Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/04 11:31:51 UTC

[ofbiz-framework] 02/02: Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 4ab4b15ade3fb544de25d259123c0ec2c5ce9df7
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 4 12:28:47 2022 +0100

    Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
    
    Despite OFBIZ-11407, the 2 values secretRequired and especially
    allowedRequestAttributesPattern are commented out because of OFBIZ-12558
    
    The Tomcat default values will be used as recommended by
    https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
    This is in relation with
    https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
    and
    https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
    
    Thanks: Lion Tree for report
    
    Conflicts handled by hand in framework/catalina/ofbiz-component.xml
---
 framework/catalina/ofbiz-component.xml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index 176a36e..c30f231 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -74,9 +74,17 @@ under the License.
             <property name="secure" value="false"/>
             <property name="URIEncoding" value="UTF-8"/>
             <property name="xpoweredBy" value="false"/>
-            <property name="secretRequired" value="false"/>
-            <property name="allowedRequestAttributesPattern" value=".*"/> 
             <!-- AJP/13 connector attributes -->
+            <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558
+                 The Tomcat default values will be used as recommended by 
+                 https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
+                 This is in relation with 
+                 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
+                 and
+                 https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors 
+            -->
+            <!-- <property name="secretRequired" value="false"/>
+            <property name="allowedRequestAttributesPattern" value=".*"/> -->
             <!-- commented out because the values match the Tomcat defaults:
             <property name="tomcatAuthentication" value="true"/>
             <property name="allowTrace" value="false"/>
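Review bot: the explanatory comment added at the top of this hunk says why `secretRequired` and `allowedRequestAttributesPattern` are disabled but not what relying on the Tomcat defaults means for an operator; since the commit deliberately falls back to those defaults (where `secretRequired` is true), consider adding one line to that comment noting that an AJP `secret` must now be configured on the connector, or the AJP connector disabled, otherwise the connector will not accept requests. Also, three of the new comment lines (`The Tomcat default values will be used as recommended by `, `This is in relation with `, and the `security-howto.html#Connectors ` line) carry trailing whitespace, and leaving the old `secretRequired="false"` / `allowedRequestAttributesPattern=".*"` pair in a comment invites it to be uncommented as-is later; a comment that only names the two properties, without their previous insecure values, would be safer.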