This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 72d1995 Fixed: Temporarily comment out the "stream" request-map in
commonext controller for security reason (OFBIZ-11353)
72d1995 is described below
commit 72d1995d39ec43c7f65b934c0b1d469caf518679
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Feb 19 09:34:50 2020 +0100
Fixed: Temporarily comment out the "stream" request-map in commonext
controller
for security reason
(OFBIZ-11353)
A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
require
(maybe only temporarily) the "stream" request-map in commonext controller
to need authentication.
We will later check that this has no impact and if necessary remove the
mandatory authentication, see OFBIZ-11349
---
applications/commonext/webapp/WEB-INF/controller.xml | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/applications/commonext/webapp/WEB-INF/controller.xml
b/applications/commonext/webapp/WEB-INF/controller.xml
index 207581f..5c4cf7d 100644
--- a/applications/commonext/webapp/WEB-INF/controller.xml
+++ b/applications/commonext/webapp/WEB-INF/controller.xml
@@ -42,16 +42,19 @@ under the License.
<response name="success" type="view-last"/>
</request-map>
-<!-- A vulnerability has been reported to the OFBiz security team.
- To be able to release the 17.12.01 version with this vulnerability fixed
we need to temporarily
- comment out the "stream" request-map in this controller. We will later
fix the specific issue to put back the
- functionalities allowed by the "stream" request-map in this controller,
see OFBIZ-11353
- This will be later be put back with OFBIZ-11349 -->
-<!-- <request-map uri="stream">
+<!-- A vulnerability has been reported to the OFBiz security team. To be able
to
+release the 17.12.01 version with this vulnerability fixed we need to require
+(maybe only temporarily) the "stream" request-map in commonext controller
+to need authentication.
+We will later check that this has no impact and if necessary remove the
+mandatory authentication, see OFBIZ-11349
+ -->
+<request-map uri="stream">
+ <security https="true" auth="true"/>
<event type="java" path="org.apache.ofbiz.content.data.DataEvents"
invoke="serveObjectData"/>
<response name="success" type="none"/>
<response name="error" type="view" value="error"/>
<response name="io-error" type="none"/>
- </request-map> -->
+ </request-map>
</site-conf>
