Clone Tools
  • last updated 19 mins ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 20 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 20 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 20 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

A schema conformance issue has been fixed in ecommerce “web.xml”.

(cherry picked from commit 1158664ba37264fa6b8429033bad768175ff10d5)

# Conflicts handled by hand

# msggateway/webapp/msggateway/WEB-INF/web.xml

  1. … 25 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

A schema conformance issue has been fixed in ecommerce “web.xml”.

  1. … 25 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

A schema conformance issue has been fixed in ecommerce “web.xml”.

# Conflicts handled by hand

# msggateway/webapp/msggateway/WEB-INF/web.xml

  1. … 25 more files in changeset.
"Applied fix from plugins for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1851073 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
"Applied fix from plugins for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1851072 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses

the @WebListener annotation to start the process. This avoid to duplicates

things everywhere in web.xml files. Since the web.xml files have precedence

on annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce the ecommerce session cookie is

also secured.

I also noted that we had 8 weird <session-timeout> declarations:

in solr component: <session-timeout>2</session-timeout>

in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode>

declarations. I think it's not good.

I resolve these points by simply removing the <session-config> in web.xml files

of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

  1. … 24 more files in changeset.
Fixed: Create an Accounting Transaction page not found (OFBIZ-9228)

Go through

Asset Maint --> Fixed Assets - >>> find DEMO_VEHICLE_01 --> Depreciation

and then press on button Create an Accounting Transaction: 00.000

will give ERROR not found

jleroux: the partyDecoratorLocation was missing in webapp/assetmaint/WEB-INF/web.xml

Thanks: Moatasim Al Masri for report, Ismail Alkouz for a try (not my solution)

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1784144 13f79535-47bb-0310-9956-ffa450edef68

Implemented: removed the "controller" related logic, that is now provided by the new ControlFilter, from the ContextFilter; modified existing applications to use the two filters in a chain; removed from the other specialized filters all the logic that was duplicated or extended from ContextFilter.

A web application, in order to leverage the OFBiz framework, requires that a

series of objects are in its contexts (servlet context, session and request)

such as "delegator", "delegatorName", "dispatcher", "security" etc. etc...

This setup is performed by the logic contained in the servlet filter implemented

by the ContextFilter class.

The execution of this logic is required for the application to run properly.

However, before this commit, in the ContextFilter there was other logic, related

to access control and redirection rules (some of them performed in coordination

with the ControlServlet), making it difficult to deploy this filter in all the

web applications, especially the ones that implement special handling of paths.

In fact, this filter was deployed in most but not all the web application in the

OFBiz codebase: specifically it was not deployed in web applications that

require the execution of other filters (e.g. CatalogUrlFilter, etc...) like the

ones in the "ecommerce" and "solr" components.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1761304 13f79535-47bb-0310-9956-ffa450edef68

  1. … 25 more files in changeset.
[OFBIZ-7311] - Applied the patch from the ticket. Removing the unused references of the maincss.css from source code, following is done- 1) Removed 'maincss.css' entry from 'allowedPaths' param of from web.xml Reason: Since, there is no file like 'maincss.css' exist under any includes directory. 2) Removed the unused references of maincss.css from FTLs, code <link rel="stylesheet" href="${StringUtil.wrapString(baseUrl!)}/images/maincss.css" type="text/css"/> has been removed. Reason: This is an interesting thing, these FTLs were using the maincss.css located under the images directory. When I look the history of these files, following were my findings, The 'maincss.css' file under the 'images' directory exist in release4.0 http://svn.apache.org/repos/asf/ofbiz/branches/release4.0/framework/images/webapp/images/ after this release, this files no longer exist there. 3) Also, I have updated one file 'InventoryNoticeEmail.ftl' and used the basic HTML code to style, instead of using style defined in 'maincss.css' which were exist in release-4.0 4) Updated some references from 'maincss.css' to style.css in comments. 5) Also removed the entry of including '/images/maincss.css' and '/images/mainrtl.css' in SimpleDecorator Since, these files no longer exist after release-4.0.

Thanks Wai for reviewing the work and thanks Swapnil M Mane for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1758389 13f79535-47bb-0310-9956-ffa450edef68

  1. … 20 more files in changeset.
(OFBIZ-6274) Renamed OFBiz artefacts from org.ofbiz.* to org.apache.ofbiz.*.Thanks to Taher for working on it.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1752920 13f79535-47bb-0310-9956-ffa450edef68

  1. … 636 more files in changeset.
Temporary fix for "UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]" - https://issues.apache.org/jira/browse/OFBIZ-6807

As suggested by Deepak keeps only <<web-app version="3.0">> in web.xml files instead of whole xmlns and schemaLocation.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1726388 13f79535-47bb-0310-9956-ffa450edef68

  1. … 26 more files in changeset.
OFBIZ-(6655) Add session tracking mode and make cookie secure for all special purpose component. Also updated the web-app version for web.xml files.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1724940 13f79535-47bb-0310-9956-ffa450edef68

  1. … 18 more files in changeset.
[OFBIZ-6171] Applied patch from Pierre Smits for replacing 'Open for Business' references with 'Apache OFBiz'.Thanks Pierre for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1706589 13f79535-47bb-0310-9956-ffa450edef68

  1. … 64 more files in changeset.
remove the rest of the website definitions from seed data, the ones that are left are in the demo data

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1158099 13f79535-47bb-0310-9956-ffa450edef68

  1. … 9 more files in changeset.
A patch from BJ Freeman "complete web.xml for error reporting" (https://issues.apache.org/jira/browse/OFBIZ-3820) - OFBIZ-3820

BJ: when there is an error, the control servlet looks for an error path in <param-name>allowedPaths</param-name>

it does not find one throwing an exception which buries the orginal error.

instead of changing the code it is just easier to add the /error: path.

then the real error gets reported correctly.

JLR: This will maybe help to better understand some errors on demo servers, and can't hurt

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@954135 13f79535-47bb-0310-9956-ffa450edef68

  1. … 14 more files in changeset.
2d part and end of an effort to remove trailing spaces [ \t]+$ => "" (empty) Should be easier to review when committing changes with trailing spaces removed automatically by anyedit or such tool (please refer to http://docs.ofbiz.org/x/mg)

Of course this effort to remove trailing spaces has no functional implications.

Actually, I was doing a 1st commit and as it's long to upload, I got conflicts with r763135

In the meantime I did some refactoring also in *.java and *.groovy files :

){ => ) {

if( => if (

while( => while (

}else => } else

else{ => else {

switch( => switch (

try{ => try {

}catch => } catch

catch( => catch (

}finally{ => } finally {

So these changes are also in this commit, should not be a problem anyway.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@763175 13f79535-47bb-0310-9956-ffa450edef68

  1. … 419 more files in changeset.
Changed WebSiteId parameter description to be more general

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@751214 13f79535-47bb-0310-9956-ffa450edef68

  1. … 12 more files in changeset.
Added webSiteId definition for every webapp. This will be used to link online help pages to OFBiz screens. The webSiteId will also be used to associate VisualThemeSets to webapps.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@744502 13f79535-47bb-0310-9956-ffa450edef68

  1. … 7 more files in changeset.
Reverted part of my previous commit.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@701151 13f79535-47bb-0310-9956-ffa450edef68

Fixed problem with Asset Maintenance screens, reported by ChristopherJ on the user mailing list.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@701143 13f79535-47bb-0310-9956-ffa450edef68

Asset Maintenance improvements:

1. Demo Data.

2. Product Maintenance screen.

3. Fixed non-functional product lookup buttons

Internationalization note: this commit contains a new UI label.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@673532 13f79535-47bb-0310-9956-ffa450edef68

  1. … 8 more files in changeset.
Changes to Asset Maint component to re-use existing screens better.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@662307 13f79535-47bb-0310-9956-ffa450edef68

  1. … 9 more files in changeset.
A (large) patch from Scott Gray "Update ASL header" (https://issues.apache.org/jira/browse/OFBIZ-637). I put also some svn:ignore for shark build and lib diretories and assetmaint/build

I did some by hand lately, too much to remember. They were files with old header but without copyright. A 1st attempt I suppose, will have to check this after this commit.

I add some problems to commit this patch in one piece because it's so huge (specially with Eclipse I had to turn to Tortoise) !

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@499486 13f79535-47bb-0310-9956-ffa450edef68

  1. … 100 more files in changeset.
Added assetmaint derived app from Anil Patel in Jira #OFBIZ-437; note that this is going directly in because even though it is add-on code it was developed from the beginning to go into OFBiz and simply had not yet because of my time constraints to do a final review and commit of it; I was involved from early on working with Anil on this so the code history is also not in question

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@498895 13f79535-47bb-0310-9956-ffa450edef68

  1. … 24 more files in changeset.