Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2020/07/05 14:50:37 UTC
Error.ftl everywhere
Hi,
While working on OFBIZ-11840 I thought about the solution I used for "[CVE-2020-1943] Apache OFBiz XSS Vulnerability"
So I tried that:
diff --git framework/common/webcommon/WEB-INF/common-controller.xml framework/common/webcommon/WEB-INF/common-controller.xml
index e6f9394cd4..9291cdbece 100644
--- framework/common/webcommon/WEB-INF/common-controller.xml
+++ framework/common/webcommon/WEB-INF/common-controller.xml
@@ -338,7 +338,7 @@ under the License.
<!--========================== AJAX events =====================-->
<!-- View Mappings -->
- <view-map name="error" page="/error/error.jsp"/>
+ <view-map name="error" type="ftl" page="component://common/webcommon/error/Error.ftl"/>
<view-map name="main" type="none"/>
<view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
<view-map name="impersonated" type="screen" page="component://common/widget/CommonScreens.xml#impersonated"/>
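Review bot: the new `type="ftl"` on the error view-map only resolves when a view handler named `ftl` is registered in every controller that includes common-controller.xml; question 1 of this mail says those handlers currently live only in the webtools controller, so without the handlers-controller.xml hunk every other webapp would fail on its error view, the one view that must never throw itself. Also confirm the file-name case: the mapping says `Error.ftl` while the mail text says `error.ftl`, and a component:// lookup will miss on a case-sensitive filesystem if the two differ.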
diff --git framework/common/webcommon/WEB-INF/handlers-controller.xml framework/common/webcommon/WEB-INF/handlers-controller.xml
index be21b19fd9..1622d10ead 100644
--- framework/common/webcommon/WEB-INF/handlers-controller.xml
+++ framework/common/webcommon/WEB-INF/handlers-controller.xml
@@ -42,4 +42,5 @@ under the License.
<handler name="screenfop" type="view" class="org.apache.ofbiz.widget.renderer.fo.ScreenFopViewHandler"/>
<handler name="jsp" type="view" class="org.apache.ofbiz.webapp.view.JspViewHandler"/>
<handler name="http" type="view" class="org.apache.ofbiz.webapp.view.HttpViewHandler"/>
+ <handler name="ftl" type="view" class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/>
</site-conf>
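Review bot: registering `ftl` here while the webtools controller keeps its own `ftl` handler leaves two definitions of the same name once both files are included; drop the webtools copy (or confirm the loader tolerates the duplicate) and update the XSD documentation the mail mentions so it matches where the handler actually lives. Since this is the route taken for the CVE-2020-1943 XSS fix, it is also worth confirming that Error.ftl escapes whatever request or exception data it echoes, because this view becomes the error page for every webapp that includes these handlers.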
It does not fix the OFBIZ-11840 issue, but it works: I mean it correctly replaces error.jsp with error.ftl.
A few questions:
1. Why have the ftl handlers only in the webtools controller? BTW, it makes the XSD documentation awkward because it says the ftl handlers are in handlers-controller.xml
2. Why not use error.ftl in common-controller.xml instead of error.jsp?
3. Same question for plugins.
I believe we could change all that and definitely get rid of error.jsp (error.ftl is already in all supported release branches).
What do you think?
Jacques
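One way to check the dependency between the two hunks above (a view-map type only works once a handler of that name is registered in the merged controller config), as an added example that is not part of this thread or of OFBiz. The XML excerpts are constructed from the diff; the `screen` handler entry and the `default_type` fallback for a view-map without a type are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed handler excerpts. BEFORE lacks the "ftl" handler; AFTER adds the line
# from the second hunk of the thread's diff. Class names are those shown on the page
# plus the usual screen handler (assumed, not taken from the thread).
HANDLERS_BEFORE = """<site-conf>
  <handler name="screen" type="view" class="org.apache.ofbiz.widget.renderer.macro.MacroScreenViewHandler"/>
  <handler name="jsp" type="view" class="org.apache.ofbiz.webapp.view.JspViewHandler"/>
  <handler name="http" type="view" class="org.apache.ofbiz.webapp.view.HttpViewHandler"/>
</site-conf>"""
HANDLERS_AFTER = HANDLERS_BEFORE.replace(
    "</site-conf>",
    '  <handler name="ftl" type="view" class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/>\n</site-conf>')

# Constructed view-map excerpt mirroring common-controller.xml after the first hunk.
VIEWS_AFTER = """<site-conf>
  <view-map name="error" type="ftl" page="component://common/webcommon/error/Error.ftl"/>
  <view-map name="main" type="none"/>
  <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
</site-conf>"""


def view_handler_names(*handler_docs):
    """Merge handler files, as a controller include chain would, into the set of view handler names."""
    names = set()
    for doc in handler_docs:
        for h in ET.fromstring(doc).iter("handler"):
            if h.get("type") == "view":
                names.add(h.get("name"))
    return names


def unresolved_view_maps(views_doc, handler_names, default_type="screen"):
    """List (view name, type) pairs whose type has no registered view handler.
    type="none" renders nothing and needs no handler. A view-map without a type is
    treated as default_type; that fallback is an assumption, set it to whatever
    your controller actually applies."""
    unresolved = []
    for vm in ET.fromstring(views_doc).iter("view-map"):
        vtype = vm.get("type") or default_type
        if vtype != "none" and vtype not in handler_names:
            unresolved.append((vm.get("name"), vtype))
    return unresolved


if __name__ == "__main__":
    print("before:", unresolved_view_maps(VIEWS_AFTER, view_handler_names(HANDLERS_BEFORE)))
    print("after: ", unresolved_view_maps(VIEWS_AFTER, view_handler_names(HANDLERS_AFTER)))
```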
Re: Error.ftl everywhere
Posted by Jacques Le Roux <ja...@les7arts.com>.
On 16/07/2020 at 17:20, Jacques Le Roux wrote:
>
> Then it makes sense to remove RequestHandler::getDefaultErrorPage and its only reference in ControlServlet::handle (since nothing exists in web.xml
> files)
I made error.ftl the new default instead.
Done
Jacques
Re: Error.ftl everywhere
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Nicolas, All,
Last effort: I think we should now get rid of all error.jsp, error403.jsp and error404.jsp files and all references to these.
It's easy to remove commented out <error-page> references from 3 web.xml files (marketing, partymgr and workeffort). We are sure they are not used.
Then it makes sense to remove RequestHandler::getDefaultErrorPage and its only reference in ControlServlet::handle (since nothing exists in web.xml files)
Same for
<<[tempName:'error.jsp', newName:'error.jsp', location:"webapp/${webappName}/error"],>>
in build.gradle.
Am I missing anything?
Thanks
Jacques
On 16/07/2020 at 11:55, Nicolas Malin wrote:
> Thanks Jacques,
>
> You finished the work to remove the jsp error :)
>
> Nicolas
>
> On 15/07/2020 21:09, Jacques Le Roux wrote:
>> On 05/07/2020 at 16:50, Jacques Le Roux wrote:
>>> Hi,
>>>
>>> While working on OFBIZ-11840 I thought about the solution I used for
>>> "[CVE-2020-1943] Apache OFBiz XSS Vulnerability"
>>>
>>> So I tried that:
>>>
>>> diff --git framework/common/webcommon/WEB-INF/common-controller.xml
>>> framework/common/webcommon/WEB-INF/common-controller.xml
>>> index e6f9394cd4..9291cdbece 100644
>>> --- framework/common/webcommon/WEB-INF/common-controller.xml
>>> +++ framework/common/webcommon/WEB-INF/common-controller.xml
>>> @@ -338,7 +338,7 @@ under the License.
>>> <!--========================== AJAX events =====================-->
>>>
>>> <!-- View Mappings -->
>>> - <view-map name="error" page="/error/error.jsp"/>
>>> + <view-map name="error" type="ftl"
>>> page="component://common/webcommon/error/Error.ftl"/>
>>> <view-map name="main" type="none"/>
>>> <view-map name="login" type="screen"
>>> page="component://common/widget/CommonScreens.xml#login"/>
>>> <view-map name="impersonated" type="screen"
>>> page="component://common/widget/CommonScreens.xml#impersonated"/>
>>> diff --git framework/common/webcommon/WEB-INF/handlers-controller.xml
>>> framework/common/webcommon/WEB-INF/handlers-controller.xml
>>> index be21b19fd9..1622d10ead 100644
>>> --- framework/common/webcommon/WEB-INF/handlers-controller.xml
>>> +++ framework/common/webcommon/WEB-INF/handlers-controller.xml
>>> @@ -42,4 +42,5 @@ under the License.
>>> <handler name="screenfop" type="view"
>>> class="org.apache.ofbiz.widget.renderer.fo.ScreenFopViewHandler"/>
>>> <handler name="jsp" type="view"
>>> class="org.apache.ofbiz.webapp.view.JspViewHandler"/>
>>> <handler name="http" type="view"
>>> class="org.apache.ofbiz.webapp.view.HttpViewHandler"/>
>>> + <handler name="ftl" type="view"
>>> class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/>
>>> </site-conf>
>>>
>>> It does not fix the OFBIZ-11840 issue, but it works: I mean it
>>> correctly replaces error.jsp with error.ftl.
>>>
>>> A few questions:
>>>
>>> 1. Why have the ftl handlers only in the webtools controller? BTW, it
>>> makes the XSD documentation awkward because it says the ftl
>>> handlers are in handlers-controller.xml
>>> 2. Why not use error.ftl in common-controller.xml instead of
>>> error.jsp?
>>> 3. Same question for plugins.
>>>
>>> I believe we could change all that and definitely get rid of
>>> error.jsp (error.ftl is already in all supported release branches).
>>>
>>> What do you think?
>>>
>>> Jacques
>>>
>> Done with OFBIZ-11890
>>
>> Jacques
>>
Re: Error.ftl everywhere
Posted by Nicolas Malin <ni...@nereide.fr>.
Thanks Jacques,
You finished the work to remove the jsp error :)
Nicolas
On 15/07/2020 21:09, Jacques Le Roux wrote:
>
> On 05/07/2020 at 16:50, Jacques Le Roux wrote:
>> Hi,
>>
>> While working on OFBIZ-11840 I thought about the solution I used for
>> "[CVE-2020-1943] Apache OFBiz XSS Vulnerability"
>>
>> So I tried that:
>>
>> diff --git framework/common/webcommon/WEB-INF/common-controller.xml
>> framework/common/webcommon/WEB-INF/common-controller.xml
>> index e6f9394cd4..9291cdbece 100644
>> --- framework/common/webcommon/WEB-INF/common-controller.xml
>> +++ framework/common/webcommon/WEB-INF/common-controller.xml
>> @@ -338,7 +338,7 @@ under the License.
>> <!--========================== AJAX events =====================-->
>>
>> <!-- View Mappings -->
>> - <view-map name="error" page="/error/error.jsp"/>
>> + <view-map name="error" type="ftl"
>> page="component://common/webcommon/error/Error.ftl"/>
>> <view-map name="main" type="none"/>
>> <view-map name="login" type="screen"
>> page="component://common/widget/CommonScreens.xml#login"/>
>> <view-map name="impersonated" type="screen"
>> page="component://common/widget/CommonScreens.xml#impersonated"/>
>> diff --git framework/common/webcommon/WEB-INF/handlers-controller.xml
>> framework/common/webcommon/WEB-INF/handlers-controller.xml
>> index be21b19fd9..1622d10ead 100644
>> --- framework/common/webcommon/WEB-INF/handlers-controller.xml
>> +++ framework/common/webcommon/WEB-INF/handlers-controller.xml
>> @@ -42,4 +42,5 @@ under the License.
>> <handler name="screenfop" type="view"
>> class="org.apache.ofbiz.widget.renderer.fo.ScreenFopViewHandler"/>
>> <handler name="jsp" type="view"
>> class="org.apache.ofbiz.webapp.view.JspViewHandler"/>
>> <handler name="http" type="view"
>> class="org.apache.ofbiz.webapp.view.HttpViewHandler"/>
>> + <handler name="ftl" type="view"
>> class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/>
>> </site-conf>
>>
>> It does not fix the OFBIZ-11840 issue, but it works: I mean it
>> correctly replaces error.jsp with error.ftl.
>>
>> A few questions:
>>
>> 1. Why have the ftl handlers only in the webtools controller? BTW, it
>> makes the XSD documentation awkward because it says the ftl
>> handlers are in handlers-controller.xml
>> 2. Why not use error.ftl in common-controller.xml instead of
>> error.jsp?
>> 3. Same question for plugins.
>>
>> I believe we could change all that and definitely get rid of
>> error.jsp (error.ftl is already in all supported release branches).
>>
>> What do you think?
>>
>> Jacques
>>
> Done with OFBIZ-11890
>
> Jacques
>
Re: Error.ftl everywhere
Posted by Jacques Le Roux <ja...@les7arts.com>.
On 05/07/2020 at 16:50, Jacques Le Roux wrote:
> Hi,
>
> While working on OFBIZ-11840 I thought about the solution I used for "[CVE-2020-1943] Apache OFBiz XSS Vulnerability"
>
> So I tried that:
>
> diff --git framework/common/webcommon/WEB-INF/common-controller.xml framework/common/webcommon/WEB-INF/common-controller.xml
> index e6f9394cd4..9291cdbece 100644
> --- framework/common/webcommon/WEB-INF/common-controller.xml
> +++ framework/common/webcommon/WEB-INF/common-controller.xml
> @@ -338,7 +338,7 @@ under the License.
> <!--========================== AJAX events =====================-->
>
> <!-- View Mappings -->
> - <view-map name="error" page="/error/error.jsp"/>
> + <view-map name="error" type="ftl" page="component://common/webcommon/error/Error.ftl"/>
> <view-map name="main" type="none"/>
> <view-map name="login" type="screen" page="component://common/widget/CommonScreens.xml#login"/>
> <view-map name="impersonated" type="screen" page="component://common/widget/CommonScreens.xml#impersonated"/>
> diff --git framework/common/webcommon/WEB-INF/handlers-controller.xml framework/common/webcommon/WEB-INF/handlers-controller.xml
> index be21b19fd9..1622d10ead 100644
> --- framework/common/webcommon/WEB-INF/handlers-controller.xml
> +++ framework/common/webcommon/WEB-INF/handlers-controller.xml
> @@ -42,4 +42,5 @@ under the License.
> <handler name="screenfop" type="view" class="org.apache.ofbiz.widget.renderer.fo.ScreenFopViewHandler"/>
> <handler name="jsp" type="view" class="org.apache.ofbiz.webapp.view.JspViewHandler"/>
> <handler name="http" type="view" class="org.apache.ofbiz.webapp.view.HttpViewHandler"/>
> + <handler name="ftl" type="view" class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/>
> </site-conf>
>
> It does not fix the OFBIZ-11840 issue, but it works: I mean it correctly replaces error.jsp with error.ftl.
>
> A few questions:
>
> 1. Why have the ftl handlers only in the webtools controller? BTW, it makes the XSD documentation awkward because it says the ftl handlers are in handlers-controller.xml
> 2. Why not use error.ftl in common-controller.xml instead of error.jsp?
> 3. Same question for plugins.
>
> I believe we could change all that and definitely get rid of error.jsp (error.ftl is already in all supported release branches).
>
> What do you think?
>
> Jacques
>
Done with OFBIZ-11890
Jacques