Michael,

Inline...

On 13/02/2020 at 07:58, Michael Brohl wrote:
Jacques,

as I said, this is a huge patch which spreads over many functionalities in the codebase.

It was submitted yesterday and got committed on the same day without enough time for others to review and test.

You are confused: the commit you speak about was only to complete one missing instance, spotted by Pierre Smits, in the commit done one month ago.

Since then James and I have been working on OFBIZ-11306 (and not OFBIZ-11316 as written below) without any issues related to OFBIZ-11317, on which OFBIZ-11306 depends.

Actually we have been working on it for 2 months. Only one month ago I suggested to James that he extract this part.


You even acknowledged that you did not test.

Of course I test, every day for a month with OFBIZ-11306.



How can this be considered a valid base for a security fix without in-depth testing?

I think you got it answered

Jacques



Michael Brohl

ecomify GmbH - www.ecomify.de


On 13.02.20 at 06:45, Jacques Le Roux wrote:
Hi Michael,

I'll backport to R17 and R17 because this will be needed to fix the CSRF vulnerability.

I was not clear with my saying. Actually the CSRF fix (OFBIZ-11316) depends upon OFBIZ-11317 because the CSRF fix uses the ofbizURL macro to set the CSRF token.

So without the changes in OFBIZ-11317 the ofbizURL macro would not apply to the cases fixed in OFBIZ-11317 and the CSRF vulnerability would not be fixed there.

So I should not even ask this question: OFBIZ-11316 depends on OFBIZ-11317, so OFBIZ-11317 needs to be backported.

I set all that already (as the link between OFBIZ-11316 and OFBIZ-11317 shows) but forgot about it.

Case closed, thanks for caring.

Jacques

On 12/02/2020 at 16:49, Michael Brohl wrote:
Hi Jacques,

what exactly are you going to do? And why?

OFBIZ-11317 contains a huge patch and we should be really careful backporting IMO.

Regards,

Michael Brohl

ecomify GmbH - www.ecomify.de


On 12.02.20 at 16:08, Jacques Le Roux wrote:
Hi All,

Even if OFBIZ-11306 does not directly depend upon it, it's safer to have it backported with it.

If nobody disagrees, I'll do so in a week.

Thanks

Jacques


