[ https://issues.apache.org/jira/browse/OFBIZ-13130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895565#comment-17895565 ]
Jacques Le Roux commented on OFBIZ-13130:
-----------------------------------------

Hi Sebastian,

Sorry to bother you. I stumbled upon a weird issue in Eclipse while browsing a controller file with "auth=" in (e.g. common-controller.xml). While over "auth=", it says:

bq. cvc-complex-type.3.2.2: Attribute 'auth' is not allowed to appear in element 'view-map'.

I checked all is correct in site-conf.xsd and it's present at https://ofbiz.apache.org/dtds/site-conf.xsd

It's not a big deal but I really wonder why this happens.

> [CVE-2024-45195] Add permission check for view-maps and change defaults for
> request-maps
> ----------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-13130
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13130
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS, ALL PLUGINS
>    Affects Versions: 18.12.15
>            Reporter: Sebastian Tschikin
>            Assignee: Sebastian Tschikin
>            Priority: Major
>             Fix For: 18.12.16
>
>
> If a user is not authorized, the system should not allow access to rendered
> views.
> Additionally, the default for the request-map parameters "auth" and "https"
> should be set to "true".
> This improvement aims to enhance security by preventing unauthorized access.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
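As an added example (not code from OFBiz or from this issue), the following Python audit walks a constructed controller file and reports which request-maps and view-maps end up without an auth (or https) requirement, first under the assumed legacy default (a missing attribute treated as "false") and then under the "true" default the issue proposes. The element layout (a `<security>` child on request-map, an `auth` attribute on view-map) and the legacy default are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated on the page): before the OFBIZ-13130 change a missing
# auth/https attribute was treated as "false"; the fix makes "true" the default.
LEGACY_DEFAULT = "false"
FIXED_DEFAULT = "true"

# Constructed sample; the layout (<security> on request-map, auth on view-map) is assumed.
SAMPLE_CONTROLLER = """<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
  <request-map uri="main">
    <security https="true" auth="true"/>
    <response name="success" type="view" value="main"/>
  </request-map>
  <request-map uri="legacyReport">
    <response name="success" type="view" value="report"/>
  </request-map>
  <request-map uri="login">
    <security https="true" auth="false"/>
    <response name="success" type="view" value="login"/>
  </request-map>
  <view-map name="main" type="screen" page="component://common/widget/CommonScreens.xml#main"/>
  <view-map name="report" type="screen" page="component://common/widget/CommonScreens.xml#report"/>
  <view-map name="login" type="screen" auth="false" page="component://common/widget/CommonScreens.xml#login"/>
</site-conf>"""

def _local(tag):
    """Strip the XML namespace so tags compare by local name."""
    return tag.rsplit("}", 1)[-1]

def _weak_flags(kind, name, attrs, keys, default):
    """Yield a finding for each key whose effective value is not "true"."""
    for key in keys:
        value = attrs.get(key, default)
        if value != "true":
            how = "explicit" if key in attrs else "implicit default"
            yield (kind, name, f"{key}={value} ({how})")

def audit_controller(xml_text, default=LEGACY_DEFAULT):
    """Return (kind, name, detail) for every map left unprotected once `default` fills missing attributes."""
    findings = []
    for el in ET.fromstring(xml_text):
        kind = _local(el.tag)
        if kind == "request-map":
            sec = next((c for c in el if _local(c.tag) == "security"), None)
            attrs = sec.attrib if sec is not None else {}
            findings += _weak_flags(kind, el.get("uri"), attrs, ("auth", "https"), default)
        elif kind == "view-map":
            findings += _weak_flags(kind, el.get("name"), el.attrib, ("auth",), default)
    return findings
```

Running the audit twice shows the point of the change: under the legacy default the maps that never mention `auth` are reported as unprotected, while under the new default only the explicit `auth="false"` entries remain.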