Jacques, as I said, this is a huge patch which spreads over many functionalities in the codebase.
It was submitted yesterday and got committed on the same day without enough time for others to review and test. You even acknowledged that you did not test.
How can this be considered as a valid base for a security fix without in-depth testing?
Michael Brohl
ecomify GmbH - www.ecomify.de

On 13.02.20 at 06:45, Jacques Le Roux wrote:

Hi Michael,

I'll backport to R17 and R17 because this will be needed to fix the CSRF vulnerability.

I was not clear with my saying. Actually the CSRF fix (OFBIZ-11316) depends upon OFBIZ-11317 because the CSRF fix uses the ofbizURL macro to set the CSRF token.

So without the changes in OFBIZ-11317 the ofbizURL macro would not apply to the cases fixed in OFBIZ-11317 and the CSRF vulnerability would not be fixed there.

So I should not even ask this question, OFBIZ-11316 depends on OFBIZ-11317 so OFBIZ-11317 needs to be backported.

I set all that already (as the link between OFBIZ-11316 and OFBIZ-11317 shows) but forgot about it.

Case closed, thanks for caring.

Jacques

On 12/02/2020 at 16:49, Michael Brohl wrote:

Hi Jacques,

what exactly are you going to do? And why?

OFBIZ-11317 contains a huge patch and we should be really careful backporting IMO.

Regards,
Michael Brohl
ecomify GmbH - www.ecomify.de

On 12.02.20 at 16:08, Jacques Le Roux wrote:

Hi All,

Even if OFBIZ-11306 does not directly depend upon it, it's safer to have been backported with it.

If nobody disagrees, I'll do so in a week.

Thanks
Jacques