Posted to commits@ofbiz.apache.org by jl...@apache.org on 2022/02/04 11:31:51 UTC
[ofbiz-framework] 02/02: Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
commit 4ab4b15ade3fb544de25d259123c0ec2c5ce9df7
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Fri Feb 4 12:28:47 2022 +0100
Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 (OFBIZ-12558)
Despite OFBIZ-11407, the 2 values secretRequired and especially
allowedRequestAttributesPattern are commented out because of OFBIZ-12558
The Tomcat default values will be used as recommended by
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is in relation with
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and
https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
Thanks: Lion Tree for report
Conflicts handled by hand in framework/catalina/ofbiz-component.xml
---
framework/catalina/ofbiz-component.xml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/framework/catalina/ofbiz-component.xml b/framework/catalina/ofbiz-component.xml
index 176a36e..c30f231 100644
--- a/framework/catalina/ofbiz-component.xml
+++ b/framework/catalina/ofbiz-component.xml
@@ -74,9 +74,17 @@ under the License.
<property name="secure" value="false"/>
<property name="URIEncoding" value="UTF-8"/>
<property name="xpoweredBy" value="false"/>
- <property name="secretRequired" value="false"/>
- <property name="allowedRequestAttributesPattern" value=".*"/>
<!-- AJP/13 connector attributes -->
+ <!-- Despite OFBIZ-11407, the 2 values below are commented out because of OFBIZ-12558
+ The Tomcat default values will be used as recommended by
+ https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
+ This is in relation with
+ https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
+ and
+ https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
+ -->
+ <!-- <property name="secretRequired" value="false"/>
+ <property name="allowedRequestAttributesPattern" value=".*"/> -->
<!-- commented out because the values match the Tomcat defaults:
<property name="tomcatAuthentication" value="true"/>
<property name="allowTrace" value="false"/>
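Review bot: the hunk drops the explicit `secretRequired="false"` in favour of the Tomcat default, but neither the new XML comment nor the commit message tells operators what that default implies: with the 9.0.31+ behaviour referenced in the linked ajp.html page, the AJP connector refuses connections unless a `secret` is configured, so a deployment that still fronts OFBiz with an AJP proxy will need a matching `secret` on both sides (or the connector disabled) before this release is rolled out. Suggest adding one line to the comment, e.g. `Setting secretRequired to the Tomcat default means a "secret" property must be configured for the AJP connector to accept connections.` A second point on the same hunk: keeping the removed values commented out as `<!-- <property name="secretRequired" value="false"/>` / `<property name="allowedRequestAttributesPattern" value=".*"/> -->` preserves the exact insecure settings one uncomment away; `.*` forwards arbitrary request attributes from the AJP client, which is precisely what the Tomcat default restricts. Either delete the two commented lines or replace them with the hardened form (`secretRequired="true"` plus a placeholder `secret`) so that re-enabling them does not silently reintroduce OFBIZ-12558.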