Author: lektran
Date: Thu Dec 10 00:53:47 2009
New Revision: 889040
URL: http://svn.apache.org/viewvc?rev=889040&view=rev
Log:
Reverted the previous temporary security fix for request parameters being inserted
directly into survey forms, and changed all SurveyWrapper users of this method to
instead store the parameter map in the session temporarily.
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml
ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
---
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
(original)
+++
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
Thu Dec 10 00:53:47 2009
@@ -101,13 +101,10 @@
* @param passThru
*/
public void setPassThru(Map passThru) {
- /* Creates an XSS vulnerability, by passing incoming parameters
straight back out to the browser
- * commented until someone decides either cleanse the parameters or
find an alternative solution
if (passThru != null) {
this.passThru = FastMap.newInstance();
this.passThru.putAll(passThru);
}
- */
}
/**
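Review bot: The `@param passThru` tag on setPassThru is left empty, and with the XSS comment removed nothing records why storing this map is safe again; the protection now rests entirely on every caller passing only the `_ORIG_PARAM_MAP_ID_` token (as ShoppingCartEvents and ProductStoreWorker do in this revision) rather than raw request parameters that the wrapper echoes back into the rendered form. Suggest `@param passThru values carried through into the rendered survey form; never pass UtilHttp.getParameterMap(request) here — stash it with UtilHttp.stashParameterMap(request) and pass the returned id under _ORIG_PARAM_MAP_ID_`. The raw `Map` parameter could also be narrowed to `Map<String, ?>` to match the `Map<String, Object>` the callers now build.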
Modified:
ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
---
ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
(original)
+++
ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
Thu Dec 10 00:53:47 2009
@@ -464,7 +464,8 @@
if (surveyResponseId != null) {
surveyResponses = UtilMisc.toList(surveyResponseId);
} else {
- Map surveyContext = UtilHttp.getParameterMap(request);
+ String origParamMapId =
UtilHttp.stashParameterMap(request);
+ Map<String, Object> surveyContext = UtilMisc.<String,
Object>toMap("_ORIG_PARAM_MAP_ID_", origParamMapId);
GenericValue userLogin = cart.getUserLogin();
String partyId = null;
if (userLogin != null) {
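Review bot: The stash key `"_ORIG_PARAM_MAP_ID_"` is a bare string literal that this hunk, ProductDetail.groovy and ProductStoreWorker all repeat, and which SurveyEvents.createSurveyResponseAndRestoreParameters must spell identically to find the stashed map; a typo in any one of them silently drops the parameters. Define it once next to `stashParameterMap`, e.g. `public static final String ORIG_PARAM_MAP_ID = "_ORIG_PARAM_MAP_ID_";`, and reference it from all four places. Each pass through this branch also stores a full copy of the request parameters in the session, and nothing here removes it if the survey is never submitted; whether `stashParameterMap` caps or expires the stash is not visible in this revision and is worth confirming, since otherwise the session grows with every repeated request. The enclosing method starts and ends outside the hunk.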
Modified:
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
---
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
(original)
+++
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
Thu Dec 10 00:53:47 2009
@@ -150,7 +150,8 @@
productSurvey = ProductStoreWorker.getProductSurveys(delegator,
productStoreId, productId, "CART_ADD");
if (productSurvey) {
survey = EntityUtil.getFirst(productSurvey);
- surveyContext = UtilHttp.getParameterMap(request);
+ origParamMapId = UtilHttp.stashParameterMap(request);
+ surveyContext = ["_ORIG_PARAM_MAP_ID_" : origParamMapId];
surveyPartyId = userLogin?.partyId;
wrapper = new ProductStoreSurveyWrapper(survey, surveyPartyId,
surveyContext);
context.surveyWrapper = wrapper;
Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml
(original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml Thu
Dec 10 00:53:47 2009
@@ -428,7 +428,7 @@
</request-map>
<request-map uri="additemsurvey">
<security https="true" auth="true"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters"
path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="request" value="orderentry"/>
</request-map>
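Review bot: The new handler `org.ofbiz.content.survey.SurveyEvents.createSurveyResponseAndRestoreParameters`, and the `UtilHttp.stashParameterMap` it pairs with, are not among the files this revision modifies, so this request-map only works if both already exist in trunk; if they landed in a separate revision, the log message should reference it so the routing change is not applied in isolation. The same applies to the `addGiftCertificateSurvey` hunk below and to the `additemsurvey`, `profilesurvey` and `minipoll` request-maps in the ecommerce controller.xml. Switching from `type="service"` to `type="java"` presumably also bypasses whatever the service engine applied when invoking `createSurveyResponse` (its declared input validation and any permission checks), so the java event must re-apply those itself — worth verifying, as it is not visible here.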
@@ -528,7 +528,7 @@
</request-map>
<request-map uri="addGiftCertificateSurvey">
<security https="true" auth="false"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters"
path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="view" value="AddGiftCertificate"/>
</request-map>
Modified:
ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
---
ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
(original)
+++
ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
Thu Dec 10 00:53:47 2009
@@ -421,9 +421,9 @@
return returnShippingMethods;
}
- public static ProductStoreSurveyWrapper
getRandomSurveyWrapper(ServletRequest request, String groupName) {
+ public static ProductStoreSurveyWrapper
getRandomSurveyWrapper(HttpServletRequest request, String groupName) {
GenericValue productStore = getProductStore(request);
- HttpSession session = ((HttpServletRequest)request).getSession();
+ HttpSession session = request.getSession();
if (productStore == null) {
return null;
}
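Review bot: Narrowing the parameter of the public static `getRandomSurveyWrapper` from `ServletRequest` to `HttpServletRequest` changes the method descriptor, so any caller compiled against the old signature, or one passing a plain `ServletRequest`, breaks until rebuilt; for Groovy or template callers that may only surface at runtime. If external callers are a concern, keep a deprecated overload `getRandomSurveyWrapper(ServletRequest request, String groupName)` that casts and delegates to the new one. Dropping the cast on `request.getSession()` is correct given the new type.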
@@ -434,7 +434,8 @@
}
String partyId = userLogin != null ? userLogin.getString("partyId") :
null;
- Map<String, Object> passThruFields =
UtilHttp.getParameterMap(((HttpServletRequest)request));
+ String origParamMapId = UtilHttp.stashParameterMap(request);
+ Map<String, Object> passThruFields = UtilMisc.<String,
Object>toMap("_ORIG_PARAM_MAP_ID_", origParamMapId);
return getRandomSurveyWrapper(productStore.getDelegator(),
productStore.getString("productStoreId"), groupName, partyId, passThruFields);
}
Modified:
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
---
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
(original)
+++
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
Thu Dec 10 00:53:47 2009
@@ -247,7 +247,7 @@
<request-map uri="additemsurvey">
<security https="false" auth="false"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters"
path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="view" value="main"/>
</request-map>
@@ -1245,13 +1245,13 @@
</request-map>
<request-map uri="profilesurvey">
<security https="true" auth="true"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters"
path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="view" value="profilesurvey"/>
<response name="error" type="view" value="profilesurvey"/>
</request-map>
<request-map uri="minipoll">
<security https="false" auth="false"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters"
path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="view" value="main"/>
<response name="error" type="view" value="main"/>
</request-map>