Clone Tools
  • last updated 25 mins ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Fixed: One page checkout is broken because of ordermgr::getAssociatedStateList (OFBIZ-11838)

On orderview screen at the ordermgr, when a user tries to change the status of

the order, in OrderInfo.ftl, we are calling "changeOrderStatus" request as

<@ofbizUrl>changeOrderStatus/orderview</@ofbizUrl>

Hence when the request is done, it is rewriting URL to

https://localhost:8443/ordermgr/control/changeOrderStatus/orderview.

When js functions running in the backend like "getAssociatedStateList" are

called, they are getting the wrong URL to send a request to. This was causing

the issue.

For now, there are two different fixes that can handle both problems which are

mentioned in OFBIZ-2562 and OFBIZ-11838.

1.

To change the request mapping for "changeOrderStatus" and add request-redirect

to "orderview" screen. Change the actions in the forms in OrderInfo.ftl to

call "changeOrderStatus" request only and then remove code in

"getAssociatedStateList" js function to rewrite URL.

2.

To add .length to the existing URL rewrite code written in

"getAssociatedStateList" js function as

if (jQuery('#orderViewed').length) {

requestToSend = "/ordermgr/control/getAssociatedStateList"

}

Thanks: Pritam Kute!

I picked the 2nd solution

    • -1
    • +1
    ./webapp/ordermgr-js/geoAutoCompleter.js
Fixed: One page checkout is broken because of ordermgr::getAssociatedStateList (OFBIZ-11838)

On orderview screen at the ordermgr, when a user tries to change the status of

the order, in OrderInfo.ftl, we are calling "changeOrderStatus" request as

<@ofbizUrl>changeOrderStatus/orderview</@ofbizUrl>

Hence when the request is done, it is rewriting URL to

https://localhost:8443/ordermgr/control/changeOrderStatus/orderview.

When js functions running in the backend like "getAssociatedStateList" are

called, they are getting the wrong URL to send a request to. This was causing

the issue.

For now, there are two different fixes that can handle both problems which are

mentioned in OFBIZ-2562 and OFBIZ-11838.

1.

To change the request mapping for "changeOrderStatus" and add request-redirect

to "orderview" screen. Change the actions in the forms in OrderInfo.ftl to

call "changeOrderStatus" request only and then remove code in

"getAssociatedStateList" js function to rewrite URL.

2.

To add .length to the existing URL rewrite code written in

"getAssociatedStateList" js function as

if (jQuery('#orderViewed').length) {

requestToSend = "/ordermgr/control/getAssociatedStateList"

}

Thanks: Pritam Kute!

I picked the 2nd solution

    • -1
    • +1
    ./webapp/ordermgr-js/geoAutoCompleter.js
Fixed: One page checkout is broken because of ordermgr::getAssociatedStateList (OFBIZ-11838)

On orderview screen at the ordermgr, when a user tries to change the status of

the order, in OrderInfo.ftl, we are calling "changeOrderStatus" request as

<@ofbizUrl>changeOrderStatus/orderview</@ofbizUrl>

Hence when the request is done, it is rewriting URL to

https://localhost:8443/ordermgr/control/changeOrderStatus/orderview.

When js functions running in the backend like "getAssociatedStateList" are

called, they are getting the wrong URL to send a request to. This was causing

the issue.

For now, there are two different fixes that can handle both problems which are

mentioned in OFBIZ-2562 and OFBIZ-11838.

1.

To change the request mapping for "changeOrderStatus" and add request-redirect

to "orderview" screen. Change the actions in the forms in OrderInfo.ftl to

call "changeOrderStatus" request only and then remove code in

"getAssociatedStateList" js function to rewrite URL.

2.

To add .length to the existing URL rewrite code written in

"getAssociatedStateList" js function as

if (jQuery('#orderViewed').length) {

requestToSend = "/ordermgr/control/getAssociatedStateList"

}

Thanks: Pritam Kute!

I picked the 2nd solution

    • -1
    • +1
    ./webapp/ordermgr-js/geoAutoCompleter.js
Documented: remove old content links for ofbiz-setup, the docs have been migrated to asciidoc (OFBIZ-11587)

Documented: remove docbook migrated to asciidoc, portlet help are now in ofbiz-plugins / MyPortal (OFBIZ-11587)

    • -40
    • +0
    ./data/helpdata/HELP_SystemInfoNotes.xml
Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed to backport changes web.xml (was OK in plugins)

  1. … 23 more files in changeset.
Documented: Help link using asciidoc files via generated html (OFBIZ-11693)

Migrate CommonExtHelData.xml to added some <set field="helpAnchor" to

the correct screens

Now in commonext component only asciidoc documents are used, help link

area now link to userDocUri

(ci.apache.org/projects/ofbiz/site/trunk/ofbizdoc as default value in

general.property)

    • -0
    • +2
    ./widget/ofbizsetup/ProfileScreens.xml
Documented: Check all docbook file in each applications-component documents directory (OFBIZ-11587)

remove all files

  1. … 8 more files in changeset.
Documented: remove docbook help files for commonext (OFBIZ-11587)

all files have been migrated to asciidoc format and help link now point

to the html file generated from the asciidoc files

    • -72
    • +0
    ./data/helpdata/HELP_SETUP_editWebSite.xml
    • -66
    • +0
    ./data/helpdata/HELP_SETUP_firstProductCategory.xml
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Documented: revert remove docbook help files for commonext-SETUP (OFBIZ-11420)

Removing Help files in docbook format break the current online help

    • -0
    • +72
    ./data/helpdata/HELP_SETUP_editWebSite.xml
    • -0
    • +66
    ./data/helpdata/HELP_SETUP_firstProductCategory.xml
Documented: revert remove docbook help files for commonext-SETUP (OFBIZ-11420)

Removing Help files in docbook format break the current online help

    • -0
    • +72
    ./data/helpdata/HELP_SETUP_editWebSite.xml
    • -0
    • +66
    ./data/helpdata/HELP_SETUP_firstProductCategory.xml
Documented: All setup help file in docbook format migration to asciidoc format (OFBIZ-11363)

ofbiz-setup.adoc included all setup files and user-documentation.adoc

include ofbiz-setup

    • -72
    • +0
    ./data/helpdata/HELP_SETUP_editWebSite.xml
    • -66
    • +0
    ./data/helpdata/HELP_SETUP_firstProductCategory.xml
    • -0
    • +35
    ./src/docs/asciidoc/_include/HELP_initialsetup.adoc
    • -0
    • +39
    ./src/docs/asciidoc/_include/HELP_setup_editWebSite.adoc
  1. … 5 more files in changeset.
Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting the "stream"

request-map in commonext controller. And Jacopo to suggest to require

authentication (after suggesting to comment out)

It should be also noted that when the CSRF defense implementation will be in

place, all XSS vulnerabilities w/o authentication will not longer be possible.

Because then all requests shall contains a CSRF token.

Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting the "stream"

request-map in commonext controller. And Jacopo to suggest to require

authentication (after suggesting to comment out)

It should be also noted that when the CSRF defense implementation will be in

place, all XSS vulnerabilities w/o authentication will not longer be possible.

Because then all requests shall contains a CSRF token.

Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting the "stream"

request-map in commonext controller. And Jacopo to suggest to require

authentication (after suggesting to comment out)

It should be also noted that when the CSRF defense implementation will be in

place, all XSS vulnerabilities w/o authentication will not longer be possible.

Because then all requests shall contains a CSRF token.

Fixed: Temporarily comment out the "stream" request-map in commonext controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to

release the 17.12.01 version with this vulnerability fixed we need to require

(maybe only temporarily) the "stream" request-map in commonext controller

to need authentication.

We will later check that this has no impact and if necessary remove the

mandatory authentication, see OFBIZ-11349

Fixed: Temporarily comment out the "stream" request-map in commonext controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to

release the 17.12.01 version with this vulnerability fixed we need to require

(maybe only temporarily) the "stream" request-map in commonext controller

to need authentication.

We will later check that this has no impact and if necessary remove the

mandatory authentication, see OFBIZ-11349

Fixed: Temporarily comment out the "stream" request-map in commonext controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to

release the 17.12.01 version with this vulnerability fixed we need to require

(maybe only temporarily) the "stream" request-map in commonext controller

to need authentication.

We will later check that this has no impact and if necessary remove the

mandatory authentication, see OFBIZ-11349

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to

release the 17.12.01 version with this vulnerability fixed we need to

temporarily comment out the "stream" request-map in commonext controller.

We will later fix the specific issue to put back the functionalities allowed by

the "stream" request-map in this controller, see OFBIZ-11349

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to

release the 17.12.01 version with this vulnerability fixed we need to

temporarily comment out the "stream" request-map in commonext controller.

We will later fix the specific issue to put back the functionalities allowed by

the "stream" request-map in this controller, see OFBIZ-11349

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to

release the 17.12.01 version with this vulnerability fixed we need to

temporarily comment out the "stream" request-map in commonext controller.

We will later fix the specific issue to put back the functionalities allowed by

the "stream" request-map in this controller, see OFBIZ-11349

Reverted: "Improved: Use ‘depends-on’ attribute instead of “component-load.xml”" (OFBIZ-11296)

This reverts commit eeabe69813a1d9f42911dec70a912574046ef49b.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

  1. … 23 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

  1. … 23 more files in changeset.
Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

  1. … 23 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 23 more files in changeset.