Fixed: Added employee lookup to search/select employee (person) while creating new employment. This will also fix the issue of party groups being selected as an employee. (OFBIZ-11697) (#210)

  1. … 3 more files in changeset.
Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I forgot to backport the web.xml changes (it was OK in plugins)

  1. … 24 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
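A filter in the shape the commit describes, written here as an added example and not OFBiz's own SameSiteFilter: it rewrites every Set-Cookie header after the chain has run, and exposes the same helper so it can be called again right after the login-time session id renewal. The class, method names and the javax.servlet package are assumptions.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: the Servlet 3.x/4.0 Cookie class has no SameSite setter,
// so the only place to add the attribute is the raw Set-Cookie header.
public class SameSiteFilter implements Filter {
    private static final String SAME_SITE = "SameSite=Strict";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);                              // app and container emit their cookies
        addSameSiteCookieAttribute((HttpServletResponse) res); // then tag every Set-Cookie once
    }

    // Rewrites every Set-Cookie header that lacks SameSite; callable from anywhere that
    // has the response (the commit calls it again from the security-headers code).
    public static void addSameSiteCookieAttribute(HttpServletResponse resp) {
        if (resp.isCommitted()) {
            return; // headers already flushed: setHeader() would be silently ignored
        }
        // Copy first: setHeader() below replaces the live list we would otherwise iterate.
        List<String> cookies = new ArrayList<>(resp.getHeaders("Set-Cookie"));
        for (int i = 0; i < cookies.size(); i++) {
            String value = cookies.get(i);
            if (!value.toLowerCase().contains("samesite=")) { // keep explicit choices (e.g. Lax)
                value = value + "; " + SAME_SITE;
            }
            if (i == 0) {
                resp.setHeader("Set-Cookie", value); // replaces all previous Set-Cookie values
            } else {
                resp.addHeader("Set-Cookie", value);
            }
        }
    }

    // Session fixation defence: swap the session id after a successful login. The container
    // emits a fresh JSESSIONID cookie here, so the attribute must be re-applied at once.
    public static void renewSessionAfterLogin(HttpServletRequest req, HttpServletResponse resp) {
        req.changeSessionId(); // Servlet 3.1+
        addSameSiteCookieAttribute(resp);
    }
}
```

SameSite=Strict also withholds the session cookie on top-level navigations arriving from another site, so a user following an external link lands on the application logged out; verify that behaviour is acceptable for each webapp before enforcing it everywhere.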
Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true"

jleroux: I have also fixed the dataResourceId="GZ-DIG"

Thanks: Amardeep Singh Jhajj for report and initial fix

  1. … 10 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

  1. … 24 more files in changeset.
Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 24 more files in changeset.
Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

these declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
"Applied fix from trunk for revision: 1859571"

------------------------------------------------------------------------
r1859571 | jleroux | 2019-05-20 19:14:43 +0200 (lun. 20 mai 2019) | 22 lignes

Fixed: field emplFromDate is forgotten in PayHistory entity

(OFBIZ-11028)

Arpit Mor: steps to regenerate:

Login to the URL: https://demo-trunk.ofbiz.apache.org/humanres/control/main
Click on Employments
Click on New Employments
Click on Create

Actual: Error message is displayed.

Olivier Heintz: employment is associated with PayHistory, and there is a problem in PayHistory entity definition in OFBiz. In PayHistory, the field fromDate from Employment is confused with fromDate about the current record.

An Employment can have multiple PayHistories and should have multiple because PayHistory should show history of Pay for an employment!

It's necessary to have a field emplFromDate (to have the complete employment primaryKey).

When modifying a PayRecord the current should expire and a new one should be created.

Thanks: Arpit Mor for report at OFBIZ-10969 and Olivier Heintz for the fix

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859573 13f79535-47bb-0310-9956-ffa450edef68

  1. … 6 more files in changeset.
"Applied fix from trunk for revision: 1859571"

------------------------------------------------------------------------
r1859571 | jleroux | 2019-05-20 19:14:43 +0200 (lun. 20 mai 2019) | 22 lignes

Fixed: field emplFromDate is forgotten in PayHistory entity

(OFBIZ-11028)

Arpit Mor: steps to regenerate:

Login to the URL: https://demo-trunk.ofbiz.apache.org/humanres/control/main
Click on Employments
Click on New Employments
Click on Create

Actual: Error message is displayed.

Olivier Heintz: employment is associated with PayHistory, and there is a problem in PayHistory entity definition in OFBiz. In PayHistory, the field fromDate from Employment is confused with fromDate about the current record.

An Employment can have multiple PayHistories and should have multiple because PayHistory should show history of Pay for an employment!

It's necessary to have a field emplFromDate (to have the complete employment primaryKey).

When modifying a PayRecord the current should expire and a new one should be created.

Thanks: Arpit Mor for report at OFBIZ-10969 and Olivier Heintz for the fix

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1859572 13f79535-47bb-0310-9956-ffa450edef68

  1. … 6 more files in changeset.
Fixed: field emplFromDate is forgotten in PayHistory entity (OFBIZ-11028)

Arpit Mor: steps to regenerate:

Login to the URL: https://demo-trunk.ofbiz.apache.org/humanres/control/main
Click on Employments
Click on New Employments
Click on Create

Actual: Error message is displayed.

Olivier Heintz: employment is associated with PayHistory, and there is a problem in PayHistory entity definition in OFBiz. In PayHistory, the field fromDate from Employment is confused with fromDate about the current record.

An Employment can have multiple PayHistories and should have multiple because PayHistory should show history of Pay for an employment!

It's necessary to have a field emplFromDate (to have the complete employment primaryKey).

When modifying a PayRecord the current should expire and a new one should be created.

Thanks: Arpit Mor for report at OFBIZ-10969 and Olivier Heintz for the fix

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1859571 13f79535-47bb-0310-9956-ffa450edef68

  1. … 6 more files in changeset.
"Applied fix from trunk for revision: 1851068"

------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1851071 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
"Applied fix from trunk for revision: 1851068"

------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1851070 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Applied fix from trunk for revision: 1849467 ===

Removed: Duplicate request getAssociatedStateList, committed at r#1848469. We have getAssociatedStateList request in common-controller and common-controller included in humanres controller.xml.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1849468 13f79535-47bb-0310-9956-ffa450edef68

Removed: Duplicate request getAssociatedStateList, committed at r#1848469. We have getAssociatedStateList request in common-controller and common-controller included in humanres controller.xml.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1849467 13f79535-47bb-0310-9956-ffa450edef68

Applied fix from trunk for revision: 1848469 ===

Improved: Implement dependency from "State/Province" Field to "Country"

in New Employee Form.

(OFBIZ-10326)

Thanks Benjamin Jugl and Julian Leichert for reporting and providing

the patch.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1848472 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
Improved: Implement dependency from "State/Province" Field to "Country" in New Employee Form. (OFBIZ-10326)

Thanks Benjamin Jugl and Julian Leichert for reporting and providing

the patch.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1848469 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses the @WebListener annotation to start the process. This avoids duplicating things everywhere in web.xml files. Since the web.xml files have precedence over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce the ecommerce session cookie is also secured.

I also noted that we had 8 weird <session-timeout> declarations:

in solr component: <session-timeout>2</session-timeout>
in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode> declarations. I think it's not good.

I resolved these points by simply removing the <session-config> in web.xml files of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

  1. … 27 more files in changeset.
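The @WebListener approach the commit describes, as an added example that is not OFBiz's own listener: one annotated ServletContextListener applies the cookie-only tracking mode and the Secure/HttpOnly cookie flags to the webapp, replacing the per-web.xml <session-config> block shown in the comment. The class name and the javax.servlet package are assumptions.

```java
import java.util.EnumSet;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.SessionCookieConfig;
import javax.servlet.SessionTrackingMode;
import javax.servlet.annotation.WebListener;

// Hypothetical listener: equivalent to declaring in every web.xml
//   <session-config>
//     <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>
//     <tracking-mode>COOKIE</tracking-mode>
//   </session-config>
// but declared once, so an individual webapp cannot silently omit it.
@WebListener
public class SessionSecurityListener implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();

        // COOKIE only: never accept or emit ;jsessionid=... in URLs, where the id
        // would leak through access logs, Referer headers and bookmarks.
        ctx.setSessionTrackingModes(EnumSet.of(SessionTrackingMode.COOKIE));

        SessionCookieConfig cookie = ctx.getSessionCookieConfig();
        cookie.setHttpOnly(true); // unreadable from document.cookie
        cookie.setSecure(true);   // sent only over HTTPS, so every webapp must be served over TLS

        // Both calls throw IllegalStateException once the context is initialised,
        // which is why they belong in a ServletContextListener.
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        // nothing to release
    }
}
```

Because web.xml wins over the annotation, a webapp that still ships its own <session-config> (such as the 1- and 2-minute timeouts the commit removed) replaces this configuration for that webapp, so check the effective session cookie flags per webapp after deployment rather than trusting the listener alone.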
Removed duplicated request/view mapping

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1805755 13f79535-47bb-0310-9956-ffa450edef68

  1. … 4 more files in changeset.