[ofbiz-framework] branch release18.12 updated: Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Wed, 19 Feb 2020 04:50:55 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 44edd19  Fixed: The "stream" request-map in ecommerce and commonext 
controllers requires authentication (OFBIZ-11349)
44edd19 is described below

commit 44edd194ee6be4fcbacb8ae9afc1cf2d81d45ea1
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Feb 19 13:48:23 2020 +0100

    Fixed: The "stream" request-map in ecommerce and commonext controllers
    requires authentication
    (OFBIZ-11349)
    
    Thanks: Michael for reporting a possible issue when only commenting the 
"stream"
    request-map in commonext controller. And Jacopo to suggest to require
    authentication (after suggesting to comment out)
    
    It should be also noted that when the CSRF defense implementation will be in
    place, all XSS vulnerabilities w/o authentication will not longer be 
possible.
    Because then all requests shall contains a CSRF token.
---
 applications/commonext/webapp/WEB-INF/controller.xml | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/applications/commonext/webapp/WEB-INF/controller.xml 
b/applications/commonext/webapp/WEB-INF/controller.xml
index 5c4cf7d..b6cf797 100644
--- a/applications/commonext/webapp/WEB-INF/controller.xml
+++ b/applications/commonext/webapp/WEB-INF/controller.xml
@@ -42,13 +42,6 @@ under the License.
         <response name="success" type="view-last"/>
     </request-map>
     
-<!-- A vulnerability has been reported to the OFBiz security team. To be able 
to
-release the 17.12.01 version with this vulnerability fixed we need to require 
-(maybe only temporarily) the "stream" request-map in commonext controller 
-to need authentication.
-We will later check that this has no impact and if necessary remove the 
-mandatory authentication, see OFBIZ-11349
- -->    
 <request-map uri="stream">
     <security https="true" auth="true"/>
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" 
invoke="serveObjectData"/>

Reply via email to