Improved: Purchase Order Email Support (OFBIZ-11864)

  1. … 6 more files in changeset.
Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed backporting the web.xml changes (was OK in plugins)

  1. … 24 more files in changeset.
Reverted: Use Compound Widget on rest of the project (OFBIZ-11821)

Verbose and may better suit a custom implementation.

  1. … 2 more files in changeset.
Improved: Use Compound Widget on rest of the project (OFBIZ-11821)

Refactor for Find Request

  1. … 3 more files in changeset.
Improved: Converted all CustRequestContent related CRUD services from simple to entity-auto (#94)

* Improved: Converted all CustRequestContent related CRUD services from simple to entity-auto

(OFBIZ-11627)

* Improved: Added SECA rules for checkStatusCustRequest on invoke and updateCustRequestLastModifiedDate on commit for services related to CustRequestContent.

  1. … 4 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 15 more files in changeset.
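The mechanism the commit above describes, as an added example that is not OFBiz's own SameSiteFilter: the Servlet API's Cookie class has no SameSite setter, so the filter lets the rest of the chain run and then rewrites whatever Set-Cookie headers the response carries, which covers the JSESSIONID that Tomcat itself adds when a session is created or its id regenerated. The class, method and constant names are assumptions made for this example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (hypothetical name, not OFBiz's SameSiteFilter) that rewrites every
 * Set-Cookie header on the response so it carries SameSite=Strict. It runs after the rest
 * of the chain so that cookies the container added during the request are covered too.
 */
public final class SameSiteStrictFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";
    private static final String SAME_SITE_STRICT = "SameSite=Strict";

    /** Pure helper: appends SameSite=Strict unless the cookie already declares a SameSite value. */
    static String withSameSiteStrict(String setCookieValue) {
        if (setCookieValue == null || setCookieValue.isEmpty()) {
            return setCookieValue;
        }
        for (String attribute : setCookieValue.split(";")) {
            if (attribute.trim().toLowerCase(Locale.ROOT).startsWith("samesite=")) {
                // An explicit choice (e.g. Lax for a cross-site login flow) is left alone.
                return setCookieValue;
            }
        }
        return setCookieValue + "; " + SAME_SITE_STRICT;
    }

    /**
     * Rewrites the Set-Cookie headers already present on the response. Does nothing once the
     * response is committed, because the headers have then already been sent to the client.
     */
    static void addSameSiteCookieAttribute(HttpServletResponse response) {
        if (response.isCommitted()) {
            return;
        }
        Collection<String> headers = response.getHeaders(SET_COOKIE);
        if (headers == null || headers.isEmpty()) {
            return;
        }
        // Copy first: getHeaders may return a live view that setHeader below would clear.
        List<String> rewritten = new ArrayList<>();
        for (String header : headers) {
            rewritten.add(withSameSiteStrict(header));
        }
        // setHeader replaces all existing Set-Cookie values; addHeader appends the remaining ones.
        response.setHeader(SET_COOKIE, rewritten.get(0));
        for (int i = 1; i < rewritten.size(); i++) {
            response.addHeader(SET_COOKIE, rewritten.get(i));
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Let the application (and the container's session handling) set its cookies first.
        chain.doFilter(request, response);
        if (response instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) response);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void destroy() {
    }
}
```

Two caveats a deployment should check. First, a cookie issued after this filter has returned, or after the response was committed, is never rewritten; that is exactly the session-id regeneration case the commit runs into, and the fix there is to call the same helper at the point where the new session id is issued. Second, Strict means a browser following a cross-site link (for example from an e-mail) into an authenticated page arrives without the session cookie, so test such entry points; recent Tomcat 8.5/9 releases can also apply the attribute at container level through the CookieProcessor's sameSiteCookies setting in context.xml, which avoids the ordering problem entirely.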
Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true".

jleroux: I have also fixed the dataResourceId="GZ-DIG"

Thanks: Amardeep Singh Jhajj for report and initial fix

  1. … 10 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

  1. … 24 more files in changeset.
Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

  1. … 24 more files in changeset.
Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 24 more files in changeset.
Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

  1. … 24 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

these declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

  1. … 24 more files in changeset.
Improved: Add a discussion feature in order detail view for following communication about the order (mail, phone etc.) (OFBIZ-11210)

This is in order detail view for following communication about the order

(mail, phone etc.) to keep an eye about all com' event linked to the order.

Thanks: Carl Demus

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1867581 13f79535-47bb-0310-9956-ffa450edef68

  1. … 10 more files in changeset.
Implemented: The feature where a user will be able to add different types of content (image, document, URL, etc.) to an order. (OFBIZ-7257)

Here is an implementation plan for the proposed solution.

Order Attachment Flow:

1) Show 'Attachments' instead of 'Image' on the order view screen.

2) If there are any attachments associated with the order, then their information will be displayed in the form of a button (Content link), else a 'No Attachment' label should be shown.

3) If no attachments are there, then along with the label, a button (Add Attachment) will be displayed. On clicking the Add Attachment button, a user will be redirected to a page where he/she can add different types of content (image, document, URL, etc.) to the order.

Order Attachment Modeling: Used OrderContent as the entity to store the content and order association. Created OrderContentType data for an image and document for starters.

Thanks Avnindra Sharma for reporting the original issue, Devanshu Vyas for providing the patch and Jacques for review and suggestions.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1861853 13f79535-47bb-0310-9956-ffa450edef68

  1. … 7 more files in changeset.
"Applied fix from trunk for revision: 1859800" ------------------------------------------------------------------------ r1859800 | jleroux | 2019-05-23 18:36:37 +0200 (jeu. 23 mai 2019) | 8 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

(OFBIZ-9997)

Reverts all the rest from r1816180, and, after reading carefully the code used for "request-redirect" in RequestHandler (and downward), fixes the documentation in site-conf.xsd

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859802 13f79535-47bb-0310-9956-ffa450edef68

  1. … 5 more files in changeset.
"Applied fix from trunk for revision: 1859800" ------------------------------------------------------------------------ r1859800 | jleroux | 2019-05-23 18:36:37 +0200 (jeu. 23 mai 2019) | 8 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

(OFBIZ-9997)

Reverts all the rest from r1816180, and, after reading carefully the code used for "request-redirect" in RequestHandler (and downward), fixes the documentation in site-conf.xsd

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1859801 13f79535-47bb-0310-9956-ffa450edef68

  1. … 5 more files in changeset.
Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

Reverts all the rest from r1816180, and, after reading carefully the code used for "request-redirect" in RequestHandler (and downward), fixes the documentation in site-conf.xsd

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1859800 13f79535-47bb-0310-9956-ffa450edef68

  1. … 5 more files in changeset.
Improved: Added support for Inventory (Supply) Allocation Planning. (OFBIZ-10518) Thanks Deepak Nigam for initiating this feature and providing the patches, Arun Patidar for review and Swapnil Shah for design discussions.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1858270 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1851071 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
"Applied fix from trunk for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1851070 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 15 more files in changeset.
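Two of the commits on this page are configuration hardening that is easy to regress: OFBIZ-4956 (every controller.xml request-map should carry auth="true") and OFBIZ-6655 (web.xml session-config with a timeout, a Secure and HttpOnly cookie, and COOKIE-only tracking so session ids never end up in URLs). The lint below is an added example, not OFBiz code, that checks both from the file contents; the embedded controller.xml and web.xml snippets are constructed samples, the class and method names are assumptions, and treating a request-map without an explicit auth="true" as open is a deliberately conservative reading that you should confirm against the site-conf.xsd defaults of your OFBiz version.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

/** Illustrative lint for OFBiz webapp configuration (hypothetical name, not part of OFBiz). */
public final class WebappConfigLint {

    /** Parses with DTDs and external entities disabled, so a tampered config file cannot trigger XXE. */
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    /** URIs of request-maps in a controller.xml that are not explicitly protected with auth="true". */
    static List<String> unauthenticatedRequests(String controllerXml) throws Exception {
        List<String> open = new ArrayList<>();
        NodeList maps = parse(controllerXml).getElementsByTagName("request-map");
        for (int i = 0; i < maps.getLength(); i++) {
            Element map = (Element) maps.item(i);
            NodeList security = map.getElementsByTagName("security");
            // Assumption: only an explicit auth="true" counts; a missing <security> element is reported too.
            boolean requiresLogin = security.getLength() > 0
                    && "true".equals(((Element) security.item(0)).getAttribute("auth"));
            if (!requiresLogin) {
                open.add(map.getAttribute("uri"));
            }
        }
        return open;
    }

    /** Findings against the session-config of a web.xml; empty when it matches the hardened settings. */
    static List<String> sessionConfigFindings(String webXml) throws Exception {
        List<String> findings = new ArrayList<>();
        NodeList configs = parse(webXml).getElementsByTagName("session-config");
        if (configs.getLength() == 0) {
            findings.add("no <session-config> element");
            return findings;
        }
        Element config = (Element) configs.item(0);
        if (firstText(config, "session-timeout") == null) {
            findings.add("no session-timeout");
        }
        if (!"true".equals(firstText(config, "http-only"))) {
            findings.add("cookie-config/http-only is not true");
        }
        if (!"true".equals(firstText(config, "secure"))) {
            findings.add("cookie-config/secure is not true");
        }
        if (!"COOKIE".equals(firstText(config, "tracking-mode"))) {
            findings.add("tracking-mode is not COOKIE (URL rewriting would expose session ids)");
        }
        return findings;
    }

    private static String firstText(Element parent, String tag) {
        NodeList nodes = parent.getElementsByTagName(tag);
        return nodes.getLength() == 0 ? null : nodes.item(0).getTextContent().trim();
    }

    // Constructed samples for the example; not taken from OFBiz.
    static final String CONTROLLER_XML = "<site-conf>"
            + "<request-map uri=\"main\"><security https=\"true\" auth=\"true\"/></request-map>"
            + "<request-map uri=\"ViewReport\"><security https=\"true\" auth=\"false\"/></request-map>"
            + "<request-map uri=\"ping\"/>"
            + "</site-conf>";

    static final String WEAK_WEB_XML = "<web-app><session-config>"
            + "<session-timeout>60</session-timeout></session-config></web-app>";

    static final String HARDENED_WEB_XML = "<web-app><session-config>"
            + "<session-timeout>60</session-timeout>"
            + "<cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>"
            + "<tracking-mode>COOKIE</tracking-mode>"
            + "</session-config></web-app>";

    public static void main(String[] args) throws Exception {
        System.out.println("open requests: " + unauthenticatedRequests(CONTROLLER_XML));
        System.out.println("weak web.xml: " + sessionConfigFindings(WEAK_WEB_XML));
        System.out.println("hardened web.xml: " + sessionConfigFindings(HARDENED_WEB_XML));
    }
}
```

Run it over every controller.xml and web.xml in the framework and plugins directories (reading each file into a string) as a build or CI step, so that a new request-map with auth="false", or a branch where the cookie-config was not backported, fails before it ships. The parser is configured without namespace awareness on purpose: real web.xml files declare a default namespace, and tag-name matching still works that way, while the disabled DOCTYPE and entity features keep the lint itself from being an XXE sink.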