build.gradle

(OFBIZ-11257)

With a recent OpenJDK release we had the following error

```

> Task :javadoc

javadoc: error - The code being documented uses modules but the packages defined in https://docs.oracle.com/javase/8/docs/api/ are in the unnamed module.

javadoc: error - The code being documented uses modules but the

packages defined in https://docs.oracle.com/javaee/7/api/ are in the

unnamed module.

[...]

2 errors

100 warnings

> Task :javadoc FAILED

```

With ‘javadoc --source 8’ this error disappears as described in

JDK-8212233 [1].

[1] https://bugs.openjdk.java.net/browse/JDK-8212233

(including admin) via 'Forget Your Password'

(OFBIZ-4361)

Trunk backport r1866478 and r1866518

Currently, any user (via ecommerce 'Forget Your Password') has the ability to

reset another users password, including 'admin' without permission.

By simply entering 'admin' and clicking 'Email Password', the following is

displayed:

The following occurred:

A new password has been created and sent to you. Please check your Email.

This now forces the user of the ERP to change their password.

It is also possible to generate a dictionary attack against ofbiz because there

is no capta code required. This is serious security risk.

I have modified the patch following comments I made in the Jira, notably

Removed unused Java variables

Removed a check in LoginEvents::forgotPassword which prevented to show error

messages

Changed fr and en SecurityExtPasswordSentToYou

+ SecurityExtThisEmailIsInResponseToYourRequestToHave labels

+ template PasswordEmail.ftl

+ loginservices.token_incorrect labels

Added fr and en SecurityExtIgnoreEmail + SecurityExtLinkOnce labels

Removed changes in general.properties

I did not remove the 2 GetSecurityQuestion.ftl files (webpos one was still in)

There is still room for improvement. I'll discuss them on the Jira and dev

ML. But this version is already strong enough to not wait that the patch is

inapplicable!

Thanks: mz4wheeler (Mike Z) for the Jira, Nicolas Malin for the patch, I guess

with some Gil's help, and all others for comments and ideas

===

Improved: Removed old pattern directory for groovy scripts.

(OFBIZ-10903)

Thanks Deepak Dixit for reporting.

------------------------------------------------------------------------

r1860357 | jleroux | 2019-05-29 18:29:31 +0200 (mer. 29 mai 2019) | 14 lignes

Fixed: Gradle eclipse task - classpath modification (Add exclusion for

<OFBiz>/framework/base/config and <OFBiz>/framework/base/dtd)

(OFBIZ-11071)

Eclipse task removes all classpath entries that affects following entries also -

* <OFBiz>/framework/base/config

* <OFBiz>/framework/base/dtd

These two entries are essential to start OFBiz successfully.

Developer has to manually add these entries back to start OFBiz from IDE.

Following this discussion: https://s.apache.org/baoT

Thanks: Girish Vasmatkar

------------------------------------------------------------------------

------------------------------------------------------------------------

r1859968 | jleroux | 2019-05-25 15:25:34 +0200 (sam. 25 mai 2019) | 16 lignes

Fixed: Services allow arbitrary HTML for parameters with allow-html set to "safe"

(OFBIZ-5254)

The testCreateNewRequest was failing due to escaped single quotes in related

data in OrderTypeData.xml:

subject="OFBiz - Your Request is received: '${custRequestName}' #CR${custRequestId}"

This was a peculiar case that could be generalised to all escapable characters.

The general solution is to compare the original value with the filtered value

unescaped in UtilCodec::checkStringForHtmlSafe.

BTW, weirdly enough StringEscapeUtils::escapeHtml4 does not escape single quote.

Another weirdness is the test was passing with plugins data loaded. This is due

to duplicated demo data in scrumTypeData.xml (which is actually not only type

data, as ever the scrum component is a mess, that's not new and always wonder

if we should not get rid of it!)

------------------------------------------------------------------------

(OFBIZ-10920)

CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

Apache Tomcat 9.0.0.M1 to 9.0.17

Apache Tomcat 8.5.0 to 8.5.39

Apache Tomcat 7.0.0 to 7.0.93

Description:

When running on Windows with enableCmdLineArguments enabled, the CGI

Servlet is vulnerable to Remote Code Execution due to a bug in the way

the JRE passes command line arguments to Windows. The CGI Servlet is

disabled by default. The CGI option enableCmdLineArguments is disabled

by default in Tomcat 9.0.x (and will be disabled by default in all

versions in response to this vulnerability). For a detailed explanation

of the JRE behaviour, see Markus Wulftange's blog [1] and this archived

MSDN blog [2].

Mitigation:

Users of affected versions should apply one of the following mitigations:

- Ensure the CGI Servlet initialisation parameter enableCmdLineArguments

is set to false

- Upgrade to Apache Tomcat 9.0.18 or later when released

- Upgrade to Apache Tomcat 8.5.40 or later when released

- Upgrade to Apache Tomcat 7.0.93 or later when released

This announcement is being made before the releases are available as the

change to fix this issue is obviously security related.

Credit:

This issue was identified by an external security researcher and

reported to the Apache Tomcat security team via the bug bounty program

sponsored by the EU FOSSA-2 project.

jleroux: actually Tomcat 9.0.19 was released, here it is

(OFBIZ-10693)

Reverts 1857431, better stay as is. It works in trunk but not here.

------------------------------------------------------------------------

r1856212 | jleroux | 2019-03-25 18:47:52 +0100 (lun. 25 mars 2019) | 9 lignes

Fixed: Update Tomcat to 9.0.16 due to CVE-2019-0199

(OFBIZ-10873)

The HTTP/2 implementation accepted streams with excessive numbers of

SETTINGS frames and also permitted clients to keep streams open without

reading/writing request/response data. By keeping streams open for

requests that utilised the Servlet API's blocking I/O, clients were able

to cause server-side threads to block eventually leading to thread

exhaustion and a DoS.

------------------------------------------------------------------------

===

Improved: Added line separator while while generating svn/git info footer.

===

Preparation for JDK11 update, Updated following code to fix warning with respect to JDK11

- Replaced Class::newInstance occurrences

- Removed deprecated override method Object::finalize

(OFBIZ-10757)

===

Fixed: Upgrade Apache Tika to 1.20 (CVE-2018-8017/CVE-2018-17197)

In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.

A carefully crafted or corrupt sqlite file can cause an infinite loop in Apache Tika's SQLite3Parser in versions 1.8-1.19.1 of Apache Tika.

------------------------------------------------------------------------

r1850647 | jleroux | 2019-01-07 15:46:50 +0100 (lun. 07 janv. 2019) | 11 lignes

Improved: Update Apache commons-fileupload to last version

(OFBIZ-10770)

This is an easy doing, we just need to add

compile 'commons-fileupload:commons-fileupload:1.3-3'

to the build.gradle file.

So far the dependency was not given directly but by other dependencies

------------------------------------------------------------------------