Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.
(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the
cookie can be sent as a result of a 'cross-site' request. The SameSite attribute
is an effective countermeasure to cross-site request forgery, cross-site script
inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter
   (SameSiteFilter) and even that is not enough because of 2:
2. To prevent session fixation we force Tomcat to generate a new jsessionId,
   ultimately put in a cookie, in LoginWorker::login. So we need to add a call to
   SameSiteFilter::addSameSiteCookieAttribute in
   UtilHttp::setResponseBrowserDefaultSecurityHeaders.

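The two-step approach the commit describes, as an added example that is not OFBiz's own SameSiteFilter: the Servlet API's Cookie class has no SameSite setter, so the attribute has to be appended to the Set-Cookie header text after the request has run, and the helper is exposed so it can be invoked again once the session id has been regenerated at login (class and method names are this example's own).

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter; the name and class layout are this example's own. */
public class SameSiteStrictFilter implements Filter {

    private static final String SET_COOKIE = "Set-Cookie";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Let the request run first so every cookie the application (or the
        // container, for JSESSIONID) adds is already in the response headers.
        chain.doFilter(req, res);
        if (res instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) res);
        }
    }

    /**
     * Rewrites every Set-Cookie header so it carries SameSite=Strict. Public and
     * static so it can be called again right after the session id is regenerated
     * at login: a cookie written after this filter's post-processing, or once the
     * response is committed, would otherwise go out without the attribute.
     */
    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
        if (response.isCommitted()) {
            return; // headers are already on the wire; nothing can be changed now
        }
        // Copy first: setHeader/addHeader below replace the live header collection.
        List<String> cookies = new ArrayList<>(response.getHeaders(SET_COOKIE));
        boolean first = true;
        for (String cookie : cookies) {
            String value = withSameSiteStrict(cookie);
            if (first) {
                response.setHeader(SET_COOKIE, value); // drops the old values
                first = false;
            } else {
                response.addHeader(SET_COOKIE, value);
            }
        }
    }

    /** Idempotent: a cookie that already declares SameSite is left untouched. */
    static String withSameSiteStrict(String setCookie) {
        String lower = setCookie.toLowerCase(Locale.ROOT);
        return lower.contains("samesite=") ? setCookie : setCookie + "; SameSite=Strict";
    }
}
```

Where the Tomcat version supports it, the same result is available without a filter by setting sameSiteCookies="strict" on the CookieProcessor element in context.xml, which also covers the regenerated session cookie.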
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml
the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

(cherry picked from commit 1158664ba37264fa6b8429033bad768175ff10d5)

# Conflicts handled by hand
# msggateway/webapp/msggateway/WEB-INF/web.xml

Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml
the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

"Applied fix from plugins for revision: 1858141"
------------------------------------------------------------------------
r1858141 | jleroux | 2019-04-25 16:27:36 +0200 (jeu. 25 avr. 2019) | 11 lignes

Fixed: Ensure html verbosity is following general setup
(OFBIZ-10940)

Currently the configuration of the Birt and Scrum components does not follow the
- de facto - standard of having the html code reference the OFBiz widget and
templates.

See [1] vs [2]
[1] view-source:https://demo-trunk.ofbiz.apache.org/birt/control/main
[2] view-source:https://demo-trunk.ofbiz.apache.org/accounting/control/main

Thanks: Pierre Smits
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1858143 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from plugins for revision: 1858141"
------------------------------------------------------------------------
r1858141 | jleroux | 2019-04-25 16:27:36 +0200 (jeu. 25 avr. 2019) | 11 lignes

Fixed: Ensure html verbosity is following general setup
(OFBIZ-10940)

Currently the configuration of the Birt and Scrum components does not follow the
- de facto - standard of having the html code reference the OFBiz widget and
templates.

See [1] vs [2]
[1] view-source:https://demo-trunk.ofbiz.apache.org/birt/control/main
[2] view-source:https://demo-trunk.ofbiz.apache.org/accounting/control/main

Thanks: Pierre Smits
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1858142 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Ensure html verbosity is following general setup (OFBIZ-10940)

Currently the configuration of the Birt and Scrum components does not follow the
- de facto - standard of having the html code reference the OFBiz widget and
templates.

See [1] vs [2]
[1] view-source:https://demo-trunk.ofbiz.apache.org/birt/control/main
[2] view-source:https://demo-trunk.ofbiz.apache.org/accounting/control/main

Thanks: Pierre Smits

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1858141 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure
(OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd
we decided to put back the session-timeout value in web.xml files and to remove
the line
session.setMaxInactiveInterval(60*60); //in seconds
from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1851073 13f79535-47bb-0310-9956-ffa450edef68

"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure
(OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd
we decided to put back the session-timeout value in web.xml files and to remove
the line
session.setMaxInactiveInterval(60*60); //in seconds
from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1851072 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following the "Session timeout for webapps" discussion on the dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd
we decided to put back the session-timeout value in web.xml files and to remove
the line
session.setMaxInactiveInterval(60*60); //in seconds
from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses
the @WebListener annotation to start the process. This avoids duplicating
things everywhere in web.xml files. Since the web.xml files have precedence
over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce, the ecommerce session cookie is
also secured.

I also noted that we had 8 weird <session-timeout> declarations:
in solr component: <session-timeout>2</session-timeout>
in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode>
declarations. I think it's not good.

I resolve these points by simply removing the <session-config> in web.xml files
of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

Fixed: Remove the birt.tld file and all related files and lines (OFBIZ-9323)

As explained in the Jira, for legal reasons we need to remove the Birt Web
Viewer from OFBiz

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1792432 13f79535-47bb-0310-9956-ffa450edef68

No functional changes

completes r1781219 by putting svn:eol-style=native to all file types declared
in [auto-props] section of the svn config files.css

Actually this is only a 1st pass, it was too complicated to do it for
all file types at once, only concerned here:
*.java;*.bsh;*.groovy;*.jsp;*.tld;*.ftl;*.js;*.sql;*.c;*.cpp;*.h;*.txt;*.sgml;
*.properties;*.xml;.classpath;.project;*.sld;*.gml;*.xsl;*.xsd
*.html;*.htm;*.css;*.md;README;NOTICE;LICENSE;rc.ofbiz.*;*.less;*.dsp;*.dsw

Most files should not be concerned by this change, but it's impossible to do
it one by one.

There are also changes in files which have mixed EOLs; because this has no sense
when using native which automatically resolves this issue

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1781731 13f79535-47bb-0310-9956-ffa450edef68

No functional changes

At http://markmail.org/message/ffmyw773p65fndey I wrote:

I'd like to follow the suggestion I made in the last message of the linked
thread.
In other words, use
http://subversion.apache.org/docs/release-notes/1.8.html#repos-dictated-config
http://blogs.collab.net/subversion/the-road-to-repository-dictated-configuration-day-2-autoprops

Then this problem would be over. No longer need to check from time to time that
concerned files have svn:eol-style=native property set

This implies that all OFBiz users use svn > 1.7, but we can inform them, et voilà

Then at markmail.org/message/h3q2yvj4db544ro7 I wrote:

Actually, since we get new committers now and then and they are able to create
new files I have a warning every 6 months which says "Check Java
files, have all svn:eol-style=native" (I totally forgot that because I assume
the machine knows it and warns me ;))
I could extend that to all files (at least the most prominent types), I'll
see...

This does what the last sentence said for Groovy, XML and a few new Birt
Java files.

I'll see if I can implement the svn 1.8 repos-dictated-config ASAP!

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1781219 13f79535-47bb-0310-9956-ffa450edef68

Fixed: After creating a new Flexible Birt report, before visualising it you need to do other actions (OFBIZ-9194)

You need to add the data set fields with the Birt Report Designer
and publish the report. This will be documented with OFBIZ-9188

I thought about graying the button but it was a delicate matter because it uses
a <content element in screen and directly calls a view handled from a Groovy
event.

It was easier to fix the PrepareBirtCall Groovy event. But to be totally sure
I also handled the possible NPE in the BirtViewHandler

I also fixed viewLast error in controller

Because the files were not committed with the svn:eol-style native property
you will see false changes in this commit. Some files have their svn:eol-style
native property set. I'll soon commit missing so in new Birt Java files.

I'll also commit a lot of svn:eol-style native property changes for XML and
Groovy files which have been neglected so far. I'm sorry for that because
when we do so we lose the annotations history. I will then definitely put in
place what I suggested in http://markmail.org/message/ffmyw773p65fndey

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1781218 13f79535-47bb-0310-9956-ffa450edef68

Improved: Implement and demonstrate a few services in Birt Report Builder (OFBIZ-9192)

The Birt Report Builder can also use services. For now only the "rotation"
report has been provided. We can provide more examples based on François'
work.

Here are trivial changes:
fixes missing Lookup maps and view in controller for the "rotation" report
new needed labels
typos fixed

Thanks:

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1781084 13f79535-47bb-0310-9956-ffa450edef68

Implemented: Birt Report Builder: an enhancement of the Birt component. Easier user possibility of report creation. (OFBIZ-6919)

The concept: you define a report domain related to an entity or a service through a master content (master report) and a master search form.
When a high level user creates a report on a configured domain, OFBiz prepares an instantiation of the master content (flexible report) that permits
to surcharge the search form (recorded dynamically on the content as ElectronicText) and prepares a rptDesign skeleton.
The high level user can download the rptDesign to edit it through the birt editor, with all fields that ofbiz will load as dataset, and when finished upload the result on the content instantiation.
For the end user, he selects the instantiation report, OFBiz displays the report search from the content instantiation and the submission calls birt with the search parameters and the linked rptDesign.

The rptDesign file is driven by OFBiz to build the data set by two methods:
* call the performFind if the domain is related to an entity
* call a custom service if the domain is related to a service.

For the last case we need two services, a first which prepares and lists available fields for search and display, and a second which realizes the search.
By convention currently the first service has the same name as the second service suffixed by 'PrepareFields'

This commit contains:
* useful UI to create a new content instance from a master content. List, edit, remove a content instance and a simple drop-down to list all instances published (ready to use by end user)
* all services (with the word flexibleReport) to manage a flexible report, prepare the rptDesign skeleton, reanalyze the rptDesign uploaded, prepare the search form
* Services interface to define your own search custom method
* Two examples, one on the entity Exemple and one with the service flexibleReportTurnOver. Warning! these are raw examples without a beautiful rptDesign so you need to update the rptDesign with the birt editor to display something.

Thanks: François Wurmser for initializing this improvement, Jacques and Gil for their time to analyze, document and refactor the code

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1780683 13f79535-47bb-0310-9956-ffa450edef68

Implemented: renamed the directory specialpurpose to plugins (OFBIZ-7972)

In another step towards completing the plugin system for OFBiz, we renamed
the /specialpurpose directory to /plugins and changed all occurrences of the
word "specialpurpose" to "plugins" in all files found in the system

Reference discussion: http://markmail.org/message/hpyuxkmftiyn44w2

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1778271 13f79535-47bb-0310-9956-ffa450edef68

Implemented: removed the "controller" related logic, that is now provided by the new ControlFilter, from the ContextFilter; modified existing applications to use the two filters in a chain; removed from the other specialized filters all the logic that was duplicated or extended from ContextFilter.

A web application, in order to leverage the OFBiz framework, requires that a
series of objects are in its contexts (servlet context, session and request)
such as "delegator", "delegatorName", "dispatcher", "security" etc. etc...
This setup is performed by the logic contained in the servlet filter implemented
by the ContextFilter class.
The execution of this logic is required for the application to run properly.

However, before this commit, in the ContextFilter there was other logic, related
to access control and redirection rules (some of them performed in coordination
with the ControlServlet), making it difficult to deploy this filter in all the
web applications, especially the ones that implement special handling of paths.
In fact, this filter was deployed in most but not all the web applications in the
OFBiz codebase: specifically it was not deployed in web applications that
require the execution of other filters (e.g. CatalogUrlFilter, etc...) like the
ones in the "ecommerce" and "solr" components.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1761304 13f79535-47bb-0310-9956-ffa450edef68

[OFBIZ-7311] - Applied the patch from the ticket.

Removing the unused references of the maincss.css from source code, following is done:

1) Removed 'maincss.css' entry from 'allowedPaths' param of web.xml.
   Reason: Since there is no file like 'maincss.css' under any includes directory.

2) Removed the unused references of maincss.css from FTLs; the code
   <link rel="stylesheet" href="${StringUtil.wrapString(baseUrl!)}/images/maincss.css" type="text/css"/>
   has been removed.
   Reason: This is an interesting thing, these FTLs were using the maincss.css located under the images directory. When I look at the history of these files, following were my findings: the 'maincss.css' file under the 'images' directory exists in release4.0
   http://svn.apache.org/repos/asf/ofbiz/branches/release4.0/framework/images/webapp/images/
   after this release, this file no longer exists there.

3) Also, I have updated one file 'InventoryNoticeEmail.ftl' and used the basic HTML code to style, instead of using the style defined in 'maincss.css' which existed in release-4.0.

4) Updated some references from 'maincss.css' to style.css in comments.

5) Also removed the entry including '/images/maincss.css' and '/images/mainrtl.css' in SimpleDecorator, since these files no longer exist after release-4.0.

Thanks Wai for reviewing the work and thanks Swapnil M Mane for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1758389 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-6274) Renamed OFBiz artefacts from org.ofbiz.* to org.apache.ofbiz.*. Thanks to Taher for working on it.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1752920 13f79535-47bb-0310-9956-ffa450edef68

Fixes a "typo" in last commit for "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

We used targetNamespace (should only be used in schema) instead of xsi:schemaLocation

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749634 13f79535-47bb-0310-9956-ffa450edef68

Completes and finishes "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

This is the 2nd step: puts back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749489 13f79535-47bb-0310-9956-ffa450edef68

Completes and finishes "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061 by replacing xsd file references in xml files by -ns.xsd files and removing the concerned xsd files

This is a 1st step, in a 2nd I will put back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749488 13f79535-47bb-0310-9956-ffa450edef68

Temporary fix for "UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]" - https://issues.apache.org/jira/browse/OFBIZ-6807

As suggested by Deepak, keeps only <<web-app version="3.0">> in web.xml files instead of the whole xmlns and schemaLocation.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1726388 13f79535-47bb-0310-9956-ffa450edef68

(OFBIZ-6655) Add session tracking mode and make cookie secure for all special purpose components. Also updated the web-app version for web.xml files.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1724940 13f79535-47bb-0310-9956-ffa450edef68

[OFBIZ-6171] Applied patch from Pierre Smits for replacing 'Open for Business' references with 'Apache OFBiz'. Thanks Pierre for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1706589 13f79535-47bb-0310-9956-ffa450edef68

Reorganized the screen widget src folder so classes are more organized.

This commit might break some Groovy scripts. There seemed to be a lot of C&P widget import statements, but there were no widget classes being used in the script, so I removed them. I might have overlooked something though.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1652852 13f79535-47bb-0310-9956-ffa450edef68