb 13 06:50:51 2020 +0100

    Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
    for security reason
    (OFBIZ-11348)
    
    A vulnerability has been reported to the OFBiz security team. We were able to
    quickly and quietly fix it in supported versions, but in the ecommerce component.
    To be able to release the 17.12.01 version with this vulnerability fixed we need
    to temporarily comment out the "stream" request-map in ecommerce controller.
    We will later fix the specific issue in ecommerce to put back the functionalities
    allowed by the "stream" request-map in ecommerce controller.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml 
b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index b193392..3afb377 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1833,13 +1833,18 @@ under the License.
         <response name="success" type="view-last" value="main"/>
         <response name="error" type="view" value="main"/>
     </request-map>
-    <request-map uri="stream">
+
+<!--  A vulnerability has been reported to the OFBiz security team. We were 
able to quickly and quietly fix it in supported versions, 
+      but in the ecommerce component. To be able to release the 17.12.01 
version with this vulnerability fixed we need to temporarily
+      comment out the "stream" request-map in ecommerce controller. We will 
later fix the specific issue in ecommerce to put back the 
+      functionnalities allowed by the "stream" request-map in ecommerce 
controller.  See OFBIZ-11348 -->
+<!--     <request-map uri="stream">
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" 
invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
-
+ -->
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" 
save-current-view="true"/>
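Review bot: the disabled `stream` request-map carries no `<security .../>` element, unlike the adjacent `showShoppingList` map, which declares `<security https="false" auth="false"/>`; when the map is restored under OFBIZ-11348, declare its `https`/`auth` requirements explicitly rather than relying on the controller default, so the intended access policy for `serveObjectData` is visible in the file. Two smaller points: the two-paragraph explanation duplicates the commit message almost verbatim and could be shortened to a one-line pointer ("Disabled pending OFBIZ-11348; see commit 483dba4") so the controller stays readable, and the change silently removes the blank line before `showShoppingList` (the `-` line after `</request-map>`) while adding a new one before the comment, which is harmless but should be kept consistent with the surrounding spacing. Nothing in the hunk shows whether other ecommerce screens or templates still link to the `stream` URI; a follow-up to grep the component for references to that request is worth tracking on the same ticket so that callers do not now hit an unknown request.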
