ofbiz


Improved: Don't exclude properties and labels file from the Jar
(OFBIZ-11161)

In order to have an independent deployable jar, we need to include the properties and labels inside the jar.

The properties and labels file was previously excluded from the jar because it was not possible to replace the compile time values by invalidating OFBiz caches, which is convenient when developing OFBiz. It was then necessary to reconstruct the jar and restart OFBiz (see OFBIZ-8321 for more details).

With the recent improvement from revision 1865719 allowing to run OFBiz without building a jar, it is now possible to enable this cache invalidation by running both 'gradle run' in one shell and 'gradlew --continuous classes' in a separate shell. Doing so makes the combination of editing the label files and clearing the caches use the new value defined in the source file.

Fixed: Fix Default or Empty Catch block in Java and Groovy files
(OFBIZ-)

In many Java and Groovy files we have auto generated catch blocks or empty catch blocks.

To avoid such exception swallowing this should be improved to at least log the error and also return error in case of service.

Last ones :)

Fixed: Fix Default or Empty Catch block in Java and Groovy files
(OFBIZ-)

In many Java and Groovy files we have auto generated catch blocks or empty catch blocks.

To avoid such exception swallowing this should be improved to at least log the error and also return error in case of service.

Here we use 3 try-with-resources blocks and log some errors

Fixed: Fix Default or Empty Catch block in Java and Groovy files
(OFBIZ-)

In many Java and Groovy files we have auto generated catch blocks or empty catch blocks.

To avoid such exception swallowing this should be improved to at least log the error and also return error in case of service.

Here we use a try-with-resources block and log some errors
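The pattern these three commits describe, shown as an added Java example that is not OFBiz code: the auto-generated catch block on the left-hand method hides an I/O failure completely, while the rewritten method uses try-with-resources, logs the exception and hands back a service-style error entry. The logger (java.util.logging) and the result-map keys are assumptions made for this example; in OFBiz the corresponding conventions are Debug.logError and ServiceUtil.returnError. Requires Java 11+.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

/** Added example, not OFBiz code: a swallowed exception beside its logged, reported form. */
public class CatchBlockExample {
    private static final Logger LOG = Logger.getLogger(CatchBlockExample.class.getName());

    // BEFORE: the IDE-generated catch block discards the failure. The caller receives an
    // empty map that looks like "no lines" rather than "could not read the file".
    public static Map<String, String> countLinesSwallowing(Path file) {
        Map<String, String> result = new HashMap<>();
        try {
            long count = Files.readAllLines(file, StandardCharsets.UTF_8).size();
            result.put("lines", String.valueOf(count));
        } catch (IOException e) {
            // TODO Auto-generated catch block
        }
        return result;
    }

    // AFTER: try-with-resources closes the reader on every path, the failure is logged with
    // its stack trace, and the map carries an explicit error entry (assumed keys that mimic
    // an OFBiz service response) so the caller cannot mistake failure for success.
    public static Map<String, String> countLinesLogging(Path file) {
        Map<String, String> result = new HashMap<>();
        try (BufferedReader reader = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            long count = reader.lines().count();
            result.put("responseMessage", "success");
            result.put("lines", String.valueOf(count));
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "Could not read " + file, e);
            result.put("responseMessage", "error");
            result.put("errorMessage", "Could not read file: " + e.getMessage());
        }
        return result;
    }

    public static void main(String[] args) {
        Path missing = Path.of("does-not-exist.txt"); // constructed input: the file is absent
        System.out.println(countLinesSwallowing(missing)); // {} : the failure is invisible
        System.out.println(countLinesLogging(missing));    // SEVERE log line + error entries
    }
}
```

The second method is also the one that is safe to wrap in a service: a caller checking "responseMessage" sees the error, and the log retains the cause for whoever has to investigate later.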

Improved: Document how to store the JWT secret key
(OFBIZ-10751)

Copy manually all files from trunk because of weird conflicts

Improved: Document how to store the JWT secret key
(OFBIZ-10751)

Copy manually all files from trunk because of weird conflicts

Improved: Document how to store the JWT secret key
(OFBIZ-10751)

Copy manually all files from trunk because of weird conflicts

Improved: Document how to store the JWT secret key
(OFBIZ-10751)

Adds a link to OWASP documentation

Improved: Refactor boolean returns from methods
(OFBIZ-10725)

Stumbled upon it by chance, a last one

Improved: Refactor boolean returns from methods
(OFBIZ-10725)

Reverts mistakes made in previous commit

Improved: Refactor boolean returns from methods
(OFBIZ-10725)

Stumbled upon it by chance, here are a few changes

Improved: no functional change

In my previous commit I forgot I used FileUtil::normalizePath (the old name of what is now normalizeFilePath) in FileUtil::getFile. This is useless, and reverted here

Improved: no functional change

While working on OFBIZ-11196, I renamed the normalizePath() method in the FileUtil class to createFileWithNormalizedPath() and added the normalizeFilePath() method which deals only with String (in -> out), could be useful later...

"Applied fix from trunk framework for revision: 1866920"

------------------------------------------------------------------------
r1866920 | jleroux | 2019-09-14 10:19:18 +0200 (sam. 14 sept. 2019) | 18 lignes

Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile
(OFBIZ-11196)

These are not really path traversal issues.

We can't solve them using the traditional way to fix path traversal issues (ie normalising the path), because FetchLogs and ViewFile are actually reading files, and if you have the right to read these files then nothing will prevent you from reading them.

The problem is more what those requests are supposed to do. FetchLogs is supposed to read a log in the log dir and ViewFile is supposed to read a file containing labels (ie either an XML or Properties file).

So the solution is to allow these requests to only do what they are supposed to do. This is what is done in the ViewFile and FetchLogs Groovy files.
------------------------------------------------------------------------


"Applied fix from trunk for revision: 1866920"

------------------------------------------------------------------------
r1866920 | jleroux | 2019-09-14 10:19:18 +0200 (sam. 14 sept. 2019) | 18 lignes

Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile
(OFBIZ-11196)

These are not really path traversal issues.

We can't solve them using the traditional way to fix path traversal issues (ie normalising the path), because FetchLogs and ViewFile are actually reading files, and if you have the right to read these files then nothing will prevent you from reading them.

The problem is more what those requests are supposed to do. FetchLogs is supposed to read a log in the log dir and ViewFile is supposed to read a file containing labels (ie either an XML or Properties file).

So the solution is to allow these requests to only do what they are supposed to do. This is what is done in the ViewFile and FetchLogs Groovy files.
------------------------------------------------------------------------

"Applied fix from trunk for revision: 1866920"

------------------------------------------------------------------------
r1866920 | jleroux | 2019-09-14 10:19:18 +0200 (sam. 14 sept. 2019) | 18 lignes

Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile
(OFBIZ-11196)

These are not really path traversal issues.

We can't solve them using the traditional way to fix path traversal issues (ie normalising the path), because FetchLogs and ViewFile are actually reading files, and if you have the right to read these files then nothing will prevent you from reading them.

The problem is more what those requests are supposed to do. FetchLogs is supposed to read a log in the log dir and ViewFile is supposed to read a file containing labels (ie either an XML or Properties file).

So the solution is to allow these requests to only do what they are supposed to do. This is what is done in the ViewFile and FetchLogs Groovy files.
------------------------------------------------------------------------

Fixed: Path Traversal in webtools/control/FetchLogs and ViewFile
(OFBIZ-11196)

These are not really path traversal issues.

We can't solve them using the traditional way to fix path traversal issues (ie normalising the path), because FetchLogs and ViewFile are actually reading files, and if you have the right to read these files then nothing will prevent you from reading them.

The problem is more what those requests are supposed to do. FetchLogs is supposed to read a log in the log dir and ViewFile is supposed to read a file containing labels (ie either an XML or Properties file).

So the solution is to allow these requests to only do what they are supposed to do. This is what is done in the ViewFile and FetchLogs Groovy files.
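The idea in this commit (and its backports above) is purpose-bound access rather than path normalisation alone: FetchLogs may only return a log file from the log directory, ViewFile may only return an XML or properties file. The Java below is an added example, not the project's Groovy fix; LOG_DIR, the component root argument and the extension lists are assumptions for the example, and OFBiz resolves its real locations from its own configuration. Requires Java 11+.

```java
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;
import java.util.Set;

/** Added example, not OFBiz code: one resolver per request, each yielding only the kind of file that request exists to read. */
public class PurposeBoundFileAccess {
    // Assumed log location; OFBiz derives the real one from its configuration.
    static final Path LOG_DIR = Paths.get("runtime", "logs").toAbsolutePath().normalize();
    static final Set<String> LABEL_EXTENSIONS = Set.of("xml", "properties");

    /** FetchLogs: a bare file name, *.log only, living directly in LOG_DIR. */
    public static Optional<Path> resolveLogFile(String requested) {
        Optional<Path> name = singleName(requested);
        if (!name.isPresent() || !extension(requested).equals("log")) {
            return Optional.empty();
        }
        return confine(LOG_DIR, name.get());
    }

    /** ViewFile: an XML or properties file somewhere under the component's tree, never outside it. */
    public static Optional<Path> resolveLabelFile(Path componentRoot, String requested) {
        if (requested == null || requested.isEmpty()
                || !LABEL_EXTENSIONS.contains(extension(requested))) {
            return Optional.empty();
        }
        try {
            Path relative = Paths.get(requested);
            if (relative.isAbsolute()) {
                return Optional.empty();
            }
            return confine(componentRoot.toAbsolutePath().normalize(), relative);
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
    }

    /** Accept a single path element only: no separators, no "..", no drive letter or root. */
    private static Optional<Path> singleName(String requested) {
        if (requested == null || requested.isEmpty() || requested.equals("..")) {
            return Optional.empty();
        }
        try {
            Path p = Paths.get(requested);
            if (p.isAbsolute() || p.getNameCount() != 1) {
                return Optional.empty();
            }
            return Optional.of(p);
        } catch (InvalidPathException e) {
            return Optional.empty();
        }
    }

    /** Resolve under base, normalise, refuse anything that escaped base, and require a regular file. */
    private static Optional<Path> confine(Path base, Path relative) {
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base) || !Files.isRegularFile(candidate)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    private static String extension(String name) {
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed requests. With no files on disk every call ends empty; the point is
        // which check fires first for each shape of input.
        System.out.println(resolveLogFile("ofbiz.log"));          // shape accepted, then the file must exist
        System.out.println(resolveLogFile("../ofbiz.log"));       // rejected: not a single name
        System.out.println(resolveLogFile("ofbiz.log.1"));        // rejected: not *.log
        Path root = Paths.get("applications", "accounting");      // assumed component root
        System.out.println(resolveLabelFile(root, "config/AccountingUiLabels.xml")); // shape accepted
        System.out.println(resolveLabelFile(root, "config/secret.txt"));             // rejected: not a label file
    }
}
```

The extension and single-name checks encode what each request is for; the confine step is the conventional normalise-and-prefix check kept as a second line of defence, which is the combination the commit message argues for.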

"Applied fix from trunk framework for revision: 1866890"

------------------------------------------------------------------------
r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes

Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method
(OFBIZ-11198)

Neither the FindAPInvoices request nor the findInvoice request suffers from this issue. This was due to the <screen name="FindArInvoices"> definition. Using something similar to <screen name="FindApInvoices"> fixes the issue.
------------------------------------------------------------------------


"Applied fix from trunk for revision: 1866890"

------------------------------------------------------------------------
r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes

Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method
(OFBIZ-11198)

Neither the FindAPInvoices request nor the findInvoice request suffers from this issue. This was due to the <screen name="FindArInvoices"> definition. Using something similar to <screen name="FindApInvoices"> fixes the issue.
------------------------------------------------------------------------

"Applied fix from trunk for revision: 1866890"

------------------------------------------------------------------------
r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes

Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method
(OFBIZ-11198)

Neither the FindAPInvoices request nor the findInvoice request suffers from this issue. This was due to the <screen name="FindArInvoices"> definition. Using something similar to <screen name="FindApInvoices"> fixes the issue.
------------------------------------------------------------------------

Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method
(OFBIZ-11198)

Neither the FindAPInvoices request nor the findInvoice request suffers from this issue. This was due to the <screen name="FindArInvoices"> definition. Using something similar to <screen name="FindApInvoices"> fixes the issue.

Improved:
Please use HTTPS for KEYS, sigs and hashes (OFBIZ-11193)

Fixes typos

Thanks: Sebb (Sebastian Bazley)

Improved: Unknown request [d.png]; this request does not exist or cannot be called directly.
(OFBIZ-11199)

I suppose this issue is similar to OFBIZ-11152, so I'm handling it the same way. It's not an end to the underlying issue, but at least it can reassure users about things being handled...

Improved:
Please use HTTPS for KEYS, sigs and hashes (OFBIZ-11193)
Download page must provide verification instructions (OFBIZ-11194)

Thanks: Sebb (Sebastian Bazley)

"Applied fix from trunk framework for revision: 1866834"

------------------------------------------------------------------------
r1866834 | jleroux | 2019-09-12 09:49:41 +0200 (jeu. 12 sept. 2019) | 8 lignes

Improved: Improve ObjectInputStream class
(OFBIZ-10837)

Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property.

CVE-2019-0189
------------------------------------------------------------------------


"Applied fix from trunk for revision: 1866834"

------------------------------------------------------------------------
r1866834 | jleroux | 2019-09-12 09:49:41 +0200 (jeu. 12 sept. 2019) | 8 lignes

Improved: Improve ObjectInputStream class
(OFBIZ-10837)

Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property.

CVE-2019-0189
------------------------------------------------------------------------

"Applied fix from trunk for revision: 1866834"

------------------------------------------------------------------------
r1866834 | jleroux | 2019-09-12 09:49:41 +0200 (jeu. 12 sept. 2019) | 8 lignes

Improved: Improve ObjectInputStream class
(OFBIZ-10837)

Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property.

CVE-2019-0189
------------------------------------------------------------------------

Improved: Improve ObjectInputStream class
(OFBIZ-10837)

Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property.

CVE-2019-0189
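What a configurable deserialization allowlist looks like, as an added Java example that is not the OFBiz class: every class descriptor met while reading the stream passes through resolveClass, and a name absent from the listOfSafeObjectsForInputStream property is refused before the class is even loaded. The class name, the Properties-based lookup and the default list are assumptions made for this example; only the property name comes from the commit. Requires Java 9+.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

/** Added example, not OFBiz code: an ObjectInputStream that resolves only allowlisted classes. */
public class AllowlistObjectInputStream extends ObjectInputStream {
    public static final String PROPERTY = "listOfSafeObjectsForInputStream";
    // Assumed default list; a deployment widens it through the property, not by editing code.
    public static final String DEFAULTS = "java.lang.String,java.lang.Integer,java.util.ArrayList";

    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Properties config) throws IOException {
        super(in);
        String list = config.getProperty(PROPERTY, DEFAULTS);
        this.allowed = new HashSet<>(Arrays.asList(list.trim().split("\\s*,\\s*")));
    }

    /** Invoked for each class descriptor in the stream; unlisted names are rejected before loading. */
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "not listed in " + PROPERTY);
        }
        return super.resolveClass(desc);
    }

    public static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(value);
        }
        return bytes.toByteArray();
    }

    public static Object deserialize(byte[] data, Properties config) throws IOException, ClassNotFoundException {
        try (AllowlistObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(data), config)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Properties config = new Properties();                        // constructed: empty, so DEFAULTS apply
        List<String> names = new ArrayList<>(List.of("a", "b"));     // constructed sample payloads
        Map<String, String> pairs = new HashMap<>(Map.of("k", "v"));

        System.out.println(deserialize(serialize(names), config));   // [a, b]: ArrayList is listed
        try {
            deserialize(serialize(pairs), config);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());       // HashMap is not listed
        }
        // An operator who legitimately needs HashMap adds it through the property.
        config.setProperty(PROPERTY, DEFAULTS + ",java.util.HashMap");
        System.out.println(deserialize(serialize(pairs), config));   // {k=v}
    }
}
```

Strings travel in the stream as literal TC_STRING records, so they never reach resolveClass; container and custom classes do, which is why java.util.ArrayList must be listed even for a list of strings. On Java 9 and later the same policy can also be expressed with ObjectInputFilter.Config.createFilter and setObjectInputFilter instead of subclassing, which additionally lets you bound depth and array sizes.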

Improved: Remove redundant type declarations

Updated information about vulnerabilities fixed by 16.11.06.