Clone Tools
  • last updated 17 mins ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 20 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 20 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies.

(OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the

cookie can be sent as a result of a 'cross-site' request. The SameSite attribute

is an effective counter measure to cross-site request forgery, cross-site script

inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter

(SameSiteFilter) and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generates a new jsessionId,

ultimately put in cookie, in LoginWorker::login. So we need to add a call to

SameSiteFilter::addSameSiteCookieAttribute in

UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  1. … 20 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

A schema conformance issue has been fixed in ecommerce “web.xml”.

(cherry picked from commit 1158664ba37264fa6b8429033bad768175ff10d5)

# Conflicts handled by hand

# msggateway/webapp/msggateway/WEB-INF/web.xml

  1. … 25 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

A schema conformance issue has been fixed in ecommerce “web.xml”.

  1. … 25 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid SAXParseException traceback when parsing web.xml

the first time in WebappUtil.parseWebXmlFile

A schema conformance issue has been fixed in ecommerce “web.xml”.

# Conflicts handled by hand

# msggateway/webapp/msggateway/WEB-INF/web.xml

  1. … 25 more files in changeset.
"Applied fix from plugins for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1851073 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
"Applied fix from plugins for revision: 1851068 " ------------------------------------------------------------------------ r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure

(OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1851072 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML

https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove

the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

  1. … 22 more files in changeset.
Improved: Replace request-redirect w/ no redirect-param attribute by request-redirect-no-param (OFBIZ-9997)

There was a typo in r1816180 , this fixes it and adds plugins part

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1816183 13f79535-47bb-0310-9956-ffa450edef68

  1. … 3 more files in changeset.
Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses

the @WebListener annotation to start the process. This avoid to duplicates

things everywhere in web.xml files. Since the web.xml files have precedence

on annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce the ecommerce session cookie is

also secured.

I also noted that we had 8 weird <session-timeout> declarations:

in solr component: <session-timeout>2</session-timeout>

in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode>

declarations. I think it's not good.

I resolve these points by simply removing the <session-config> in web.xml files

of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

  1. … 24 more files in changeset.
Implemented: removed the "controller" related logic, that is now provided by the new ControlFilter, from the ContextFilter; modified existing applications to use the two filters in a chain; removed from the other specialized filters all the logic that was duplicated or extended from ContextFilter.

A web application, in order to leverage the OFBiz framework, requires that a

series of objects are in its contexts (servlet context, session and request)

such as "delegator", "delegatorName", "dispatcher", "security" etc. etc...

This setup is performed by the logic contained in the servlet filter implemented

by the ContextFilter class.

The execution of this logic is required for the application to run properly.

However, before this commit, in the ContextFilter there was other logic, related

to access control and redirection rules (some of them performed in coordination

with the ControlServlet), making it difficult to deploy this filter in all the

web applications, especially the ones that implement special handling of paths.

In fact, this filter was deployed in most but not all the web application in the

OFBiz codebase: specifically it was not deployed in web applications that

require the execution of other filters (e.g. CatalogUrlFilter, etc...) like the

ones in the "ecommerce" and "solr" components.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1761304 13f79535-47bb-0310-9956-ffa450edef68

  1. … 25 more files in changeset.
[OFBIZ-7311] - Applied the patch from the ticket. Removing the unused references of the maincss.css from source code, following is done- 1) Removed 'maincss.css' entry from 'allowedPaths' param of from web.xml Reason: Since, there is no file like 'maincss.css' exist under any includes directory. 2) Removed the unused references of maincss.css from FTLs, code <link rel="stylesheet" href="${StringUtil.wrapString(baseUrl!)}/images/maincss.css" type="text/css"/> has been removed. Reason: This is an interesting thing, these FTLs were using the maincss.css located under the images directory. When I look the history of these files, following were my findings, The 'maincss.css' file under the 'images' directory exist in release4.0 http://svn.apache.org/repos/asf/ofbiz/branches/release4.0/framework/images/webapp/images/ after this release, this files no longer exist there. 3) Also, I have updated one file 'InventoryNoticeEmail.ftl' and used the basic HTML code to style, instead of using style defined in 'maincss.css' which were exist in release-4.0 4) Updated some references from 'maincss.css' to style.css in comments. 5) Also removed the entry of including '/images/maincss.css' and '/images/mainrtl.css' in SimpleDecorator Since, these files no longer exist after release-4.0.

Thanks Wai for reviewing the work and thanks Swapnil M Mane for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1758389 13f79535-47bb-0310-9956-ffa450edef68

  1. … 20 more files in changeset.
(OFBIZ-7674) Applied patch from jira issue ================================ Unable to perform search at "eBay Orders Import" screen of eBay component ================================ Thanks Pawan for your contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1758017 13f79535-47bb-0310-9956-ffa450edef68

  1. … 1 more file in changeset.
(OFBIZ-6274) Renamed OFBiz artefacts from org.ofbiz.* to org.apache.ofbiz.*.Thanks to Taher for working on it.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1752920 13f79535-47bb-0310-9956-ffa450edef68

    • -15
    • +15
    ./ebaystore/WEB-INF/controller.xml
  1. … 635 more files in changeset.
Fixes a "typo" in last commit for "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

We used targetNamespace (should only be used in schema) instead of xsi:schemaLocation

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749634 13f79535-47bb-0310-9956-ffa450edef68

  1. … 222 more files in changeset.
Completes and finish "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061

This is the 2nd step: puts back the original names, so it will be transparent for remaining references in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749489 13f79535-47bb-0310-9956-ffa450edef68

  1. … 222 more files in changeset.
Completes and finish "Autocompletion for Compound Widget" - https://issues.apache.org/jira/browse/OFBIZ-7061 by replacing xsd files references in xml files by -ns.xsd files and removing the concerned xsd files

This is a 1st step, in a 2nd I will put back the original names, so it will be transparent for remaining reference in xml catalogs, Java code, etc.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1749488 13f79535-47bb-0310-9956-ffa450edef68

  1. … 222 more files in changeset.
(OFBIZ-7236) Relocate .groovy files in the specialpurpose/ebaystore component

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1747785 13f79535-47bb-0310-9956-ffa450edef68

  1. … 17 more files in changeset.
A big but straightforward commit for "Move minilang scripts from component://componentname/script/org/ofbiz to component://componentname/minilang" - https://issues.apache.org/jira/browse/OFBIZ-7267

I removed duplicate paths were componentname was uselessly repeated after component://componentname/script/org/ofbiz (projectmngr was the only one using there project instead)

I had few typos, easily fixed thanks to the tests. There could be still typos but they are unexpected and anyway no-brainer to fix

I'm still wondering about specialpurpose/example/minilang/README.txt.

I changed its content to

"The minilang directory is for static resources that are interpreted at run time rather than being compiled. This goes on the classpath, but does not get built or put into a JAR file."

not sure it makes any sense, I don't see how this relates to the classpath.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1747712 13f79535-47bb-0310-9956-ffa450edef68

    • -10
    • +10
    ./ebaystore/WEB-INF/controller.xml
  1. … 118 more files in changeset.
(OFBIZ-6829) relocate .ftl files in the specialpurpose/ebaystore component

Thanks Pierre for your contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1740504 13f79535-47bb-0310-9956-ffa450edef68

    • -538
    • +0
    ./ebaystore/feedback/LeaveFeedback.ftl
    • -481
    • +0
    ./ebaystore/store/StoreSetting.ftl
    • -142
    • +0
    ./ebaystore/store/ebayApiKeywordSearch.ftl
    • -131
    • +0
    ./ebaystore/store/orderImported.ftl
    • -827
    • +0
    ./ebaystore/store/productsearchExport.ftl
    • -154
    • +0
    ./ebaystore/store/returnPolicy.ftl
  1. … 9 more files in changeset.
Temporary fix for "UtilXml.LocalResolver.resolveEntity] could not find LOCAL DTD/Schema with publicId [null] and the file/resource is [web-app_3_0.xsd]" - https://issues.apache.org/jira/browse/OFBIZ-6807

As suggested by Deepak keeps only <<web-app version="3.0">> in web.xml files instead of whole xmlns and schemaLocation.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1726388 13f79535-47bb-0310-9956-ffa450edef68

  1. … 26 more files in changeset.
OFBIZ-(6655) Add session tracking mode and make cookie secure for all special purpose component. Also updated the web-app version for web.xml files.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1724940 13f79535-47bb-0310-9956-ffa450edef68

  1. … 18 more files in changeset.
[OFBIZ-6171] Applied patch from Pierre Smits for replacing 'Open for Business' references with 'Apache OFBiz'.Thanks Pierre for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1706589 13f79535-47bb-0310-9956-ffa450edef68

  1. … 64 more files in changeset.
I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText() which is notably used in several FTL files. This exists also in others *ContentWrapper.java. Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.

This fixes it by changing the ContentWrapper interface

from

public interface ContentWrapper {

public StringUtil.StringWrapper get(String contentTypeId);

}

to

public interface ContentWrapper {

public StringUtil.StringWrapper get(String contentTypeId, String encoderType) {

}

And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrapperS accordingly. This means to use 2 types of encoderTypes: "html" and "url".

The "html" encoderType will be used for all ProductContentTypes but those who contain URL in their ContentTypeIdS (actually end with, "_URL") which will use "url" encoderType.

It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.

It seems a big change but it's straightforward. It's normally complete.

There are some (unrelated) tabs replaced by spaces here and there, and few trailing spaces removed but nothing big

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1705329 13f79535-47bb-0310-9956-ffa450edef68

    • -1
    • +1
    ./ebaystore/store/productsearchExport.ftl
  1. … 16 more files in changeset.
Convert javolution FastMap, FastSet and FastList by standard java.util.* Related to OFBIZ-5781 Convert Javolution collections into Java collections Thanks to Deepak Dixit and Adrian Crum for their help.

By defautl converted :

* FastMap by HashMap

* FastList by LinkedList

* FastSet by HashSet

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1672752 13f79535-47bb-0310-9956-ffa450edef68

  1. … 86 more files in changeset.
Applied two patch files from jira issue - OFBIZ-5893 - Use EntityQuery Builder methods in goovy files by replacing Entity Engine methods. Thanks Arun for your recent contribution where you have included changes from specialpurpose and product component.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1647937 13f79535-47bb-0310-9956-ffa450edef68

  1. … 88 more files in changeset.
Applied patch from jira issue - OFBIZ-5892 - Replace all occurences of dispatcher.runSync in groovy files with runService() of DSL. Thanks Arun for the contribution.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1646167 13f79535-47bb-0310-9956-ffa450edef68

  1. … 21 more files in changeset.
Merged json-integration-refactoring into trunk: * moved the json-lib jar (json-lib-2.2.3-jdk15.jar) from the framework/webapp to the framework/base component * removed the SQL select Parser.jj (parser definition) and its unit tests: it was not used (and never used) by any OFBiz code * removed the JSON.jj (parser definition) and its unit tests: it was not used (and never used) by any OFBiz code apart from the JSON Converters (now migrated to json-lib, see next items in this list) some utility methods in UtilIO.java (that have been removed too because they have never been used in OFBiz) * removed the JavaCC jar and related ant scripts because no more needed after the removal of Parser.jj and JSON.jj * converted the JSONConverter code that was based on JSON.jj to Jackson * added a new class org.ofbiz.base.lang.JSON that have been contributed by Adrian Crum that is a facade for simplifying the client code and for hiding the specific JSON library being used * removed an unused method: ImageManagementServices.toJsonObject(...) * added TestBooleanConverters to the list of tests * new unit tests for the new JSON converters * refactored Ajax code in applications to use the common request json response rather than a custom method * OFBIZ-5790 Implemented ability to call a service event by passing its input parameters in the request body as JSON data. These classes provide a simple mechanism, based on the request's content type, that can be extended to support other formats (e.g. XML).

This commit resolves OFBIZ-4572, OFBIZ-3365, OFBIZ-5751, OFBIZ-5790

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1635901 13f79535-47bb-0310-9956-ffa450edef68

    • -4
    • +4
    ./ebaystore/store/productsearchExport.ftl
  1. … 1 more file in changeset.
Fixes a bug introduced with commits for OFBIZ-4902. When you replace the Freemarker if_exists built-in with the ! operator, when the ! is followed by a + you need to evaluate the expression conditioned by the ! 1st. Else the following chars are used as default value. In other words, you need to put parenthesis around the expression including the ! operator I tested with tomahawk/includes/appbarClose.ftl and header.ftl files of bluelight and droppingcrumbs themes I then applied the same scheme on catalog/categorydetail.ftl, party/editShoppingList.ftl, ebaystore/store/returnPolicy.ftl and party/findparty.ftl w/o testing. I guess it's ok I did not find the same scheme elsewhere

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1624876 13f79535-47bb-0310-9956-ffa450edef68