This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git
The following commit(s) were added to refs/heads/release18.12 by this push:
     new 8926d68  Improved: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)
8926d68 is described below

commit 8926d686c9769c331139b7165692fb38509efe81
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Fri Feb 14 10:22:15 2020 +0100

    Improved: Temporarily comment out the "stream" request-map in ecommerce controller for security reason (OFBIZ-11348)

    No functional change, simply amend the comment
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 4a00dce..130ea4e 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -1821,10 +1821,11 @@ under the License. <response name="error" type="view" value="main"/> </request-map> -<!-- A vulnerability has been reported to the OFBiz security team. We were able to quickly and quietly fix it in supported versions, - but in the ecommerce component. To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily - comment out the "stream" request-map in ecommerce controller. We will later fix the specific issue in ecommerce to put back the - functionnalities allowed by the "stream" request-map in ecommerce controller. See OFBIZ-11348 --> +<!-- A vulnerability has been reported to the OFBiz security team. + To be able to release the 17.12.01 version with this vulnerability fixed we need to temporarily + comment out the "stream" request-map in this controller. We will later fix the specific issue to put back the + functionalities allowed by the "stream" request-map in this controller, see OFBIZ-11353 + This will be later be put back with OFBIZ-11349 --> <!-- <request-map uri="stream"> <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/> <response name="success" type="none"/>
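Review bot: The last added comment line, "This will be later be put back with OFBIZ-11349", has a doubled "be", and together with the preceding line it leaves the ticket references ambiguous: the comment now points at OFBIZ-11353 for the fix and OFBIZ-11349 for restoring the request-map, while the commit subject cites OFBIZ-11348, which the removed comment text also referenced. Suggest one sentence per ticket saying what it tracks (for example "specific issue fixed under OFBIZ-11353; request-map restored under OFBIZ-11349") so whoever re-enables "stream" knows which ticket must be closed first. The comment also still names the 17.12.01 release although this push is to release18.12; if the text is shared across branches, say so, otherwise name the release this branch feeds. Since the "stream" request-map stays commented out, it would help to note in the comment that it must not be uncommented until the referenced fix is in place.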