Posted to commits@ofbiz.apache.org by jl...@apache.org on 2014/01/11 21:36:40 UTC

svn commit: r1557465 - in /ofbiz/branches/release11.04: ./ framework/common/src/org/ofbiz/common/ framework/common/webcommon/WEB-INF/ framework/common/widget/ framework/images/webapp/images/ specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/ specialpur...

Author: jleroux
Date: Sat Jan 11 20:36:39 2014
New Revision: 1557465

URL: http://svn.apache.org/r1557465
Log:
"Applied fix from trunk for revision: 1557462  " (2 conflicts handled by hand)
------------------------------------------------------------------------
r1557462 | jleroux | 2014-01-11 21:26:30 +0100 (sam. 11 janv. 2014) | 4 lignes

A modified patch from Gareth Carter for "JSON Response does not set http status on error" https://issues.apache.org/jira/browse/OFBIZ-5409

This is rather a defensive patch which secures JSON responses on service calls.
It might need some changes in custom code if (not recommended) an Ajax GET response is used... The util.js script is introduced for that, though normally it should not be needed...
------------------------------------------------------------------------

Added:
    ofbiz/branches/release11.04/framework/images/webapp/images/util.js   (with props)
Modified:
    ofbiz/branches/release11.04/   (props changed)
    ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java
    ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml
    ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml
    ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
    ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml

Propchange: ofbiz/branches/release11.04/
------------------------------------------------------------------------------
  Merged /ofbiz/trunk:r1557462

Modified: ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java (original)
+++ ofbiz/branches/release11.04/framework/common/src/org/ofbiz/common/CommonEvents.java Sat Jan 11 20:36:39 2014
@@ -68,7 +68,21 @@ public class CommonEvents {
 
     public static final String module = CommonEvents.class.getName();
 
-    public static UtilCache<String, Map<String, String>> appletSessions = UtilCache.createUtilCache("AppletSessions", 0, 600000, true);
+    static final String[] ignoreAttrs = new String[] { // Removed for security reason; _ERROR_MESSAGE_ is kept
+        "javax.servlet.request.key_size",
+        "_CONTEXT_ROOT_",
+        "_FORWARDED_FROM_SERVLET_",
+        "javax.servlet.request.ssl_session",
+        "javax.servlet.request.ssl_session_id",
+        "multiPartMap",
+        "javax.servlet.request.cipher_suite",
+        "targetRequestUri",
+        "_SERVER_ROOT_URL_",
+        "_CONTROL_PATH_",
+        "thisRequestUri"
+    };
+
+    private static final UtilCache<String, Map<String, String>> appletSessions = UtilCache.createUtilCache("AppletSessions", 0, 600000, true);
 
     public static String checkAppletRequest(HttpServletRequest request, HttpServletResponse response) {
         Delegator delegator = (Delegator) request.getAttribute("delegator");
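Review bot: The new `ignoreAttrs` field is package-private and a plain array, so `final` only pins the reference; any class in `org.ofbiz.common` can still overwrite an entry of the deny list at runtime, and nothing documents that the list is meant to be closed. Prefer `private static final Set<String> IGNORE_ATTRS = Collections.unmodifiableSet(new HashSet<String>(Arrays.asList(...)))`, or at minimum `private static final String[]`. Separately, the comment this commit adds to the controller files ("tries to keep only the initially called service attributes") does not match what the code does: only these eleven names are stripped, so any other request attribute set by an earlier event or filter is still serialized into the JSON response; an allow-list derived from the called service's OUT parameters would match the stated intent, and the field comment should say which of the two strategies is in force. The class body continues outside the hunk.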
@@ -266,22 +280,39 @@ public class CommonEvents {
 
     public static String jsonResponseFromRequestAttributes(HttpServletRequest request, HttpServletResponse response) {
         // pull out the service response from the request attribute
+
         Map<String, Object> attrMap = UtilHttp.getJSONAttributeMap(request);
 
+        for (String ignoreAttr : ignoreAttrs) {
+            if (attrMap.containsKey(ignoreAttr)) {
+                attrMap.remove(ignoreAttr);
+            }
+        }
+
         // create a JSON Object for return
         JSONObject json = JSONObject.fromObject(attrMap);
-        writeJSONtoResponse(json, response);
+        writeJSONtoResponse(json, request.getMethod(), response);
 
         return "success";
     }
 
-    private static void writeJSONtoResponse(JSON json, HttpServletResponse response) {
+    private static void writeJSONtoResponse(JSON json, String httpMethod, HttpServletResponse response) {
         String jsonStr = json.toString();
         if (jsonStr == null) {
             Debug.logError("JSON Object was empty; fatal error!", module);
             return;
         }
 
+        // This was added for security reason (OFBIZ-5409), you might need to remove the "//" prefix when handling the JSON response
+        // Though normally you simply have to access the data you want, so should not be annoyed by the "//" prefix
+        if ("GET".equalsIgnoreCase(httpMethod)) {
+            Debug.logWarning("for security reason (OFBIZ-5409) the the '//' prefix was added handling the JSON response.  " +
+                    "Normally you simply have to access the data you want, so should not be annoyed by the '//' prefix." +
+                    "You might need to remove it if you use Ajax GET responses (not recommended)." +
+                    "In case, the util.js scrpt is there to help you", module);
+            jsonStr = "//" + jsonStr;
+        }
+
         // set the X-JSON content type
         response.setContentType("application/x-json");
         // jsonStr.length is not reliable for unicode characters
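Review bot: The warning added in writeJSONtoResponse fires on every GET JSON response, so any page that polls a JSON request will flood the log at WARNING level, and the message itself carries two typos ("the the", "scrpt"). Log it at verbose level with the text fixed, e.g. `Debug.logVerbose("For security reason (OFBIZ-5409) the '//' prefix was added to the JSON response; util.js strips it for jQuery callers. Ajax GET responses are not recommended.", module);`. In jsonResponseFromRequestAttributes the `containsKey` test before `remove` is redundant — `attrMap.remove(ignoreAttr);` alone is enough. The `//` prefix is a JavaScript line comment, so the mitigation presumably only holds while `json.toString()` emits a single line; a short comment next to `jsonStr = "//" + jsonStr;` stating that assumption would keep it visible to whoever changes the serializer. writeJSONtoResponse continues outside the hunk.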
@@ -338,7 +369,7 @@ public class CommonEvents {
             }
         }
 
-        writeJSONtoResponse(jsonUiLabel, response);
+        writeJSONtoResponse(jsonUiLabel, request.getMethod(), response);
         return "success";
     }
 
@@ -378,7 +409,7 @@ public class CommonEvents {
             }
         }
 
-        writeJSONtoResponse(jsonUiLabel, response);
+        writeJSONtoResponse(jsonUiLabel, request.getMethod(), response);
         return "success";
     }
 
@@ -439,8 +470,7 @@ public class CommonEvents {
                 int charDim = Math.max(maxAdvance, fontHeight);
                 int halfCharDim = (charDim / 2);
 
-                BufferedImage charImage =
-                    new BufferedImage(charDim, charDim, BufferedImage.TYPE_INT_ARGB);
+                BufferedImage charImage = new BufferedImage(charDim, charDim, BufferedImage.TYPE_INT_ARGB);
                 Graphics2D charGraphics = charImage.createGraphics();
                 charGraphics.translate(halfCharDim, halfCharDim);
                 double angle = (Math.random() - 0.5) * rotationRange;

Modified: ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml (original)
+++ ofbiz/branches/release11.04/framework/common/webcommon/WEB-INF/common-controller.xml Sat Jan 11 20:36:39 2014
@@ -185,7 +185,7 @@ under the License.
     </request-map>
 
     <!-- Common json reponse events, chain these after events to send json reponses -->
-    <!-- Standard json response, uses all compatible request attributes -->
+    <!-- Standard json response, For security reason (OFBIZ-5409) tries to keep only the initially called service attributes -->
     <request-map uri="json">
         <security direct-request="false"/>
         <event type="java" path="org.ofbiz.common.CommonEvents" invoke="jsonResponseFromRequestAttributes"/>

Modified: ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml (original)
+++ ofbiz/branches/release11.04/framework/common/widget/CommonScreens.xml Sat Jan 11 20:36:39 2014
@@ -165,7 +165,8 @@ under the License.
                 <set field="layoutSettings.javaScripts[]" value="/images/GooglemapMarkers.js" global="true"/>
                 <set field="layoutSettings.javaScripts[]" value="/images/getDependentDropdownValues.js" global="true"/>
                 <set field="layoutSettings.javaScripts[]" value="/images/selectMultipleRelatedValues.js" global="true"/>
-
+                <set field="layoutSettings.javaScripts[]" value="/images/util.js" global="true" />
+                
                 <set field="layoutSettings.commonHeaderImageLinkUrl" from-field="layoutSettings.commonHeaderImageLinkUrl" default-value="main" global="true"/>
                 <set field="visualThemeId" from-field="userPreferences.VISUAL_THEME" global="true"/>
                 <service service-name="getVisualThemeResources">

Added: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/framework/images/webapp/images/util.js?rev=1557465&view=auto
==============================================================================
--- ofbiz/branches/release11.04/framework/images/webapp/images/util.js (added)
+++ ofbiz/branches/release11.04/framework/images/webapp/images/util.js Sat Jan 11 20:36:39 2014
@@ -0,0 +1,21 @@
+jQuery.ajaxSetup({
+  dataFilter: function(data, type) {
+    var prefixes = ['//', 'while(true);', 'for(;;);'],
+    i,
+    l,
+    pos;
+
+    if (type != 'json' && type != 'jsonp') {
+      return data;
+    }
+
+    for (i = 0, l = prefixes.length; i < l; i++) {
+      pos = data.indexOf(prefixes[i]);
+      if (pos === 0) {
+        return data.substring(prefixes[i].length);
+      }
+    }
+
+    return data;
+  }
+});
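Review bot: The prefix test `data.indexOf(prefixes[i]) === 0` scans the whole response body for each prefix before the position is compared; `data.lastIndexOf(prefixes[i], 0) === 0` checks only the start of the string. The filter also assumes `data` is a string — for `type === 'jsonp'` the value handed to `dataFilter` may not be one, in which case `data.indexOf` throws — so guard with `if (typeof data !== 'string') { return data; }` before the loop, and use strict `!==` in `type != 'json' && type != 'jsonp'` to match the `=== 0` below. A short header comment explaining that this strips the `//` prefix added server-side by CommonEvents for OFBIZ-5409 would help, as would a note that any caller passing its own `dataFilter` to `jQuery.ajax`/`ajaxSetup` presumably replaces this one and loses the stripping.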

Propchange: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
------------------------------------------------------------------------------
    svn:keywords = Date Rev Author URL Id

Propchange: ofbiz/branches/release11.04/framework/images/webapp/images/util.js
------------------------------------------------------------------------------
    svn:mime-type = text/plain

Modified: ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml (original)
+++ ofbiz/branches/release11.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml Sat Jan 11 20:36:39 2014
@@ -162,7 +162,7 @@ under the License.
     </request-map>
 
     <!-- Common json reponse events, chain these after events to send json reponses -->
-    <!-- Standard json response, uses all compatible request attributes -->
+    <!-- Standard json response, For security reason (OFBIZ-5409) tries to keep only the initially called service attributes -->
     <request-map uri="json">
         <security direct-request="false"/>
         <event type="java" path="org.ofbiz.common.CommonEvents" invoke="jsonResponseFromRequestAttributes"/>

Modified: ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml?rev=1557465&r1=1557464&r2=1557465&view=diff
==============================================================================
--- ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml (original)
+++ ofbiz/branches/release11.04/specialpurpose/webpos/webapp/webpos/WEB-INF/controller.xml Sat Jan 11 20:36:39 2014
@@ -96,7 +96,7 @@
     <!-- End of Security Mappings -->
 
     <!-- Common json reponse events, chain these after events to send json reponses -->
-    <!-- Standard json response, uses all compatible request attributes -->
+    <!-- Standard json response, For security reason (OFBIZ-5409) tries to keep only the initially called service attributes -->
     <request-map uri="json">
         <security direct-request="false"/>
         <event type="java" path="org.ofbiz.common.CommonEvents" invoke="jsonResponseFromRequestAttributes"/>