ofbiz-plugins

Fixed: Product Images not rendering on One Page Checkout (OFBIZ-11400)

Thanks: Archana Asthana for the report and Devanshu Vyas for the patch.

    • -2 +2 /ecommerce/template/cart/UpdateCart.ftl
Adds the meta CSRF token for Ajax

Improved: POC for CSRF Token

(OFBIZ-11306)

There is no need to change it in common-controller because, apart from the ecommerce application, there are no applications that require an anonymous flow. It should only be changed in the ecommerce controller.

Improved: fixes a typo due to OFBIZ-11030

Thanks: Pierre Smits for spotting it

Improved: formatting Implemented: Documented: Completed: Reverted: Fixed:

(OFBIZ-)

Explanation

Thanks:

Fixed: Convert DimensionServices.xml minilang to groovy

(OFBIZ-10948)

Now correctly creates the CurrencyDimension using currency.uomId. No need for delegator.setNextSeqId(); looking at the (now removed) DimensionServices.xml confused me.

Thanks: Pierre Smits for report

Fixed: prepareProductDimensionData does not load correct fields in ProductDimension (OFBIZ-11465)

Thanks: Pierre Smits for your contribution.

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

    • -0 +9 /assetmaint/webapp/ismgr/WEB-INF/web.xml
    • -0 +9 /birt/webapp/accounting/WEB-INF/web.xml
    • -0 +9 /example/webapp/example/WEB-INF/web.xml
    • -0 +9 /lucene/webapp/content/WEB-INF/web.xml
    • -0 +9 /myportal/webapp/myportal/WEB-INF/web.xml
    … 6 more files in changeset.
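The commit above describes two things: a servlet filter that stamps SameSite on every Set-Cookie header, and a static helper that the login flow calls itself because the session cookie is re-issued after the filter has already run. The Java below is an added illustration of that mechanism, not OFBiz's own SameSiteFilter or UtilHttp code; the class name `SameSiteStrictFilter`, the helper `withSameSite` and the use of the `javax.servlet` API are assumptions made for the example.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (assumed name, not OFBiz's SameSiteFilter): once the rest
 * of the chain has produced the response, rewrite every Set-Cookie header so it
 * carries SameSite=Strict. The rewrite is a static helper so that code issuing
 * cookies after this filter's pass (for example a login handler that regenerates
 * the session id) can invoke the same logic on its own.
 */
public class SameSiteStrictFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";
    private static final String SAME_SITE_STRICT = "SameSite=Strict";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        if (res instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) res);
        }
    }

    /** Rewrites all Set-Cookie headers currently present on the response. */
    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
        // Headers cannot be changed once the response is committed (a servlet
        // already flushed its body), so the rewrite is only possible before that.
        if (response.isCommitted()) {
            return;
        }
        // Copy first: getHeaders() may hand back a live view of the header map.
        List<String> cookies = new ArrayList<>(response.getHeaders(SET_COOKIE));
        boolean first = true;
        for (String cookie : cookies) {
            String rewritten = withSameSite(cookie);
            if (first) {
                // setHeader replaces every existing Set-Cookie value ...
                response.setHeader(SET_COOKIE, rewritten);
                first = false;
            } else {
                // ... and addHeader appends the remaining ones.
                response.addHeader(SET_COOKIE, rewritten);
            }
        }
    }

    /**
     * Returns the Set-Cookie value with SameSite=Strict appended, unless the
     * value already declares a SameSite attribute, which is left untouched so a
     * deliberate SameSite=Lax or None is not silently overridden.
     */
    static String withSameSite(String setCookieValue) {
        for (String attribute : setCookieValue.split(";")) {
            String trimmed = attribute.trim();
            if (trimmed.regionMatches(true, 0, "SameSite=", 0, "SameSite=".length())) {
                return setCookieValue;
            }
        }
        return setCookieValue + "; " + SAME_SITE_STRICT;
    }
}
```

The filter is registered with a `<filter>` and `<filter-mapping>` entry in each webapp's WEB-INF/web.xml, which is why the changeset touches exactly those files. Two points to check when reusing the idea: the post-chain rewrite only works for cookies that were added before the response was committed, and any cookie set after the filter returns (the regenerated session cookie after login being the case the commit names) needs an explicit call to the helper. Also keep in mind that SameSite=Strict is not sent on top-level navigations from other sites, so a user arriving from an external link lands without their existing session; that is the intended trade-off, but it should be a conscious one.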
Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Put back getAssociatedStateList request in ecommerce to auth="false" to allow the anonymous flow

Thanks: Deepak for spotting and reporting the issue (twice, inadvertently I removed the complete file, I have no idea how I did that :/)

    • -0 +2008 /ecommerce/webapp/ecommerce/WEB-INF/controller.xml
Fixed: Convert DimensionServices.xml minilang to groovy

(OFBIZ-10948)

There is a bug with loadCurrencyDimension in DimensionServices.groovy. It shows when running quickInitDataWarehouse.

The problem is this Minilang expression is missing in DimensionServices.groovy:

<sequenced-id sequence-name="CurrencyDimension" field="currencyDim.dimensionId"/>

Adding

delegator.setNextSeqId(currencyDim)

is enough.


Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Put back getAssociatedStateList request in ecommerce to auth="false" to allow the anonymous flow

Thanks: Deepak for spotting and reporting the issue

    • -2008 +0 /ecommerce/webapp/ecommerce/WEB-INF/controller.xml
Improved: no functional change

Follows the "How to apply the Apache License to your work" section at https://www.apache.org/licenses/LICENSE-2.0

Improved: "auth" should be true for all the request url used for Application components

(OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true"

Thanks: Amardeep Singh Jhajj for report and initial fix

Implemented: have a license

(OFBIZ-11451)

Fixes missing sections in LICENCE and adds NOTICE

I have also removed the plugins prefix in "URIs" because we are under plugins

Thanks: Jacopo for spotting missing sections

Improved: Convert FactServices.xml minilang to groovy.

(OFBIZ-11030)

Thanks Pierre Smits for reporting and Sebastian Berg for providing the patch.

    • -0 +664 /bi/groovyScripts/FactServices.groovy
Implemented: Remove the user login security question.

(OFBIZ-11244)

Thanks Wiebke Pätzold for providing the patch.

    • -22 +1 /webpos/template/GetSecurityQuestion.ftl
Improved: Added Eclipse bin folder to gitignore.

Implemented: have a license

(OFBIZ-11451)

Merge pull request #7 from priyasharma1/OFBIZ-10948

Improved: Convert DimensionServices.xml minilang to groovy (OFBIZ-10948)