1. 14 Oct, 2021 1 commit
  2. 12 Oct, 2021 1 commit
  3. 11 Oct, 2021 1 commit
    • Improved: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) · 3cb4e791
      Jacques Le Roux authored
      Prevents a useless inevitable warning by commenting out
      RequestWrapper::getParameterNames and with it all the unused methods in
      RequestWrapper class
      Also better comments CacheFilter::doFilter by giving its real and only goal:
      <<to prevent a post-auth security issue described in OFBIZ-12332>>
  4. 10 Oct, 2021 5 commits
  5. 09 Oct, 2021 1 commit
  6. 08 Oct, 2021 1 commit
    • Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) · 9c169891
      Jacques Le Roux authored
      As reported by Jie Zhu:
      <<The latest version of the OFBiz framework (17.12.08) is affected by an
      XMLRPC Remote Code Execution Vulnerability.
      This vulnerability is caused by incomplete patch repair of cve-2020-9496.>>
      Actually this is not an OFBiz bug (so not related to CVE-2020-9496)
      but an old XMLRPC bug (Archiva was(/is?) also affected):
      Unfortunately XMLRPC is no longer maintained, so it's OFBiz's responsibility to
      fix this bug.
      As the code that secures serialisation in OFBiz is not reached by this bug, the
      solution is to secure it at the ContextFilter class level (i.e. before it reaches
      secured serialisation in OFBiz source).
      Thanks: Jie Zhu for report and help.
  7. 02 Oct, 2021 1 commit
    • Fixed: Edit record in product promotion, "Promotion Last Modified Date" is... · 38c67d3d
      Jacques Le Roux authored
      Fixed: Edit record in product promotion, "Promotion Last Modified Date" is invalid, but don't notice to user (OFBIZ-12046)
      As Lalit reported it's not really a bug. But an annoying service transformation
      of updateProductPromo to entity-auto (I checked using R15.12). Note that
      createProductPromo is not affected
      I'm not sure other update services using entity-auto are not affected
      Thanks: Do Nhu Vy for report, Lalit Dashora for initial analysis
  8. 30 Sep, 2021 4 commits
  9. 29 Sep, 2021 1 commit
    • Improved: Improve velocity of PartyHelper.getPartyName() with the cache · 2d14be3c
      Nicolas Malin authored
      The class PartyHelper is massively used to resolve the name of a party without knowing its type.
           <field name="organizationPartyId" title="${uiLabelMap.ProductOrganization}">
               <display description="${groovy: org.apache.ofbiz.party.party.PartyHelper.getPartyName(delegator, organizationPartyId, true);} [${organizationPartyId}]"/>
      A party name has few changes over time, yet the PartyHelper.getPartyName function calls the database at each call.
      On a huge screen, we clearly see the database latency.
      So for cold data, there is no reason not to use the cache.
  10. 28 Sep, 2021 3 commits
    • Fixed: online help links don't get where they should (OFBIZ-12328) · 874e2dd0
      holivier authored
      Correction for content and accounting AR & AP
    • Fixed: ShoppingCart object does not recognize two products with different... · b9c8938b
      Nicolas Malin authored
      Fixed: ShoppingCart object does not recognize two products with different configurations (OFBIZ-12303)
      Adding two equal products with different configurations to the eCommerce cart results in qty aggregation instead of adding 2 separate cart lines.
      When we add a new configuration to the cart, we analyze all configuration options already present to know if this configuration case is already loaded and merge the quantity added.
      Thanks: Alexander Tzvetanov for raising this issue
    • Fixed: CategoryTree.groovy · 4ffbd8a2
      Nicolas Malin authored
      No functional change, review the code to down less it:
       * Use groovy syntax
       * Use DSL where it is not used as it should be
       * Add missing variable type, for most IDE analyser potential
  11. 27 Sep, 2021 4 commits
  12. 25 Sep, 2021 1 commit
  13. 23 Sep, 2021 2 commits
  14. 21 Sep, 2021 1 commit
  15. 20 Sep, 2021 1 commit
  16. 19 Sep, 2021 1 commit
  17. 17 Sep, 2021 6 commits
    • Fixed: Groovy Program sandbox bypass (OFBIZ-12305) · 6a7f3cd8
      Jacques Le Roux authored
      This much increases the current security by creating SecuredUpload::isValidText
      and calling it from ProgramExport.groovy
      This said I agree with thiscodecc that a better solution would be to use a
      Groovy sandbox, and not only in ProgramExport.groovy.
      I had a quick glance at such a solution. Unfortunately, as Cédric Champeau reports
      at https://melix.github.io/blog/2015/03/sandboxing.html and unlike what thiscodecc
      suggests, there are no "mature solutions on the market".
      Nevertheless I'll have a deeper look at an OFBiz specific Groovy sandbox
      Somehow related: I'll also soon extract the list of words used in
      SecuredUpload::isValidText in a deniedWebShellWords property in security.properties
      Thanks: thiscodecc for report
    • Fixed: Convert createInvoiceItemPayrol service from mini-lang to groovy DSL (OFBIZ-11503) · aa9caa1a
      Nicolas Malin authored
      Corrects the previous commit by removing the empty file InvoiceEvents.xml and reorienting the function createInvoiceItemPayrol from InvoiceServices.groovy to the new file InvoiceEvents.groovy
    • Improved: Convert createInvoiceItemPayrol service from mini-lang to groovy DSL (OFBIZ-11503) · 4112f1cb
      Nicolas Malin authored
      Thanks to Nitish Mishra for starting this issue
    • Fixed: Remove unnecessary variable instantiation · 8548f3a8
      Nicolas Malin authored
      No Functional change
    • Fixed: Groovy DSL failed to use 'run service' from an event call (OFBIZ-12322) · 32cca8a8
      Nicolas Malin authored
      When you call a groovy script from an event controller, some information is not present in the same place in the binding context.
      For example, if you call a groovy script as a service you find the userLogin with parameters.userLogin or, when you call it as an event, the userLogin is on the binding context root.
      The problem appears with the DSL method 'run service', which searches for the missing values needed by a service (userLogin, locale and timezone) in the parameters map of the binding context, and so fails to populate the information correctly for an event.
      Call from event
          Map serviceResult = run service: 'createInvoice', with: [partyId: partyId, invoiceDate: nowTimestamp]
      Failed due to security issue: missing userLogin on the service context.
    • Fixed: CVE-2021-37608 vulnerability bypass (OFBIZ-12307) · 71dbb3c8
      Jacques Le Roux authored
      Fixes a number of issues I spotted while working on OFBIZ-12305 in relation with
      The last change I made for OFBIZ-12305 was incomplete, the files could not be
      checked by SecuredUpload because they did not exist! This concerns
      ImageManagementServices, DataServices, FrameImage and ProductServices classes.
      I used Files::createTempFile to fix that.
      Also fixes a bug in SecuredUpload where I reversed the check on
      fileToCheck.length in Windows case. I also added a comment, Windows 10 now
      allows more length (need an OS parameter change though)
      Finally, creates public SecuredUpload::isValidText to be used in OFBIZ-12305
  18. 16 Sep, 2021 3 commits
  19. 15 Sep, 2021 2 commits