[ofbiz-plugins] 01/02: Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Wed, 19 Feb 2020 05:05:08 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git

commit 17d5c1a1e7740df8cc24aa3502dd10df43b85566
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Feb 19 13:51:12 2020 +0100

    Fixed: The "stream" request-map in ecommerce and commonext controllers
    requires authentication
    (OFBIZ-11349)
    
    Thanks: Michael for reporting a possible issue when only commenting the 
"stream"
    request-map in commonext controller. And Jacopo to suggest to require
    authentication (after suggesting to comment out)
    
    It should be also noted that when the CSRF defense implementation will be in
    place, all XSS vulnerabilities w/o authentication will not longer be 
possible.
    Because then all requests shall contains a CSRF token.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml 
b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index c09031e..4d8c94b 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1834,18 +1834,14 @@ under the License.
         <response name="error" type="view" value="main"/>
     </request-map>
 
-<!--  A vulnerability has been reported to the OFBiz security team. 
-      To be able to release the 17.12.01 version with this vulnerability fixed 
we need to temporarily
-      comment out the "stream" request-map in this controller. We will later 
fix the specific issue to put back the 
-      functionalities allowed by the "stream" request-map in this controller, 
see OFBIZ-11353
-      This will be later be put back with OFBIZ-11349 -->
-<!--     <request-map uri="stream">
+    <request-map uri="stream">
+        <security https="true" auth="true"/>
         <event type="java" path="org.apache.ofbiz.content.data.DataEvents" 
invoke="serveObjectData"/>
         <response name="success" type="none"/>
         <response name="error" type="view" value="error"/>
         <response name="io-error" type="none"/>
     </request-map>
- -->
+
      <request-map uri="showShoppingList">
         <security https="false" auth="false"/>
         <response name="success" type="view" value="showShoppingList" 
save-current-view="true"/>

Reply via email to