OFBIZ-11317 is NOT a huge commit. It is nothing more than a removal of a
hard-coded path in 66 files spread over 4 commits. With impact, as
stated in the ticket, classified as minor. The code changes have been
tested by the project's CI, since incorporated into the code base and have
not led to breaking the code.

Best regards,

Pierre Smits
*Proud contributor (but without privileges) of* Apache OFBiz
<https://ofbiz.apache.org/>, since 2008

*Apache Trafodion <https://trafodion.apache.org>, Vice President*
*Apache Directory <https://directory.apache.org>, PMC Member*
Apache Incubator <https://incubator.apache.org>, committer
Apache Steve <https://steve.apache.org>, committer


On Thu, Feb 13, 2020 at 8:51 AM Jacques Le Roux <
[email protected]> wrote:

> Michael,
>
> Inline...
>
> On 13/02/2020 at 07:58, Michael Brohl wrote:
> > Jacques,
> >
> > as I said, this is a huge patch which spreads over many functionalities in
> > the codebase.
> >
> > It was submitted yesterday and got committed on the same day without
> enough time for others to review and test.
>
> You are mixing things up: the commit you speak about was only to complete one missing
> instance, spotted by Pierre Smits, in the commit done one month ago.
>
> Since then James and I have been working on OFBIZ-11306 (and not OFBIZ-11316 as written
> below) without any issues related to OFBIZ-11317, on which OFBIZ-11306
> depends.
>
> Actually we have been working on it for 2 months. Only one month ago I suggested
> to James to extract this part.
>
>
> > You even acknowledged that you did not test.
>
> Of course I test, every day for a month with OFBIZ-11306
>
>
> >
> > How can this be considered as a valid base for a security fix without
> in-depth testing?
>
> I think you got it answered
>
> Jacques
>
> >
> >
> > Michael Brohl
> >
> > ecomify GmbH - www.ecomify.de
> >
> >
> > On 13.02.20 at 06:45 Jacques Le Roux wrote:
> >> Hi Michael,
> >>
> >> I'll backport to R17 and R17 because this will be needed to fix the
> CSRF vulnerability.
> >>
> >> I was not clear with my saying. Actually the CSRF fix (OFBIZ-11316)
> depends upon OFBIZ-11317 because the CSRF fix uses the ofbizURL macro to
> set
> >> the CSRF token.
> >>
> >> So without the changes in OFBIZ-11317 the ofbizURL macro would not
> apply to the cases fixed in OFBIZ-11317 and the CSRF vulnerability would
> not be
> >> fixed there.
> >>
> >> So I should not even ask this question, OFBIZ-11316 depends on
> OFBIZ-11317 so OFBIZ-11317 needs to be backported
> >>
> >> I set all that already (as the link between OFBIZ-11316 and
> >> OFBIZ-11317 shows) but forgot about it.
> >>
> >> Case closed, thanks for caring.
> >>
> >> Jacques
> >>
> >> On 12/02/2020 at 16:49, Michael Brohl wrote:
> >>> Hi Jacques,
> >>>
> >>> what exactly are you going to do? And why?
> >>>
> >>> OFBIZ-11317 contains a huge patch and we should be really careful
> backporting IMO.
> >>>
> >>> Regards,
> >>>
> >>> Michael Brohl
> >>>
> >>> ecomify GmbH - www.ecomify.de
> >>>
> >>>
> >>> On 12.02.20 at 16:08 Jacques Le Roux wrote:
> >>>> Hi All,
> >>>>
> >>>> Even if OFBIZ-11306 does not directly depend upon it, it's safer to
> have been backported with it.
> >>>>
> >>>> If nobody disagrees, I'll do so in a week
> >>>>
> >>>> Thanks
> >>>>
> >>>> Jacques
> >>>>
> >>>
> >
>