Posted to commits@ofbiz.apache.org by le...@apache.org on 2009/10/17 10:53:01 UTC

svn commit: r826201 - /ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java

Author: lektran
Date: Sat Oct 17 08:53:01 2009
New Revision: 826201

URL: http://svn.apache.org/viewvc?rev=826201&view=rev
Log:
Merged from trunk r826196
Fix security issue reported by Alexandre Mazari - OFBIZ-2747
Request parameters were being made available to surveys which in turn were sending them straight back to the browser creating an XSS vulnerability.
This isn't a true fix because I've simply disabled the functionality but at least the security hole is plugged.

Modified:
    ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java

Modified: ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java?rev=826201&r1=826200&r2=826201&view=diff
==============================================================================
--- ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java (original)
+++ ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java Sat Oct 17 08:53:01 2009
@@ -101,10 +101,13 @@
      * @param passThru
      */
     public void setPassThru(Map passThru) {
+        /* Creates an XSS vulnerability, by passing incoming parameters straight back out to the browser
+         * commented until someone decides either cleanse the parameters or find an alternative solution
         if (passThru != null) {
             this.passThru = FastMap.newInstance();
             this.passThru.putAll(passThru);
         }
+        */
     }
 
     /**
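Review bot: Commenting out the body of setPassThru leaves the method as a silent no-op, so any caller that still passes a map has no signal that its parameters are being dropped, and this.passThru is now never assigned here; every reader of that field downstream must tolerate it being unset (null), which is worth verifying before merging. At minimum, log a warning inside the method (or mark it deprecated in the Javadoc, which the hunk leaves unchanged) so the disabled behaviour is discoverable. The comment also admits this is a stopgap; the durable fix is to HTML-encode the pass-through values at the point where the survey writes them back into the page, rather than to keep the raw request parameters out of the map, and a follow-up issue should track that so the commented block does not linger as dead code.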