On 05/07/2020 at 16:50, Jacques Le Roux wrote:
Hi,

While working on OFBIZ-11840 I thought about the solution I used for 
"[CVE-2020-1943] Apache OFBiz XSS Vulnerability"

So I tried that:

diff --git framework/common/webcommon/WEB-INF/common-controller.xml 
framework/common/webcommon/WEB-INF/common-controller.xml
index e6f9394cd4..9291cdbece 100644
--- framework/common/webcommon/WEB-INF/common-controller.xml
+++ framework/common/webcommon/WEB-INF/common-controller.xml
@@ -338,7 +338,7 @@ under the License.
     <!--========================== AJAX events =====================-->

     <!-- View Mappings -->
-    <view-map name="error" page="/error/error.jsp"/>
+    <view-map name="error" type="ftl" 
page="component://common/webcommon/error/Error.ftl"/>
     <view-map name="main" type="none"/>
     <view-map name="login" type="screen" 
page="component://common/widget/CommonScreens.xml#login"/>
     <view-map name="impersonated" type="screen" 
page="component://common/widget/CommonScreens.xml#impersonated"/>
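Review bot: the `page` attribute of the new error view-map names `Error.ftl` with a capital E while the message text refers to error.ftl; confirm the name matches the file exactly, since a component:// path is resolved against the filesystem and a case mismatch would break the error view on case-sensitive systems, which is the one view you least want to fail. This view-map also now depends on a view handler named `ftl` that this file does not declare itself; it only works for a webapp whose handler set registers it (handlers-controller.xml in this patch, or the webtools controller as today), so the two files must go in together.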
diff --git framework/common/webcommon/WEB-INF/handlers-controller.xml 
framework/common/webcommon/WEB-INF/handlers-controller.xml
index be21b19fd9..1622d10ead 100644
--- framework/common/webcommon/WEB-INF/handlers-controller.xml
+++ framework/common/webcommon/WEB-INF/handlers-controller.xml
@@ -42,4 +42,5 @@ under the License.
     <handler name="screenfop" type="view" 
class="org.apache.ofbiz.widget.renderer.fo.ScreenFopViewHandler"/>
     <handler name="jsp" type="view" 
class="org.apache.ofbiz.webapp.view.JspViewHandler"/>
     <handler name="http" type="view" 
class="org.apache.ofbiz.webapp.view.HttpViewHandler"/>
+    <handler name="ftl" type="view" 
class="org.apache.ofbiz.webapp.ftl.FreeMarkerViewHandler"/>
 </site-conf>
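Review bot: registering `ftl` here makes the FreeMarker view handler available to every webapp that loads handlers-controller.xml, which is what the new error view-map in common-controller.xml needs; the copy currently declared only in the webtools controller (question 1 below) becomes redundant and could be dropped in the same change, so the handler is defined in one place and the XSD documentation matches reality. Given the CVE-2020-1943 motivation, it is also worth confirming that the Error.ftl template escapes whatever it outputs, otherwise the switch away from error.jsp gains nothing.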

It does not fix the OFBIZ-11840 issue, but it works. I mean it correctly 
replaces error.jsp with error.ftl.

A few questions:

1. Why have the ftl handlers only in the webtools controller? BTW, it makes the 
   XSD documentation awkward because it says the ftl handlers are in 
   handlers-controller.xml.
2. Why not use error.ftl in common-controller.xml instead of error.jsp?
3. Same question for plugins.

I believe we could change all that and definitely get rid of error.jsp 
(error.ftl is already in all supported release branches).

What do you think?

Jacques

Done with OFBIZ-11890

Jacques
