Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed backporting the web.xml changes (it was OK in plugins).

Fixed: Specified key was too long; max key length is 767 bytes for ProductPromoCodeEmail entity. (OFBIZ-5426) (#44)

* Fixed: Specified key was too long; max key length is 767 bytes for ProductPromoCodeEmail entity.

(OFBIZ-5426)

The problem is in the entity model. An email address should not be used in the primary key - mainly because an email address is case-insensitive. A better design would be to use the email address contact mechanism ID in the primary key.

Done the following:

1. Changed the entity name from ProductPromoCodeEmail to ProductPromoCodeContMech

2. Related changes for the entity name change

3. Migration service to migrate old data

Thanks to Leon for the report and to Adrian Crum, Jacques Le Roux, Ingo Wolfmayr, Deepak Dixit, Pierre Smits and Gil Portenseigne for the discussion and review.

* Improved: Added a new line in the service definition file and the licence in the MigrationServices file.

(OFBIZ-5426)

Thanks to Jacopo for the review.

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective counter measure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

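As an added illustration of the approach this commit describes, and not code taken from OFBiz: a servlet filter that appends SameSite=Strict to every Set-Cookie header after the rest of the chain has run, with the rewrite exposed as a public static method so that code which creates cookies late (the session regeneration at login mentioned above) can call it directly. The class and method names are illustrative and only mirror the SameSiteFilter::addSameSiteCookieAttribute named in the commit; the code assumes the javax.servlet 3.x API, which is where HttpServletResponse.getHeaders and isCommitted come from.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not OFBiz code): once the rest of the chain has run,
 * rewrite every Set-Cookie header on the response so it carries SameSite=Strict.
 * Assumes Servlet 3.0+ for HttpServletResponse#getHeaders and #isCommitted.
 */
public class SameSiteStrictFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(request, response);
        if (response instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) response);
        }
    }

    /**
     * Rewrites the response's Set-Cookie headers in place. Public and static so the
     * code path that regenerates the session id (and thus emits a fresh JSESSIONID
     * cookie) can call it itself rather than relying on the filter alone.
     * Does nothing once the response is committed: headers cannot change after that.
     */
    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
        if (response.isCommitted()) {
            return;
        }
        Collection<String> current = response.getHeaders(SET_COOKIE);
        if (current == null || current.isEmpty()) {
            return;
        }
        List<String> rewritten = new ArrayList<>(current.size());
        for (String header : current) {
            rewritten.add(withSameSiteStrict(header));
        }
        // setHeader replaces every existing Set-Cookie value; addHeader appends the rest.
        boolean first = true;
        for (String header : rewritten) {
            if (first) {
                response.setHeader(SET_COOKIE, header);
                first = false;
            } else {
                response.addHeader(SET_COOKIE, header);
            }
        }
    }

    /** Appends "; SameSite=Strict" unless the header already declares a SameSite attribute. */
    static String withSameSiteStrict(String setCookieHeader) {
        String[] parts = setCookieHeader.split(";");
        // parts[0] is name=value; only the following parts are attributes, so a cookie
        // whose value happens to contain "samesite=" is not mistaken for one already set.
        for (int i = 1; i < parts.length; i++) {
            if (parts[i].trim().toLowerCase(Locale.ROOT).startsWith("samesite=")) {
                return setCookieHeader;
            }
        }
        return setCookieHeader + "; SameSite=Strict";
    }
}
```

Register it in web.xml with a filter-mapping on /* so it wraps every request. Two caveats a practitioner should keep in mind: header rewrites are silently lost once the response has been committed during chain.doFilter, which is the practical reason a post-chain filter alone cannot be trusted and the rewrite is also invoked where the session is regenerated; and SameSite=Strict means the browser withholds the session cookie on every cross-site navigation, so a user returning from another site (a payment provider redirecting back to the shop, for example) arrives without a session, which is why Lax is the usual compromise where such flows exist. Tomcat itself can also stamp the attribute container-wide through the sameSiteCookies setting of its Rfc6265CookieProcessor, but an in-application filter keeps the policy with the code and independent of container configuration.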
Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true"

jleroux: I have also fixed the dataResourceId="GZ-DIG"

Thanks to Amardeep Singh Jhajj for the report and initial fix

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit 3075027df7c82bcb381810d9d438150ef696254f.

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit a93b1fcb7859a754ba84b810c4736e7ef6778689.

Revert "Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)"

This reverts commit 226e901981b68941bbcf3e1025d2208061d28db6.

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

Improved: Update “web.xml” files version 3.0 → 4.0 (OFBIZ-6993)

Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

Applied fix from trunk for revision: 1867972 ===

Reverted: User is unable to update the review of product

(OFBIZ-10799)

Reverted rev 1867904

Thanks to Deepak Dixit for reporting the issue.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1867974 13f79535-47bb-0310-9956-ffa450edef68

Applied fix from trunk for revision: 1867972 ===

Reverted: User is unable to update the review of product

(OFBIZ-10799)

Reverted rev 1867904

Thanks to Deepak Dixit for reporting the issue.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1867973 13f79535-47bb-0310-9956-ffa450edef68

Reverted: User is unable to update the review of product (OFBIZ-10799)

Reverted rev 1867904

Thanks to Deepak Dixit for reporting the issue.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1867972 13f79535-47bb-0310-9956-ffa450edef68

Applied fix from trunk for revision: 1867904 ===

Fixed: User is unable to update the review of product

(OFBIZ-10799)

Redirected the request with the eligible parameters so that, if the user had searched using any parameter, the result persists after the update.

Thanks to Ashish Sharma for the report and to Pierre Smits and Jacques Le Roux for the review.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1867906 13f79535-47bb-0310-9956-ffa450edef68

Applied fix from trunk for revision: 1867904 ===

Fixed: User is unable to update the review of product

(OFBIZ-10799)

Redirected the request with the eligible parameters so that, if the user had searched using any parameter, the result persists after the update.

Thanks to Ashish Sharma for the report and to Pierre Smits and Jacques Le Roux for the review.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1867905 13f79535-47bb-0310-9956-ffa450edef68

Fixed: User is unable to update the review of product (OFBIZ-10799)

Redirected the request with the eligible parameters so that, if the user had searched using any parameter, the result persists after the update.

Thanks to Ashish Sharma for the report and to Pierre Smits and Jacques Le Roux for the review.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1867904 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1859800" ------------------------------------------------------------------------ r1859800 | jleroux | 2019-05-23 18:36:37 +0200 (jeu. 23 mai 2019) | 8 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

(OFBIZ-9997)

Reverts all the rest from r1816180, and, after reading carefully the code used for "request-redirect" in RequestHandler (and downward), fixes the documentation in site-conf.xsd

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859802 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from trunk for revision: 1859800" ------------------------------------------------------------------------ r1859800 | jleroux | 2019-05-23 18:36:37 +0200 (jeu. 23 mai 2019) | 8 lignes

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam

(OFBIZ-9997)

Reverts all the rest from r1816180, and, after reading carefully the code used for "request-redirect" in RequestHandler (and downward), fixes the documentation in site-conf.xsd

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release18.12@1859801 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Replace request-redirect w/ no redirect-param attribute by request-redirect-noparam (OFBIZ-9997)

Reverts all the rest from r1816180, and, after reading carefully the code used for "request-redirect" in RequestHandler (and downward), fixes the documentation in site-conf.xsd

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1859800 13f79535-47bb-0310-9956-ffa450edef68

Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raises an error, the framework uses a JSP page to display it.

I improved the error page generation to also support FTL template rendering, and in this way extended the theme engine so that the error page can be overridden.

In controller.xml we can now use:

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

In your theme you can add your own error page:

<template>
...
<template-file widget="menu" location="component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl"/>
+ <template-file widget="error" location="component://common-theme/template/ErrorPage.ftl"/>
</template>

The component://common/webcommon/error/Error.ftl contains the theming connection logic and, to simplify the source code, all the framework's old error pages (error.jsp) have been removed to centralize everything on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68

# Conflicts:

# framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlServlet.java

# themes/common/template/ErrorPage.ftl

Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raises an error, the framework uses a JSP page to display it.

I improved the error page generation to also support FTL template rendering, and in this way extended the theme engine so that the error page can be overridden.

In controller.xml we can now use:

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

In your theme you can add your own error page:

<template>
...
<template-file widget="menu" location="component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl"/>
+ <template-file widget="error" location="component://common-theme/template/ErrorPage.ftl"/>
</template>

The component://common/webcommon/error/Error.ftl contains the theming connection logic and, to simplify the source code, all the framework's old error pages (error.jsp) have been removed to centralize everything on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68
