Improved: POC for CSRF Token (OFBIZ-11306)

There is no need to change it in common-controller because, apart from the ecommerce application, there are no applications that require an anonymous flow. It should only be changed in the ecommerce controller.

Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter), and even that is not enough because of 2:

2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

  … 20 more files in changeset.
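As an added illustration, not OFBiz's own SameSiteFilter, a servlet filter of the shape the commit message describes: it rewrites the response's Set-Cookie headers once the chain has run, and exposes the rewrite as a public static method so that code which sets a cookie outside the filter's reach (the regenerated session id at login is the case the message names) can apply the same rewrite explicitly. The class name SameSiteCookieFilter is an assumption; it assumes Servlet 4.0 (Tomcat 9), where Filter.init/destroy have default implementations.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Illustrative filter (assumed name; not OFBiz's SameSiteFilter): every Set-Cookie
// header leaving the response gets SameSite=Strict unless it already carries a SameSite value.
public class SameSiteCookieFilter implements Filter {

    // Rewrites the Set-Cookie headers in place. Public and static so that code which
    // creates a cookie the filter cannot see (e.g. the session id regenerated at login)
    // can call the same rewrite explicitly from its own response-header setup.
    public static void addSameSiteCookieAttribute(HttpServletResponse response) {
        if (response.isCommitted()) {
            return; // headers are frozen once the response is committed; nothing can be changed
        }
        // Copy first: setHeader/addHeader below replace the container's own header list.
        List<String> headers = new ArrayList<>(response.getHeaders("Set-Cookie"));
        boolean first = true;
        for (String header : headers) {
            boolean hasSameSite = header.toLowerCase(Locale.ROOT).contains("samesite=");
            String value = hasSameSite ? header : header + "; SameSite=Strict";
            if (first) {
                response.setHeader("Set-Cookie", value); // replaces all existing Set-Cookie values
                first = false;
            } else {
                response.addHeader("Set-Cookie", value);
            }
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(req, res);
        // Cookies set by the controller or servlet are only visible here, after the chain ran.
        if (res instanceof HttpServletResponse) {
            addSameSiteCookieAttribute((HttpServletResponse) res);
        }
    }
}
```

Because the rewrite is skipped on a committed response, a cookie added after the body has been flushed never gets the attribute; that is the situation that forces the explicit second call rather than relying on the filter alone.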
Improved: "auth" should be true for all the request URLs used for Application components (OFBIZ-4956)

Put back getAssociatedStateList request in ecommerce to auth="false" to allow the anonymous flow.

Thanks: Deepak for spotting and reporting the issue (twice, inadvertently I removed the complete file, I have no idea how I did that :/)

    -0 +2008 ./ecommerce/WEB-INF/controller.xml
Improved: "auth" should be true for all the request URLs used for Application components (OFBIZ-4956)

Put back getAssociatedStateList request in ecommerce to auth="false" to allow the anonymous flow.

Thanks: Deepak for spotting and reporting the issue

    -2008 +0 ./ecommerce/WEB-INF/controller.xml
Improved: "auth" should be true for all the request URLs used for Application components (OFBIZ-4956)

Currently there are some URLs present in application components with auth="false". So anyone can hit these URLs and access these resources without authorization.

I think all the URLs should be secured with auth="true".

Thanks: Amardeep Singh Jhajj for report and initial fix

Fixed: Unable to remove items from onePageCheckout screen of e-commerce. (OFBIZ-10800)

Thanks Arpit Mor for reporting and Dhaval Wagela for the patch.

  1. … 1 more file in changeset.
Fixed: The "stream" request-map in ecommerce and commonext controllers requires authentication (OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting the "stream" request-map in commonext controller. And Jacopo for suggesting to require authentication (after suggesting to comment out).

It should also be noted that when the CSRF defense implementation is in place, all XSS vulnerabilities w/o authentication will no longer be possible, because then all requests shall contain a CSRF token.

Improved: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

No functional change, simply amend the comment

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

A vulnerability has been reported to the OFBiz security team. We were able to quickly and quietly fix it in supported versions, but in the ecommerce component.

To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily comment out the "stream" request-map in ecommerce controller. We will later fix the specific issue in ecommerce to put back the functionalities allowed by the "stream" request-map in ecommerce controller.

Improved: no functional change

This was added for OFBIZ-9198 but was superfluous since the same is already in the included ecommerce controller.

  … 1 more file in changeset.
Implemented: Cookie Consent In E-Commerce (OFBIZ-11333)

The Cookie Law is a piece of privacy legislation that requires websites to get consent from visitors to store or retrieve any information on their computer, smartphone or tablet. It was designed to protect online privacy, by making consumers aware of how information about them is collected and used online, and give them a choice to allow it or not.

The EU Cookie Legislation began as a directive from the European Union. Some variation on the policy has since been adopted by all countries within the EU.

The EU Cookie Legislation requires 4 actions from website owners who use cookies:

1. When someone visits your website, you need to let them know that your site uses cookies.

2. You need to provide detailed information regarding how that cookie data will be utilized.

3. You need to provide visitors with some means of accepting or refusing the use of cookies in your site.

4. If they refuse, you need to ensure that cookies will not be placed on their machine.

Used bsgdprcookies plugin to implement the feature. Thanks Deepak Nigam for initiating and providing initial patch. Thanks Deepak Nigam, Pierre Smits, Michael Brohl, Jacques Le Roux and Swapnil M Mane for inputs.

    -0 +1   ./ecommerce/js/bsgdprcookies/.gitignore
    -0 +21  ./ecommerce/js/bsgdprcookies/LICENSE
    -0 +139 ./ecommerce/js/bsgdprcookies/README.MD
    -0 +66  ./ecommerce/js/bsgdprcookies/demo_advanced.html
    -0 +53  ./ecommerce/js/bsgdprcookies/demo_simple.html
    -0 +289 ./ecommerce/js/bsgdprcookies/jquery.bs.gdpr.cookies.js
    -0 +18  ./ecommerce/js/bsgdprcookies/jquery.bs.gdpr.cookies.min.js
  … 3 more files in changeset.
Fixed: User should not be directed to main page after adding product to cart from showcart page (OFBIZ-11223)

Navigate to URL: https://demo-trunk.ofbiz.apache.org/ecomseo/

Click on View Cart at top-right of the page (User will be directed to showcart page)

Enter product number (Eg: GZ-2644)

Enter quantity

Click on add to cart

Product is added to the cart but user is directed to main page of ecommerce.

Thanks: Arpit Mor for report, Sourabh Punyani for the fix

Fixed: Corrected file path for ProcessPaymentSettings.groovy (OFBIZ-11324)