Improved: Use Error.ftl everywhere it's not yet used (OFBIZ-11890)

Removes all error*.jsp references, no longer used.

… 20 more files in changeset.
Fixed: Ensure that the SameSite attribute is set to 'strict' for all cookies. (OFBIZ-11470)

As reported by OWASP ZAP:

A cookie has been set without the SameSite attribute, which means that the cookie can be sent as a result of a 'cross-site' request. The SameSite attribute is an effective countermeasure to cross-site request forgery, cross-site script inclusion, and timing attacks.

The solution was not obvious in OFBiz for 2 reasons:

1. There is no HttpServletResponse::setHeader. So we need to use a filter (SameSiteFilter), and even that is not enough because of 2:
2. To prevent session fixation we force Tomcat to generate a new jsessionId, ultimately put in a cookie, in LoginWorker::login. So we need to add a call to SameSiteFilter::addSameSiteCookieAttribute in UtilHttp::setResponseBrowserDefaultSecurityHeaders.

… 19 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

(cherry picked from commit 1158664ba37264fa6b8429033bad768175ff10d5)

# Conflicts handled by hand
# msggateway/webapp/msggateway/WEB-INF/web.xml

… 24 more files in changeset.
Fixed: Add XML declaration in “web.xml” files (OFBIZ-6993)

These declarations avoid a SAXParseException traceback when parsing web.xml the first time in WebappUtil.parseWebXmlFile.

A schema conformance issue has been fixed in ecommerce “web.xml”.

… 24 more files in changeset.
"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release18.12@1851073 13f79535-47bb-0310-9956-ffa450edef68

… 21 more files in changeset.
"Applied fix from plugins for revision: 1851068"
------------------------------------------------------------------------
r1851068 | jleroux | 2019-01-11 17:12:01 +0100 (ven. 11 janv. 2019) | 12 lignes

Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion
------------------------------------------------------------------------

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/branches/release17.12@1851072 13f79535-47bb-0310-9956-ffa450edef68

… 21 more files in changeset.
Fixed: Add session tracking mode and make cookie secure (OFBIZ-6655)

Following "Session timeout for webapps" discussion on dev ML
https://markmail.org/message/p6fbiojjrwb2ybxd

We decided to put back the session-timeout value in web.xml files and to remove the line

session.setMaxInactiveInterval(60*60); //in seconds

from ControlEventListener.java

Thanks: Deepak Nigam for report and Girish Vasmatkar for discussion

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1851068 13f79535-47bb-0310-9956-ffa450edef68

… 21 more files in changeset.
Improved: Add session tracking mode and make cookie secure (OFBIZ-6655)

Programmatically replaces the web.xml <session-config> declarations and uses the @WebListener annotation to start the process. This avoids duplicating things everywhere in web.xml files. Since the web.xml files have precedence over annotations, the setting can be easily overridden when necessary.

Now that we also use HTTPS in ecommerce, the ecommerce session cookie is also secured.

I also noted that we had 8 weird <session-timeout> declarations:
in solr component: <session-timeout>2</session-timeout>
in themes: <session-timeout>1</session-timeout>

Also in Rainbowstone we lacked the <cookie-config> and <tracking-mode> declarations. I think it's not good.

I resolve these points by simply removing the <session-config> in web.xml files of themes and Solr.

Thanks: Pradhan Yash Sharma for review

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1811041 13f79535-47bb-0310-9956-ffa450edef68

… 23 more files in changeset.
Fixed: Consistency and Readability improvements for view-map tag (OFBIZ-9110)

Consistency on the attribute order for view-map element as: name, type, page

Thanks to Ankush Upadhyay and Devanshu Vyas for the issue and the corrective patch

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1805891 13f79535-47bb-0310-9956-ffa450edef68

… 3 more files in changeset.
Improved: Add a PriCat component under specialpurpose (OFBIZ-9123)

Moved pricat/webapp/pricat/ftl to pricat/template/pricat, pricat/webapp/pricatdemo/ftl to pricat/template/pricatdemo, and changed paths in files accordingly.

Thanks Jacques, Pierre and Michael for the code review and suggestion on this improvement.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk@1788744 13f79535-47bb-0310-9956-ffa450edef68

    • -109 +0 ./pricat/ftl/ExcelImportHistoryReport.ftl
    • -31 +0 ./pricat/ftl/viewExcelImportHistory.ftl
    • -39 +0 ./pricat/ftl/viewExcelImportLog.ftl
    • -21 +0 ./pricatdemo/ftl/countdownreport.ftl
    • -21 +0 ./pricatdemo/ftl/parsePricatExcel.ftl
    … 14 more files in changeset.
No functional changes

Completes r1781219 by putting svn:eol-style=native to all file types declared in the [auto-props] section of the svn config file.

Actually this is only a 1st pass; it was too complicated to do it for all file types at once. Only concerned here:

*.java;*.bsh;*.groovy;*.jsp;*.tld;*.ftl;*.js;*.sql;*.c;*.cpp;*.h;*.txt;*.sgml;
*.properties;*.xml;.classpath;.project;*.sld;*.gml;*.xsl;*.xsd
*.html;*.htm;*.css;*.md;README;NOTICE;LICENSE;rc.ofbiz.*;*.less;*.dsp;*.dsw

Most files should not be concerned by this change, but it's impossible to do it one by one.

There are also changes in files which have mixed EOLs, because this makes no sense when using native, which automatically resolves this issue.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/plugins@1781731 13f79535-47bb-0310-9956-ffa450edef68

    • -108 +108 ./pricat/ftl/ExcelImportHistoryReport.ftl
    • -30 +30 ./pricat/ftl/viewExcelImportHistory.ftl
    • -39 +39 ./pricat/ftl/viewExcelImportLog.ftl
    … 149 more files in changeset.
OFBIZ-9123 Add a PriCat component under specialpurpose

1. Add a readme.
2. Replace tabs with spaces.

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1770979 13f79535-47bb-0310-9956-ffa450edef68

    • -75 +75 ./pricat/ftl/ExcelImportHistoryReport.ftl
    • -194 +194 ./pricat/ftl/pricatreport.ftl
    • -11 +11 ./pricat/ftl/viewExcelImportHistory.ftl
    • -12 +12 ./pricat/ftl/viewExcelImportLog.ftl
    … 22 more files in changeset.
OFBIZ-9123 Add a PriCat component under specialpurpose

git-svn-id: https://svn.apache.org/repos/asf/ofbiz/trunk/specialpurpose@1770621 13f79535-47bb-0310-9956-ffa450edef68

    • -0 +48 ./pricat/WEB-INF/controller.xml
    • -0 +100 ./pricat/WEB-INF/web.xml
    • -0 +52 ./pricat/error/error.jsp
    • -0 +109 ./pricat/ftl/ExcelImportHistoryReport.ftl
    • -0 +529 ./pricat/ftl/pricatreport.ftl
    • -0 +510 ./pricat/ftl/report.ftl
    • -0 +31 ./pricat/ftl/viewExcelImportHistory.ftl
    • -0 +39 ./pricat/ftl/viewExcelImportLog.ftl
    • -0 +255 ./pricat/includes/pricat.css
    • -0 +88 ./pricatdemo/WEB-INF/controller.xml
    • -0 +100 ./pricatdemo/WEB-INF/web.xml
    • binary ./pricatdemo/downloads/SamplePricatTemplate_V1.1.xlsx
    • -0 +52 ./pricatdemo/error/error.jsp
    • -0 +52 ./pricatdemo/ftl/SamplePricat.ftl
    … 35 more files in changeset.