You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jl...@apache.org on 2021/03/29 11:25:23 UTC
[ofbiz-plugins] branch release17.12 updated: Improved: Comment out
the SOAP and HTTP engines (OFBIZ-12212)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 32a310c Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
32a310c is described below
commit 32a310ca143717efc9f6d1167450b3e5a508ee14
Author: Jacques Le Roux <ja...@les7arts.com>
AuthorDate: Mon Mar 29 13:13:55 2021 +0200
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.
Here is the email content:
After the recent fix for the CVE-2021-26295[1] we discussed with the security
team about the opportunity need to comment out the SOAP and HTTP engines
like we did in the past for RMI[2], this obviously for security reason.
[1] OFBIZ-12167 "Adds a blacklist (to be
renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related
code because of the Java deserialization issue [CVE-2016-2170] "
I just put a small comment in webtools and scrumm controllers, it should be
enough.
The tests pass
Conflicts handled by hand
scrum/servicedef/services.xml
---
ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 4 ++--
scrum/servicedef/services.xml | 12 ++++++------
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 4d8c94b..6e72dc8 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -25,7 +25,7 @@ under the License.
<handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
<handler name="groovy" type="request" class="org.apache.ofbiz.webapp.event.GroovyEventHandler"/>
- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/>
+ <!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
<handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
<handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
<handler name="simple" type="request" class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/>
@@ -134,7 +134,7 @@ under the License.
<request-map uri="setSessionLocale">
<security https="false" auth="false"/>
<event type="java" path="org.apache.ofbiz.common.CommonEvents" invoke="setSessionLocale"/>
- <response name="success" type="request-redirect" value="fromSetSessionLocale"/>
+ <response name="success" type="request-redirect" value="fromSetSessionLocale"/>
<response name="error" type="view" value="main"/>
</request-map>
diff --git a/scrum/servicedef/services.xml b/scrum/servicedef/services.xml
index 315f358..375f251 100644
--- a/scrum/servicedef/services.xml
+++ b/scrum/servicedef/services.xml
@@ -221,14 +221,14 @@ under the License.
<service name="checkSprintStatus" engine="simple" auth="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="checkSprintStatus">
</service>
- <service name="checkScrumPlanHour" engine="simple" auth="true"
+ <service name="checkScrumPlanHour" engine="simple" auth="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="checkScrumPlanHour">
<attribute name="workEffortId" type="String" mode="IN" optional="true"/>
<attribute name="custRequestId" type="String" mode="IN" optional="true"/>
<attribute name="planHours" type="Double" mode="IN" optional="true"/>
<attribute name="allow" type="Boolean" mode="OUT" optional="false"/>
</service>
- <service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
+ <service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="reOrderProductBacklogItemSequenceNumber">
<attribute name="productId" type="String" mode="IN" optional="false"/>
</service>
@@ -250,11 +250,11 @@ under the License.
<description>Updates the Timesheet status back to in process to be able to correct errors</description>
<auto-attributes include="pk" mode="IN" optional="false"/>
</service>
-
- <service name="updateScrumRevision" engine="soap" export="true"
+ <!-- The service below has been commented out for security reason, see OFBIZ-12212 -->
+ <!-- <service name="updateScrumRevision" engine="soap" export="true"
location="http://www.example.com/webtools/control/SOAPService" invoke="updateScrumRevisionChange">
<implements service="updateScrumRevisionChange"/>
- </service>
+ </service> -->
<service name="updateScrumRevisionChange" engine="simple" export="true" validate="false" require-new-transaction="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="updateScrumRevisionChange">
<description>Update Scrum Revision Change</description>
@@ -287,7 +287,7 @@ under the License.
<service name="linkToProduct" engine="java" auth="true"
location="org.apache.ofbiz.scrum.ScrumServices" invoke="linkToProduct">
- <description>check when a comunication event is created if the subject contains the PD# string, if so
+ <description>check when a comunication event is created if the subject contains the PD# string, if so
try to find the customer request and link it to the communication event..
</description>
<attribute name="communicationEventId" type="String" mode="IN" optional="false"/>