[ 
https://issues.apache.org/jira/browse/OFBIZ-13130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895565#comment-17895565
 ] 

Jacques Le Roux commented on OFBIZ-13130:
-----------------------------------------

Hi Sebastian,

Sorry to bother you. I stumbled upon a weird issue in Eclipse while browsing a 
controller file with "auth=" in (e.g. common-controller.xml)

While over "auth=", it says: 
bq. cvc-complex-type.3.2.2: Attribute 'auth' is not allowed to appear in 
element 'view-map'.

I checked all is correct in site-conf.xsd and it's present at 
https://ofbiz.apache.org/dtds/site-conf.xsd
It's not a big deal but I really wonder why this happens.



> [CVE-2024-45195] Add permission check for view-maps and change defaults for 
> request-maps
> ----------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-13130
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13130
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS, ALL PLUGINS
>    Affects Versions: 18.12.15
>            Reporter: Sebastian Tschikin
>            Assignee: Sebastian Tschikin
>            Priority: Major
>             Fix For: 18.12.16
>
>
> If a user is not authorized, the system should not allow access to rendered 
> views.
> Additionally, the default for the request-map paramerters "auth" and "https" 
> should be set to "true".
> This improvement aims to enhance security by preventing unauthorized access.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to