Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed backporting the web.xml changes (it was OK in plugins)

  1. … 24 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:
2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
Improved: "auth" should be true for all the request URLs used for Application components (OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true".

jleroux: I have also fixed the dataResourceId="GZ-DIG"

Thanks: Amardeep Singh Jhajj for report and initial fix

  1. … 10 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

  1. … 24 more files in changeset.
Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 24 more files in changeset.
Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
"Applied fix from trunk for revision: 1862278" ------------------------------------------------------------------------ r1862278 | jleroux | 2019-06-28 13:53:55 +0200 (ven. 28 juin 2019) | 17 lignes

Fixed: User should be notified with success message on MRP run in manufacturing component (OFBIZ-9533)

Steps to regenerate:

1. Go to Manufacturing component (manufacturing/control/main)
2. Click on Mrp sub menu (manufacturing/control/FindInventoryEventPlan)
3. Click on Run Mrp button (manufacturing/control/RunMrp)
4. Select Facility/Facility Group and click Submit button.

On success, the user should be notified with a success message like "Mrp run is scheduled".

jleroux: despite being a sub-task of an improvement I decided to backport. It works well and nothing could go wrong, only UI changes.

Thanks: Aditya Sharma for report, Humera Khan for the fix, Prachi Shastri for testing and Pierre Smits for noticing this could be backported (despite being a sub-task of an improvement)

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1862280 13f79535-47bb-0310-9956-ffa450edef68

  1. … 2 more files in changeset.
"Applied fix from trunk for revision: 1862278" ------------------------------------------------------------------------ r1862278 | jleroux | 2019-06-28 13:53:55 +0200 (ven. 28 juin 2019) | 17 lignes

Fixed: User should be notified with success message on MRP run in manufacturing component (OFBIZ-9533)

Steps to regenerate:

1. Go to Manufacturing component (manufacturing/control/main)
2. Click on Mrp sub menu (manufacturing/control/FindInventoryEventPlan)
3. Click on Run Mrp button (manufacturing/control/RunMrp)
4. Select Facility/Facility Group and click Submit button.

On success, the user should be notified with a success message like "Mrp run is scheduled".

jleroux: despite being a sub-task of an improvement I decided to backport. It works well and nothing could go wrong, only UI changes.

Thanks: Aditya Sharma for report, Humera Khan for the fix, Prachi Shastri for testing and Pierre Smits for noticing this could be backported (despite being a sub-task of an improvement)

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1862279 13f79535-47bb-0310-9956-ffa450edef68

  1. … 2 more files in changeset.
Fixed: User should be notified with success message on MRP run in manufacturing component (OFBIZ-9533)

Steps to regenerate:

1. Go to Manufacturing component (manufacturing/control/main)
2. Click on Mrp sub menu (manufacturing/control/FindInventoryEventPlan)
3. Click on Run Mrp button (manufacturing/control/RunMrp)
4. Select Facility/Facility Group and click Submit button.

On success, the user should be notified with a success message like "Mrp run is scheduled".

jleroux: despite being a sub-task of an improvement I decided to backport. It works well and nothing could go wrong, only UI changes.

Thanks: Aditya Sharma for report, Humera Khan for the fix, Prachi Shastri for testing and Pierre Smits for noticing this could be backported (despite being a sub-task of an improvement)

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1862278 13f79535-47bb-0310-9956-ffa450edef68

  1. … 2 more files in changeset.
"Applied fix from trunk for revision: 1859698" ------------------------------------------------------------------------ r1859698 | jleroux | 2019-05-22 10:12:51 +0200 (mer. 22 mai 2019) | 10 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

Reverts r1859694: request-redirect-noparam is required, else the deleted ProductManufacturingRule is shown in the edit/update screen with the deleted ruleId.

I was misled because this screen is not standard at all. I guess it's not much used since it has been like that for ages.

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859700 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1859698" ------------------------------------------------------------------------ r1859698 | jleroux | 2019-05-22 10:12:51 +0200 (mer. 22 mai 2019) | 10 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

Reverts r1859694: request-redirect-noparam is required, else the deleted ProductManufacturingRule is shown in the edit/update screen with the deleted ruleId.

I was misled because this screen is not standard at all. I guess it's not much used since it has been like that for ages.

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1859699 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

Reverts r1859694: request-redirect-noparam is required, else the deleted ProductManufacturingRule is shown in the edit/update screen with the deleted ruleId.

I was misled because this screen is not standard at all. I guess it's not much used since it has been like that for ages.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1859698 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1859694" ------------------------------------------------------------------------ r1859694 | jleroux | 2019-05-22 09:44:55 +0200 (mer. 22 mai 2019) | 5 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

No problems using view here, KISS!

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859697 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1859694" ------------------------------------------------------------------------ r1859694 | jleroux | 2019-05-22 09:44:55 +0200 (mer. 22 mai 2019) | 5 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

No problems using view here, KISS!

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1859696 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

No problems using view here, KISS!

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1859694 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1851071 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1851070 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Improved: Replace request-redirect w/ no redirect-param attribute by request-redirect-no-param (OFBIZ-9997)

There was a typo in r1816180; this fixes it and adds the plugins part

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1816183 13f79535-47bb-0310-9956-ffa450edef68

  1. … 8 more files in changeset.