(ofbiz-plugins) branch release24.09 updated: Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

Sat, 31 Jan 2026 07:45:10 -0800 

This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-plugins.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 31ad0861a Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
31ad0861a is described below

commit 31ad0861aca3626fe121d485d71eee50eb359788
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Jan 31 16:43:39 2026 +0100

    Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
    
    The SOAP and HTTP engines are open doors to security issues.
    At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them 
out
    as we did for RMI in the past.
---
 ecommerce/webapp/ecommerce/WEB-INF/controller.xml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml 
b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
index 3d7fa706b..2a0f67fd8 100644
--- a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
+++ b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -26,7 +26,10 @@ under the License.
 
     <handler name="java" type="request" 
class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
     <handler name="groovy" type="request" 
class="org.apache.ofbiz.webapp.event.GroovyEventHandler"/>
-    <!-- <handler name="soap" type="request" 
class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
+    <!-- The service below have been commented out for security reason, see 
OFBIZ-12212  -->
+    <!-- If you feel it's ok with you (e.g. totally secured Internet access, 
or rather
+         no access at all which is safer!) you may uncomment and use. -->
+     <!-- <handler name="soap" type="request" 
class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
     <handler name="service" type="request" 
class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
     <handler name="service-multi" type="request" 
class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
     <handler name="simple" type="request" 
class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/>

Reply via email to