Fixed: One page checkout is broken because of ordermgr::getAssociatedStateList (OFBIZ-11838)

On the orderview screen of the ordermgr, when a user tries to change the status of the order, in OrderInfo.ftl we are calling the "changeOrderStatus" request as

<@ofbizUrl>changeOrderStatus/orderview</@ofbizUrl>

Hence when the request is done, it is rewriting the URL to https://localhost:8443/ordermgr/control/changeOrderStatus/orderview.

When js functions running in the backend like "getAssociatedStateList" are called, they are getting the wrong URL to send a request to. This was causing the issue.

For now, there are two different fixes that can handle both problems which are mentioned in OFBIZ-2562 and OFBIZ-11838.

1. Change the request mapping for "changeOrderStatus" and add a request-redirect to the "orderview" screen. Change the actions in the forms in OrderInfo.ftl to call the "changeOrderStatus" request only and then remove the code in the "getAssociatedStateList" js function that rewrites the URL.

2. Add .length to the existing URL rewrite code written in the "getAssociatedStateList" js function as

if (jQuery('#orderViewed').length) {
    requestToSend = "/ordermgr/control/getAssociatedStateList"
}

Thanks: Pritam Kute!

I picked the 2nd solution

Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed backporting the web.xml changes (was OK in plugins)

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.
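
Added example, not OFBiz's SameSiteFilter: a minimal servlet filter that rewrites every Set-Cookie header after the filter chain has run so each carries SameSite=Strict, which is the approach the commit describes (the javax.servlet Cookie class has no SameSite setter, so the header string itself is amended). The class and method names are hypothetical; the code assumes the response is not yet committed when control returns to the filter, which is exactly why the commit also calls its helper from the login path where the session id is regenerated.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, not OFBiz's SameSiteFilter: appends SameSite=Strict to every
// Set-Cookie header the application or the container (JSESSIONID) has emitted.
public class SameSiteStrictFilter implements Filter {
    private static final String SET_COOKIE = "Set-Cookie";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res); // let downstream code set its cookies first
        // Once committed, headers are on the wire and cannot be changed; a cookie created
        // after that point (e.g. a session id regenerated at login) must be fixed at its source.
        if (res instanceof HttpServletResponse && !res.isCommitted()) {
            addSameSiteStrict((HttpServletResponse) res);
        }
    }

    // Re-emits each Set-Cookie header with SameSite=Strict; idempotent, so it can also
    // be called from the login path after the session id has been regenerated.
    public static void addSameSiteStrict(HttpServletResponse response) {
        // copy first: setHeader below replaces the live collection being iterated
        List<String> cookies = new ArrayList<>(response.getHeaders(SET_COOKIE));
        boolean first = true;
        for (String header : cookies) {
            String fixed = withSameSiteStrict(header);
            if (first) {
                response.setHeader(SET_COOKIE, fixed); // replaces all earlier values
                first = false;
            } else {
                response.addHeader(SET_COOKIE, fixed);
            }
        }
    }

    // Pure string helper: leaves a header alone if it already declares SameSite.
    static String withSameSiteStrict(String setCookieHeader) {
        if (setCookieHeader.toLowerCase().contains("samesite=")) {
            return setCookieHeader;
        }
        return setCookieHeader + "; SameSite=Strict";
    }
}
```

Strict also withholds the cookie on top-level navigations arriving from another site, so a flow that returns the user from an external site (a payment provider, for instance) lands without its session; Lax keeps those navigations while still blocking cross-site subrequests such as forms posted from another origin.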

Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting out the "stream" request-map in the commonext controller. And Jacopo for suggesting to require authentication (after suggesting to comment it out)

It should also be noted that when the CSRF defense implementation is in place, all XSS vulnerabilities w/o authentication will no longer be possible, because then all requests shall contain a CSRF token.

Fixed: Temporarily comment out the "stream" request-map in commonext controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to release the 17.12.01 version with this vulnerability fixed we need to require (maybe only temporarily) the "stream" request-map in the commonext controller to need authentication.

We will later check that this has no impact and if necessary remove the mandatory authentication, see OFBIZ-11349

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily comment out the "stream" request-map in the commonext controller.

We will later fix the specific issue to put back the functionalities allowed by the "stream" request-map in this controller, see OFBIZ-11349

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

these declarations avoid SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

Reverted: JSON entity data import and export utility (OFBIZ-10966)

Implementation was not matching OFBiz code quality requirements.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1867342 13f79535-47bb-0310-9956-ffa450edef68

./ofbizsetup/WEB-INF/controller.xml (-12 / +0)
Implemented: JSON entity data import and export utility (OFBIZ-10966)

Currently, we support import/export of entity data in XML format. Nowadays JSON is widely used in industry, so we can have support for the JSON format, which looks quite similar to the XML support.

Here is an example of XML data and its JSON version:

<Party partyId="123456" partyTypeId="PERSON" statusId="PARTY_ENABLED"/>

{"Party": {"partyId":"123456","partyTypeId":"PERSON","statusId":"PARTY_ENABLED"}}

Design Proposal

We can write entityImportJson and entityImportDirJson services for importing JSON from a screen and from a directory respectively, and the entityExportAllJson service for exporting entity data in JSON.

Import Design

The import service will perform the following operations:

1.) Validate the input JSON data
2.) On successful validation, convert JSON to OFBiz's entity model (GenericValue)
3.) The GenericValue will be inserted in the database by some handler class, e.g. we can write JsonDataHandler, which will convert the given JSON to List<GenericValue> and finally write it to the database (a similar pattern is used in the XML import).

Export Design

Based on the existing XML pattern, the writeXmlText method of the GenericEntity class writes the exported data in XML format. In a similar way, we can implement writeJsonText to export data in JSON format.

jleroux: I fixed 2 trivial things and at my request in the last patch Jayansh added "JSON Data Export All" and "JSON Data Import Dir"

Thanks: Jayansh Shinde

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1862206 13f79535-47bb-0310-9956-ffa450edef68

./ofbizsetup/WEB-INF/controller.xml (-0 / +12)
Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raises an error, the framework uses a jsp page to display it. I improved the error page generation to also support ftl template rendering and by this way extend the theme engine to support overriding it.

In controller.xml we can now use:

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

In your theme you can add your own error page:

<template>
...
<template-file widget=menu location=component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl/>
+ <template-file widget=error location=component://common-theme/template/ErrorPage.ftl/>
</template>

The component://common/webcommon/error/Error.ftl contains the theming connection logic and, to simplify the source code, all old framework error pages (error.jsp) have been removed to centralize everything on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68

# Conflicts:

# framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlServlet.java

# themes/common/template/ErrorPage.ftl
