Improved: Cannot find the declaration of element 'web-app' in version 3.0 files. (OFBIZ-6993)

I missed backporting the web.xml changes (was OK in plugins)

  1. … 23 more files in changeset.
Fixed: Check embedded Javascript libs vulnerabilities using retire.js (OFBIZ-11752)

Upgraded jQuery to 3.5.2 and jQuery migrate to 3.3.0 to fix vulnerabilities of medium severity

The regex in jQuery.htmlPrefilter may sometimes introduce XSS; https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

    • -10598 +0  ./webapp/common/js/jquery/jquery-3.4.1.js
    • -2 +0  ./webapp/common/js/jquery/jquery-3.4.1.min.js
    • -0 +10872  ./webapp/common/js/jquery/jquery-3.5.1.js
    • -0 +2  ./webapp/common/js/jquery/jquery-3.5.1.min.js
    • -0 +838  ./webapp/common/js/jquery/jquery-migrate-3.3.0.js
    • -0 +2  ./webapp/common/js/jquery/jquery-migrate-3.3.0.min.js
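
As an added illustration of the htmlPrefilter issue the commit above refers to (example code written for this page, not jQuery's source and not part of the OFBiz change): a re-creation of the self-closing-tag rewrite jQuery performed before 3.5.0, applied to a constructed payload, with a small quote-aware scanner to show which elements a browser would actually create from the result. The regex shape and the payload are assumptions modelled on the 3.5.0 release notes; the scanner is deliberately minimal and is not a full HTML parser.

```javascript
// Added example, not jQuery's source and not part of the OFBiz commit: a
// re-creation of the self-closing-tag expansion that jQuery.htmlPrefilter
// performed before 3.5.0, to show how markup that is harmless as written
// can be rewritten into a live element before it reaches the parser.

// Same shape as the pre-3.5 regex: "<name .../>" for any non-void element
// is expanded to "<name ...></name>".
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5 behaviour.
function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5 behaviour: the markup is passed through untouched.
function htmlPrefilter(html) {
  return html;
}

// Minimal start-tag scanner, quote-aware like the browser tokenizer, so we
// can see which elements the parser would actually create.
function startTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    if (html[i] !== "<" || !/[a-z]/i.test(html[i + 1] || "")) { i++; continue; }
    let j = i + 1;
    while (j < html.length && /[^\s\/>]/.test(html[j])) j++;
    const name = html.slice(i + 1, j).toLowerCase();
    let quote = null;
    while (j < html.length) {                 // a ">" inside quotes does not close the tag
      const c = html[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === ">") break;
      j++;
    }
    tags.push({ name, attrs: html.slice(i + 1 + name.length, j) });
    i = j + 1;
  }
  return tags;
}

// Attribute names of one tag; quoted values are consumed whole so a "<" or
// an "on..." inside a value is not mistaken for an attribute.
function attrNames(attrs) {
  const names = [];
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(attrs)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// "tag.attribute" for every inline event handler the parser would register.
function inlineHandlers(html) {
  const found = [];
  for (const t of startTags(html)) {
    for (const a of attrNames(t.attrs)) if (a.startsWith("on")) found.push(`${t.name}.${a}`);
  }
  return found;
}

// Constructed payload of the kind reported for the pre-3.5 prefilter: the
// "/><img ...>" lives inside a quoted title attribute, so as written it is
// inert. The expansion of '<x" title="/>' into '<x" title="></x">' closes
// the attribute early and leaves a real <img onerror=...> behind it.
const PAYLOAD = '<img alt="<x" title="/><img src=url404 onerror=xss(1)>">';
```

`inlineHandlers(PAYLOAD)` is empty, while `inlineHandlers(legacyHtmlPrefilter(PAYLOAD))` reports `img.onerror`; the 3.5 prefilter returns the input unchanged, which is why the upgrade closes the hole without any change to OFBiz's own templates.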
Revert "Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk"

This reverts commit 27e57522b15d71352c61919befc6eb451ed4e864.

  1. … 27 more files in changeset.
Merge branch 'JacquesLeRoux-POC-for-CSRF-Token-OFBIZ-11306' into trunk

Because of GitHub message on PR56: This branch cannot be rebased due to conflicts

Many conflicts, but that should be OK

  1. … 27 more files in changeset.
Improved: Decodes AjaxAutocompleteOptions return value

(OFBIZ-11475)

Improved: no functional change

Adds "Content-Security-Policy" frame-ancestors="self" in ErrorPage.ftl

Because this page is used as an HTTP 500 error page it's more susceptible to clickjacking.

Quoting OWASP ZAP:

This problem still applies to error-type pages (401, 403, 500, etc.), as these pages are still often affected by injection problems, in which case it is still possible that browsers may interpret pages differently from their actual content type.

I tried to work on other file types that were also reported but it's complicated and I believe it's not worth it

Fixed: Potential Nullpointer in ErrorPage.ftl

(OFBIZ-11448)

Inserted null check for request attribute

Added missing ErrorPage.ftl file (OFBIZ-10753)

    • -0 +509  ./template/ErrorPage.ftl
Fixed: setUserTimeZone should run only once based on error (OFBIZ-11329)

This will be notably useful when committing the CSRF solution as explained in OFBIZ-11306:

SetTimeZoneFromBrowser when starting gives a RequestHandlerException: Invalid or missing CSRF token for AJAX call to path '/SetTimeZoneFromBrowser'.

Also not only when starting.

Thanks: James Yong for review

(cherry picked from commit 350c71f4df45cbe5671b54e61f74f9a352d78e05)

# Conflicts:
# framework/common/groovyScripts/SetLocaleFromBrowser.groovy
# themes/common-theme/webapp/common/js/util/setUserTimeZone.js replaced by setUserLocale.js modified by hand

I can compile locally but I can see a reason why and certainly not related to these changes

    • -11 +14  ./webapp/common/js/util/setUserLocale.js
  1. … 1 more file in changeset.
Normalize all the line endings

    • -9 +9  ./webapp/common/js/jquery/plugins/datejs/core.js
  1. … 187 more files in changeset.
Saving files before refreshing line endings

Reverted: "Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)"

This reverts commit d1c037dca1ea14caf545c85c3741bb9af093f3c9.

  1. … 23 more files in changeset.
Fixed: add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile

  1. … 23 more files in changeset.
Applied fix from trunk for revision: 1867577 (by hand)
------------------------------------------------------------------------
r1867577 | jleroux | 2019-09-26 16:41:50 +0200 (Thu, 26 Sep 2019) | 8 lines

Fixed: Fix multi modal opening

(OFBIZ-11211)

The issue is that when closing the modal the div inside the HTML DOM is not removed. Then opening a second time creates another identical div. Since a lookup is based on a unique id, this id is no longer unique...

Thanks: Carl Demus

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1867579 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Send upload form with event-update-area doesn't work (Backport from trunk) (OFBIZ-11207)

When you create an XML form with upload as type, you can't use the on-event-update-area element to submit it by Ajax. Otherwise, OFBiz returns an error message: 'uploadFile is empty'. To solve it, we analyze the form's enctype before submitting it, to use FormData instead of a direct serialize [1]

Example form where the problem has been present:

****
<form name='AddNicelyFile' type='upload' target='CreateNicelyFile'>
    <field name='uploadedFile' title='File'><file/></field>
    <field name='addButton'><submit/></field>
    <on-event-update-area event-type='submit' area-id='window' area-target='FileDisplaying'/>
</form>
****

Thanks to Samuel Tregouet for this fix

[1] https://developer.mozilla.org/en-US/docs/Web/API/FormData/Using_FormData_Objects

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1867438 13f79535-47bb-0310-9956-ffa450edef68

    • -2 +18  ./webapp/common/js/util/OfbizUtil.js
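
An added example (not OFBiz's OfbizUtil.js) of the enctype decision the commit describes, runnable under Node 18 or later: a URL-encoded serialization cannot carry a file part, while FormData can. The `form` object is a constructed stand-in for the DOM form (in the browser you would pass the element to `new FormData(form)`), and the jQuery-style option names returned by `buildAjaxRequest` are assumptions about how the body would be handed to `$.ajax`.

```javascript
// Added example, not OFBiz's OfbizUtil.js: why an upload form cannot be
// submitted by Ajax through a URL-encoded serialization, and the enctype
// check the fix describes. Requires Node 18+ (global FormData, Blob).
// `form` is a constructed stand-in for a DOM <form>; in the browser you
// would pass the element itself to new FormData(form).

// Input types a .serialize()-style encoding leaves out (jQuery's
// serializeArray() skips these). A file's bytes have no text form anyway.
const NOT_SERIALIZED = new Set(["file", "submit", "button", "image", "reset"]);

// application/x-www-form-urlencoded body, like jQuery's .serialize().
function serializeForm(form) {
  const params = new URLSearchParams();
  for (const f of form.fields) {
    if (NOT_SERIALIZED.has(f.type)) continue;
    params.append(f.name, f.value);
  }
  return params.toString();
}

// multipart/form-data body with the file part, like new FormData(formElement).
function buildFormData(form) {
  const fd = new FormData();
  for (const f of form.fields) {
    if (f.type === "file") fd.append(f.name, f.value, f.filename);
    else fd.append(f.name, f.value);
  }
  return fd;
}

// The fix's decision point: look at the enctype before submitting.
// jQuery-style option names (assumption): for FormData, contentType and
// processData are both false so jQuery neither re-serializes the body nor
// overrides the multipart Content-Type, whose boundary the browser sets.
function buildAjaxRequest(form) {
  if ((form.enctype || "").toLowerCase() === "multipart/form-data") {
    return { contentType: false, processData: false, data: buildFormData(form) };
  }
  return { contentType: "application/x-www-form-urlencoded", processData: true, data: serializeForm(form) };
}

// Constructed stand-in for the AddNicelyFile form in the commit message.
const uploadForm = {
  enctype: "multipart/form-data",
  fields: [
    { name: "description", type: "text", value: "quarterly notes" },
    { name: "uploadedFile", type: "file", value: new Blob(["hello"], { type: "text/plain" }), filename: "notes.txt" },
  ],
};

// Size of the uploadedFile part the server would receive: the file's byte
// length on the FormData path, 0 when the form was only serialized (the
// "uploadFile is empty" symptom from the report).
function uploadedFileSize(form) {
  const req = buildAjaxRequest(form);
  if (req.data instanceof FormData) {
    const part = req.data.get("uploadedFile");
    return part ? part.size : 0;
  }
  return (new URLSearchParams(req.data).get("uploadedFile") || "").length;
}
```

With the same form object, `uploadedFileSize(uploadForm)` is 5 on the multipart path and 0 once the enctype is forced back to `application/x-www-form-urlencoded`: the serialized body is just `description=quarterly+notes`, which is exactly what the server saw before the fix.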
Applied fix from trunk for revision: 1838074 === Improved: Change the ugly favicon with the new one! | Using new OFBiz logo (OFBIZ-10522)

The unreleased branch 17.12 uses new logo, but old favicon icon. Backported the changes from trunk.

Additional change:

1. Fixed broken logo image URL for flatgrey theme along with some custom css to fix its height and width

2. Replaced new logo with old in tomahawk theme along with some custom css to fix its height and width

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1865034 13f79535-47bb-0310-9956-ffa450edef68

    • binary  ./webapp/images/favicon-32.png
    • binary  ./webapp/images/favicon-64.png
    • binary  ./webapp/images/favicon-96.png
    • binary  ./webapp/images/favicon.ico
    • binary  ./webapp/images/favicon.png
  1. … 7 more files in changeset.
Fixed: favicon.ico missing for LookupDecorator (OFBIZ-11146)

The ListVisualTheme page uses LookupDecorator and in the absence of any shortcut icon the browser hits the favicon.ico file by default.

Additional change: Fixed path for title.gif specific to Flatgrey theme

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1864221 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
Applied fix from trunk for revision: 1863838 ===

Fixed: Check embedded Javascript libs vulnerabilities using retire.js

(OFBIZ-10678)

1. For solving CVE-2019-11358, upgraded jQuery to 3.4.1

2. Replaced library Fancybox with Featherlight. Added custom css so that cursor for links becomes pointer

Thanks Jacques Le Roux for the reviews

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1863853 13f79535-47bb-0310-9956-ffa450edef68

    • -20 +1  ./template/includes/ListVisualThemes.ftl
    • -10253 +0  ./webapp/common/js/jquery/jquery-3.2.1.js
    • -4 +0  ./webapp/common/js/jquery/jquery-3.2.1.min.js
    • -0 +10598  ./webapp/common/js/jquery/jquery-3.4.1.js
    • -0 +2  ./webapp/common/js/jquery/jquery-3.4.1.min.js
  1. … 31 more files in changeset.
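
For the CVE-2019-11358 upgrade above, an added example (not jQuery's or OFBiz's code): a deep merge in the shape of `jQuery.extend(true, …)` before 3.4.0, beside the fixed form, run against a constructed JSON body that carries a `__proto__` key. The function and property names (`deepExtendVulnerable`, `isAdmin`, `HOSTILE_JSON`) are illustrative.

```javascript
// Added example, not jQuery's or OFBiz's source: a deep merge in the shape
// of jQuery.extend(true, target, source) before the 3.4.0 fix for
// CVE-2019-11358, beside the corrected version, with a constructed
// attacker-controlled JSON document showing the difference.

// Simplified version of jQuery's plain-object test; note that it accepts
// Object.prototype itself (its prototype is null).
function isPlainObject(v) {
  if (Object.prototype.toString.call(v) !== "[object Object]") return false;
  const proto = Object.getPrototypeOf(v);
  return proto === null || proto === Object.prototype;
}

// Pre-3.4.0 shape: every key of source is merged, "__proto__" included, so
// target["__proto__"] (which resolves to Object.prototype) becomes the
// merge target for the nested object.
function deepExtendVulnerable(target, source) {
  for (const name in source) {
    const copy = source[name];
    if (target === copy) continue;          // never-ending-loop guard jQuery already had
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendVulnerable(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// The 3.4.0 fix: refuse to merge into the prototype chain.
function deepExtendFixed(target, source) {
  for (const name in source) {
    if (name === "__proto__") continue;     // the one-line fix
    const copy = source[name];
    if (target === copy) continue;
    if (isPlainObject(copy)) {
      const clone = isPlainObject(target[name]) ? target[name] : {};
      target[name] = deepExtendFixed(clone, copy);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

// Constructed attacker input, e.g. a JSON body merged into default options.
// JSON.parse creates "__proto__" as an ordinary own property, so for..in
// enumerates it like any other key.
const HOSTILE_JSON = '{"theme": "dark", "__proto__": {"isAdmin": true}}';

// Merges into a fresh target, then reports whether an unrelated object
// picked up isAdmin. Cleans up Object.prototype afterwards either way.
function pollutesGlobalPrototype(extend) {
  const defaults = { theme: "light" };
  extend(defaults, JSON.parse(HOSTILE_JSON));
  const bystander = {};
  const polluted = bystander.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}
```

`pollutesGlobalPrototype(deepExtendVulnerable)` returns true: after the merge every object in the process answers `isAdmin === true`, which is why a library-level deep merge over untrusted JSON counts as a vulnerability even when the application never touches `__proto__` itself. The fixed merge still copies `theme` and nested plain objects; it only skips that one key.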
"Applied fix from trunk for revision: 1863560 BY HAND" ------------------------------------------------------------------------ r1863560 | jleroux | 2019-07-22 17:21:14 +0200 (lun. 22 juil. 2019) | 37 lignes

Fixed: Unknown request [images]; this request does not exist or cannot be called directly.

(OFBIZ-10895)

Today Olivier reported directly to me that there was an issue in HR:

<<If you go to humanres, at the level of the tree that appears the icons to expand the tree no longer appear (but you can click...)
This is due to the path of the d.png image which is wrong in the css file (there is too much image in the path)>>

I should have seen it because the d.png file is, with other related image files, in the same directory as style.css. And there was an inconsistency in the style.css files regarding the d.png file path.

We should note that we still have this error in log:

2019-07-22 16:25:26,275 |jsse-nio-8443-exec-7 |ControlServlet |E| Error in request handler:
org.apache.ofbiz.webapp.control.RequestHandlerException: Unknown request [d.png]; this request does not exist or cannot be called directly.
at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:277) ~[ofbiz.jar:?]

As I wrote in my last commit for OFBIZ-10895:

The only safe way to go is to not only check the error log for "Unknown request [...." but also to look for 404 in access log, not all requests show erroneously in error log.

Some errors appear before the user is logged in, as I wrote in the Jira:

<<I noticed that this error message often appears before login. A 404 can be seen in the access log and then once logged in the issue no longer exists (ie we get a 200). I have not yet investigated why...>>

Nevertheless, I want to remove this misleading error message. I hope I'll do that before forgetting.

Thanks: Olivier Heintz

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1863563 13f79535-47bb-0310-9956-ffa450edef68

Applied fix from trunk for revision: 1860597 ===

Fixed: Html escaping missing for renderLink parameters

(OFBIZ-11090)

Parameter values should be escaped to avoid any kind of cross-site scripting issue.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1860599 13f79535-47bb-0310-9956-ffa450edef68

    • -1 +1  ./template/macro/HtmlFormMacroLibrary.ftl
    • -2 +2  ./template/macro/HtmlMenuMacroLibrary.ftl
  1. … 2 more files in changeset.
Fixed: no functional changes

Revert changes from r1859873 which inadvertently slipped in

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859875 13f79535-47bb-0310-9956-ffa450edef68

Applied fix from trunk for revision: 1859871
------------------------------------------------------------------------
r1859871 | jleroux | 2019-05-24 15:24:31 +0200 (Fri, 24 May 2019) | 14 lines

Fixed: OWASP sanitizer breaks proper rendering of HTML code

(OFBIZ-10187)

After a discussion with Dennis, I checked and the pattern ONSITE_URL would be useless without

.allowAttributes("background").matching(ONSITE_URL)
.onElements("table")
.allowAttributes("background").matching(ONSITE_URL)
.onElements("td", "th", "tr")

So here they are

Thanks: Dennis Balkir for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859873 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
Applied fix from trunk for revision: 1859807 (some handled by hand)
------------------------------------------------------------------------
r1859807 | jleroux | 2019-05-23 18:41:59 +0200 (Thu, 23 May 2019) | 5 lines

Fixed: Unknown request [images]; this request does not exist or cannot be called directly.

(OFBIZ-10895)

This should be the last commit, but I can't be sure. So I'll continue to monitor the demos logs...

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1859810 13f79535-47bb-0310-9956-ffa450edef68

    • -7 +7  ./webapp/common/js/jquery/ui/jquery-ui-1.12.1.css
  1. … 6 more files in changeset.
Applied fix from trunk for revision: 1858444
------------------------------------------------------------------------
r1858444 | jleroux | 2019-04-30 18:23:56 +0200 (Tue, 30 Apr 2019) | 34 lines

Fixed: Unknown request [images]; this request does not exist or cannot be called directly.

(OFBIZ-10895)

This error happens in many occasions:

Inside another request (eg LookupProduct)
Or after a request (eg login)

It shows only in log and has no effect on UI. Notably the new feature normally showing an error message in trunk (OFBIZ-10753) does not show.

It happens in all supported releases. IIRW it always happened, only URLs like https://demo-trunk.ofbiz.apache.org/images/defaultImage.jpg work.

But here it's different because we don't need to call https://demo-trunk.ofbiz.apache.org/images by hand to get the issue in log.

So it's not very bad since it has no side effects, just weird and annoying. Because it might hide something undetected yet...

This issue does not appear in R15, a good place to test is for instance ordermgr/control/request.

There cal.gif is called by /images/cal.gif and it works (the image appears) but in more recent versions the call is also done to /ordermgr/control/images/cal.gif where it fails.

This 1st appears in ControlFilter in the stack trace.

As Deepak Dixit said:

I think we need to fix the image url in css file, it should start with /images, else browser appends this in request info. There is nothing related to java or tomcat code.

This is a 1st commit for the errors I already reported and I'm sure about

Common-theme does not exist here so some have been handled by hand

Thanks: Deepak

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1858447 13f79535-47bb-0310-9956-ffa450edef68

  1. … 4 more files in changeset.
Applied fix from trunk for revision: 1849165
------------------------------------------------------------------------
r1849165 | jleroux | 2018-12-18 12:20:28 +0100 (Tue, 18 Dec 2018) | 16 lines

Fixed: Date-find error when used in two forms of a same screen

(OFBIZ-10722)

When we have more than one form, in a screen, that uses a date-find field, the second date-find picker is not working.

To reproduce, you can add a new form with a date-find and call it below FindInvoices in FindInvoices screen. Then load page [https://localhost:8443/accounting/control/findInvoices]. You should see that there is no picker on the second date-find.

The patch adds an id that allows the renderDateFindField macro script to work for both fields

Thanks: Leila Mekika

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1857484 13f79535-47bb-0310-9956-ffa450edef68

    • -1 +1  ./template/macro/CsvFormMacroLibrary.ftl
    • -1 +1  ./template/macro/FoFormMacroLibrary.ftl
    • -7 +10  ./template/macro/HtmlFormMacroLibrary.ftl
    • -1 +1  ./template/macro/TextFormMacroLibrary.ftl
    • -1 +1  ./template/macro/XlsFormMacroLibrary.ftl
    • -1 +1  ./template/macro/XmlFormMacroLibrary.ftl
  1. … 2 more files in changeset.
Improved: Improve error message page to support Theming (OFBIZ-10753)

When OFBiz raises an error, the framework uses a JSP page to display it.

I improved the error page generation to also support FTL template rendering and by this way extend the theme engine to support overriding it.

In controller.xml we can now use:

<errorpage>/error/error.jsp</errorpage>

or

<errorpage>component://common/webcommon/error/Error.ftl</errorpage> (default configuration)

In your theme you can add your own error page:

<template>
...
<template-file widget=menu location=component://common-theme/template/macro/HtmlMenuMacroLibrary.ftl/>
+ <template-file widget=error location=component://common-theme/template/ErrorPage.ftl/>
</template>

The component://common/webcommon/error/Error.ftl contains the theming connection logic and, to simplify source code, all old framework error pages (error.jsp) have been removed to centralize everything on this new page.

Thanks to Marine Desmarchelier for the error page design

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/trunk@1856175 13f79535-47bb-0310-9956-ffa450edef68

# Conflicts:

# framework/webapp/src/main/java/org/apache/ofbiz/webapp/control/ControlServlet.java

# themes/common/template/ErrorPage.ftl

  1. … 22 more files in changeset.
Applied fix from trunk for revision: 1819947 ===

Reverted: Revision #1816270 not able to add an option with empty key in drop-down, (OFBIZ-9759)

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1849291 13f79535-47bb-0310-9956-ffa450edef68

    • -1 +1  ./template/macro/HtmlFormMacroLibrary.ftl
Applied fix from trunk for revision: 1848441 ===

Fixed: UI bug in scrum component

(OFBIZ-10676)

When editing product backlog items, inserted JavaScript code was executed on the client side. The confirmational blinking of the newly added or changed value was implemented using the .html(value) function of jQuery. This causes the HTML to be interpreted and the script to be executed. But the data is stored, converting it into HTML, so not considered to be a vulnerability.

The fix changes the call to .text. This prevents the HTML from being interpreted.

Thanks Benjamin Jugl for providing the patch.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1848442 13f79535-47bb-0310-9956-ffa450edef68
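
The two fixes backported above (OFBIZ-11090, unescaped renderLink parameters; OFBIZ-10676, `.html(value)` where `.text(value)` was needed) are the same bug in two output contexts. As an added example, not OFBiz code, the following shows both paths in plain JavaScript with a constructed attacker value; the link target path, the `renderLink`/`setText` names and the element stand-in are assumptions, not the project's FreeMarker macros or jQuery itself.

```javascript
// Added example, not OFBiz code: the same attacker-controlled value taking
// the unescaped and the escaped path in two output contexts, an href
// attribute (OFBIZ-11090) and element content (OFBIZ-10676).

// Constructed attacker value: closes the attribute or element it lands in.
const ATTACKER_VALUE = '"><img src=x onerror=alert(1)>';

// Encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Bug shape of OFBIZ-11090: parameter values dropped into the href raw.
function renderLinkUnsafe(target, params, text) {
  const query = Object.entries(params).map(([k, v]) => `${k}=${v}`).join("&");
  return `<a href="${target}?${query}">${text}</a>`;
}

// Fixed shape: encode for the URL context first (each query component),
// then for the HTML context (the whole attribute value, and the link text).
// Order matters: HTML-escaping first and URL-encoding second would turn
// "&amp;" into "%26amp%3B" and corrupt the query.
function renderLink(target, params, text) {
  const query = Object.entries(params)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
  return `<a href="${escapeHtml(`${target}?${query}`)}">${escapeHtml(text)}</a>`;
}

// Stand-in for a DOM element (assumption: only innerHTML matters here).
// jQuery's .html(v) assigns markup; .text(v) creates a text node, which
// serializes with the special characters escaped.
function setHtml(el, value) { el.innerHTML = String(value); return el; }
function setText(el, value) { el.innerHTML = escapeHtml(value); return el; }

// True when the markup contains a real <img> start tag (an entity-encoded
// "&lt;img" does not count); enough to tell the two paths apart here.
function injectsElement(markup) {
  return /<img\b/i.test(markup);
}

// Illustrative use with a path from the commit log; not OFBiz's renderLink macro.
const hostileLink = renderLinkUnsafe("/ordermgr/control/request", { productId: ATTACKER_VALUE }, "view");
const safeLink = renderLink("/ordermgr/control/request", { productId: ATTACKER_VALUE }, "view");
```

`injectsElement(hostileLink)` is true and `injectsElement(safeLink)` is false; likewise `setHtml` leaves a live `<img onerror>` in the element while `setText` stores `&quot;&gt;&lt;img …&gt;`, which the browser renders as literal text. The scrum fix is the `.text` path; the renderLink fix is the second of the two encodings in `renderLink`.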

Fixed: Update and fix openstreetmap.org integration. (OFBIZ-10553)

Manual backport because of the renamed paths.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1848436 13f79535-47bb-0310-9956-ffa450edef68

    • -24 +55  ./template/includes/GeoLocation.ftl
    • -0 +2  ./webapp/common/js/plugins/OpenLayers-5.3.0.css
    • -0 +8  ./webapp/common/js/plugins/OpenLayers-5.3.0.js
Improved: Use of layered-modal with parameter does not work (OFBIZ-10511)

Thanks Arsalane Arrach for your contribution. Use &quot; to escape the double quotation marks

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-framework/branches/release17.12@1840094 13f79535-47bb-0310-9956-ffa450edef68

    • -3 +3  ./template/macro/HtmlFormMacroLibrary.ftl