Author: lektran
Date: Thu Dec 10 01:24:14 2009
New Revision: 889050

URL: http://svn.apache.org/viewvc?rev=889050&view=rev
Log:
Merged from trunk r889040:
Reverted previous temporary security fix for request parameters being directly 
inserted into survey forms and changed all SurveyWrapper instances using this 
method to instead store the parameter map in the session temporarily.

Note: This is a partial merge as some affected request mappings from the trunk 
ordermgr controller do not exist in this release

Modified:
    
ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
    
ofbiz/branches/release09.04/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
    
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
    
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/controller.xml
    
ofbiz/branches/release09.04/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
    
ofbiz/branches/release09.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml

Modified: 
ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java?rev=889050&r1=889049&r2=889050&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
 (original)
+++ 
ofbiz/branches/release09.04/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
 Thu Dec 10 01:24:14 2009
@@ -101,13 +101,10 @@
      * @param passThru
      */
     public void setPassThru(Map passThru) {
-        /* Creates an XSS vulnerability, by passing incoming parameters 
straight back out to the browser
-         * commented until someone decides either cleanse the parameters or 
find an alternative solution
         if (passThru != null) {
             this.passThru = FastMap.newInstance();
             this.passThru.putAll(passThru);
         }
-        */
     }
 
     /**
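Review bot: Re-enabling the copy in setPassThru means whatever map a caller hands in is stored and, as the removed comment states, sent back to the browser, so the protection now rests entirely on callers passing only the session stash id and nothing in this method enforces or records that. The `@param passThru` line just above is empty (the Javadoc block starts outside the hunk); I would document the contract there, e.g. `@param passThru values to carry through to the rendered survey form; pass only values that are safe to emit, such as the _ORIG_PARAM_MAP_ID_ stash id, never the raw request parameter map`. A one-line comment inside the method pointing at UtilHttp.stashParameterMap as the intended source would help the next maintainer who is tempted to put getParameterMap back.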

Modified: 
ofbiz/branches/release09.04/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java?rev=889050&r1=889049&r2=889050&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
 (original)
+++ 
ofbiz/branches/release09.04/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
 Thu Dec 10 01:24:14 2009
@@ -463,7 +463,8 @@
                 if (surveyResponseId != null) {
                     surveyResponses = UtilMisc.toList(surveyResponseId);
                 } else {
-                    Map surveyContext = UtilHttp.getParameterMap(request);
+                    String origParamMapId = 
UtilHttp.stashParameterMap(request);
+                    Map<String, Object> surveyContext = UtilMisc.<String, 
Object>toMap("_ORIG_PARAM_MAP_ID_", origParamMapId);
                     GenericValue userLogin = cart.getUserLogin();
                     String partyId = null;
                     if (userLogin != null) {
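Review bot: The key `"_ORIG_PARAM_MAP_ID_"` is spelled out as a string literal here and again in ProductDetail.groovy (L99) and ProductStoreWorker (L161), and the restore side in SurveyEvents presumably looks it up by the same literal; a shared constant (for instance beside stashParameterMap, or on SurveyWrapper) would keep the stash and restore sides from drifting. A second point worth confirming, since stashParameterMap itself is not in this diff: this branch now stashes the full parameter map into the session every time the survey is rendered, and if entries are only removed when createSurveyResponseAndRestoreParameters runs, abandoned surveys leave one parameter map per page view in the session for its lifetime. A bounded stash, or removing the previous entry before adding a new one, would cap that growth. The enclosing method continues outside the hunk.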

Modified: 
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy?rev=889050&r1=889049&r2=889050&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
 (original)
+++ 
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
 Thu Dec 10 01:24:14 2009
@@ -146,7 +146,8 @@
     productSurvey = ProductStoreWorker.getProductSurveys(delegator, 
productStoreId, productId, "CART_ADD");
     if (productSurvey) {
         survey = EntityUtil.getFirst(productSurvey);
-        surveyContext = UtilHttp.getParameterMap(request);
+        origParamMapId = UtilHttp.stashParameterMap(request);
+        surveyContext = ["_ORIG_PARAM_MAP_ID_" : origParamMapId];
         surveyPartyId = userLogin?.partyId;
         wrapper = new ProductStoreSurveyWrapper(survey, surveyPartyId, 
surveyContext);
         context.surveyWrapper = wrapper;

Modified: 
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/controller.xml
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/controller.xml?rev=889050&r1=889049&r2=889050&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/controller.xml
 (original)
+++ 
ofbiz/branches/release09.04/applications/order/webapp/ordermgr/WEB-INF/controller.xml
 Thu Dec 10 01:24:14 2009
@@ -391,7 +391,7 @@
     </request-map>
     <request-map uri="additemsurvey">
         <security https="true" auth="true"/>
-        <event type="service" invoke="createSurveyResponse"/>
+        <event type="java" invoke="createSurveyResponseAndRestoreParameters" 
path="org.ofbiz.content.survey.SurveyEvents"/>
         <response name="success" type="request" value="additem"/>
         <response name="error" type="request" value="orderentry"/>
     </request-map>
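Review bot: The new java event receives `_ORIG_PARAM_MAP_ID_` as an ordinary form field, so the id arrives from the browser and can be altered by the client; createSurveyResponseAndRestoreParameters in SurveyEvents (not part of this diff) should resolve it only against the submitting request's own session and reject a missing or unknown id rather than fall back to any other stashed map — worth confirming, as the handler's lookup isn't visible here. The restored values are the original request parameters and keep that trust level; nothing downstream should treat them as validated because they came out of the session. The same mapping change is made for the ecommerce `additemsurvey`, `profilesurvey` and `minipoll` request-maps (L183–L184, L193–L194, L201–L202), and two of those run with `auth="false"`, so the stash is created for anonymous sessions as well.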

Modified: 
ofbiz/branches/release09.04/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java?rev=889050&r1=889049&r2=889050&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
 (original)
+++ 
ofbiz/branches/release09.04/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
 Thu Dec 10 01:24:14 2009
@@ -421,9 +421,9 @@
         return returnShippingMethods;
     }
 
-    public static ProductStoreSurveyWrapper 
getRandomSurveyWrapper(ServletRequest request, String groupName) {
+    public static ProductStoreSurveyWrapper 
getRandomSurveyWrapper(HttpServletRequest request, String groupName) {
         GenericValue productStore = getProductStore(request);
-        HttpSession session = ((HttpServletRequest)request).getSession();
+        HttpSession session = request.getSession();
         if (productStore == null) {
             return null;
         }
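Review bot: Changing the parameter type from ServletRequest to HttpServletRequest narrows the public signature of getRandomSurveyWrapper; any caller outside this diff that holds a plain ServletRequest stops compiling, and the commit log does not mention callers being updated, so this deserves a check before it ships on a release branch. If the narrowing is intended (the method needs getSession(), so it is reasonable), a one-line Javadoc `@param request the current HTTP request; its session is used to stash the request parameters for the survey form` would record why. Separately, `request.getSession()` now runs before the `productStore == null` return, so a session is created even for requests that immediately return null; moving the session lookup below that check avoids it (the ordering predates this hunk). The method's body continues into the next hunk.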
@@ -434,7 +434,8 @@
         }
 
         String partyId = userLogin != null ? userLogin.getString("partyId") : 
null;
-        Map<String, Object> passThruFields = 
UtilHttp.getParameterMap(((HttpServletRequest)request));
+        String origParamMapId = UtilHttp.stashParameterMap(request);
+        Map<String, Object> passThruFields = UtilMisc.<String, 
Object>toMap("_ORIG_PARAM_MAP_ID_", origParamMapId);
 
         return getRandomSurveyWrapper(productStore.getDelegator(), 
productStore.getString("productStoreId"), groupName, partyId, passThruFields);
     }

Modified: 
ofbiz/branches/release09.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
URL: 
http://svn.apache.org/viewvc/ofbiz/branches/release09.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml?rev=889050&r1=889049&r2=889050&view=diff
==============================================================================
--- 
ofbiz/branches/release09.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
 (original)
+++ 
ofbiz/branches/release09.04/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
 Thu Dec 10 01:24:14 2009
@@ -247,7 +247,7 @@
 
     <request-map uri="additemsurvey">
         <security https="false" auth="false"/>
-        <event type="service" invoke="createSurveyResponse"/>
+        <event type="java" invoke="createSurveyResponseAndRestoreParameters" 
path="org.ofbiz.content.survey.SurveyEvents"/>
         <response name="success" type="request" value="additem"/>
         <response name="error" type="view" value="main"/>
     </request-map>
@@ -1202,13 +1202,13 @@
     </request-map>
     <request-map uri="profilesurvey">
         <security https="true" auth="true"/>
-        <event type="service" invoke="createSurveyResponse"/>
+        <event type="java" invoke="createSurveyResponseAndRestoreParameters" 
path="org.ofbiz.content.survey.SurveyEvents"/>
         <response name="success" type="view" value="profilesurvey"/>
         <response name="error" type="view" value="profilesurvey"/>
     </request-map>
     <request-map uri="minipoll">
         <security https="false" auth="false"/>
-        <event type="service" invoke="createSurveyResponse"/>
+        <event type="java" invoke="createSurveyResponseAndRestoreParameters" 
path="org.ofbiz.content.survey.SurveyEvents"/>
         <response name="success" type="view" value="main"/>
         <response name="error" type="view" value="main"/>
     </request-map>

