buildbot success in on ofbizBranch18FrameworkPlugins
The Buildbot has detected a restored build on builder ofbizBranch18FrameworkPlugins while building ofbiz-framework.
Full details are available at: https://ci.apache.org/builders/ofbizBranch18FrameworkPlugins/builds/599
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf947_ubuntu
Build Reason: downstream
Build Source Stamp: [branch release18.12] c5aeab0fe9845026533e1fbf9a46ec8f9c3292d5
Blamelist: Jacques Le Roux
Build succeeded!
Sincerely,
-The Buildbot
buildbot success in on ofbizBranch17FrameworkPlugins
The Buildbot has detected a restored build on builder ofbizBranch17FrameworkPlugins while building ofbiz-framework.
Full details are available at: https://ci.apache.org/builders/ofbizBranch17FrameworkPlugins/builds/705
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf947_ubuntu
Build Reason: downstream
Build Source Stamp: [branch release17.12] c859c6f63664ddc12f1ea19355af52d4710ba385
Blamelist: Jacques Le Roux
Build succeeded!
Sincerely,
-The Buildbot
buildbot success in on ofbizBranch18Framework
The Buildbot has detected a restored build on builder ofbizBranch18Framework while building ofbiz-framework.
Full details are available at: https://ci.apache.org/builders/ofbizBranch18Framework/builds/553
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf945_ubuntu
Build Reason: The AnyBranchScheduler scheduler named 'onBranch18FrameworkCommit' triggered this build
Build Source Stamp: [branch release18.12] c5aeab0fe9845026533e1fbf9a46ec8f9c3292d5
Blamelist: Jacques Le Roux
Build succeeded!
Sincerely,
-The Buildbot
buildbot success in on ofbizBranch17Framework
The Buildbot has detected a restored build on builder ofbizBranch17Framework while building ofbiz-framework.
Full details are available at: https://ci.apache.org/builders/ofbizBranch17Framework/builds/646
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf947_ubuntu
Build Reason: The AnyBranchScheduler scheduler named 'onBranch17FrameworkCommit' triggered this build
Build Source Stamp: [branch release17.12] c859c6f63664ddc12f1ea19355af52d4710ba385
Blamelist: Jacques Le Roux
Build succeeded!
Sincerely,
-The Buildbot
[ofbiz-framework] branch release18.12 updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new c5aeab0 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) c5aeab0 is described below commit c5aeab0fe9845026533e1fbf9a46ec8f9c3292d5 Author: Jacques Le Roux AuthorDate: Sun Oct 10 17:27:48 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) When I removed service-permission-tests, I forgot to remove associated load-data-service-permission-tests :/ --- framework/service/testdef/servicetests.xml | 3 --- 1 file changed, 3 deletions(-) diff --git a/framework/service/testdef/servicetests.xml b/framework/service/testdef/servicetests.xml index 29473eb..64b55b1 100644 --- a/framework/service/testdef/servicetests.xml +++ b/framework/service/testdef/servicetests.xml @@ -73,7 +73,4 @@ under the License. - - -
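Review bot: the three removed lines of framework/service/testdef/servicetests.xml render as empty in this hunk, so the change cannot be checked against the message (removal of load-data-service-permission-tests). Since this is the second follow-up to the same hand-resolved conflict, it would be worth searching the file for every remaining reference to service-permission-tests, including any paired load-data entry, and removing them in one commit rather than one entry per push.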
[ofbiz-framework] branch release17.12 updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new c859c6f Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) c859c6f is described below commit c859c6f63664ddc12f1ea19355af52d4710ba385 Author: Jacques Le Roux AuthorDate: Sun Oct 10 17:27:48 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) When I removed service-permission-tests, I forgot to remove associated load-data-service-permission-tests :/ --- framework/service/testdef/servicetests.xml | 3 --- 1 file changed, 3 deletions(-) diff --git a/framework/service/testdef/servicetests.xml b/framework/service/testdef/servicetests.xml index 29473eb..64b55b1 100644 --- a/framework/service/testdef/servicetests.xml +++ b/framework/service/testdef/servicetests.xml @@ -73,7 +73,4 @@ under the License. - - -
buildbot success in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a restored build on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework.
Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2254
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf945_ubuntu
Build Reason: downstream
Build Source Stamp: [branch trunk] 3dbcb70f78f9addd13331880748b872f20806ae2
Blamelist: Jacques Le Roux
Build succeeded!
Sincerely,
-The Buildbot
[ofbiz-framework] branch release18.12 updated: Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 92c4c5d Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) 92c4c5d is described below commit 92c4c5dbfe5e43776b737049824753c63c69cbe5 Author: Jacques Le Roux AuthorDate: Sun Oct 10 13:32:49 2021 +0200 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) Fixes a typo about filterConfiguration in CacheFilter.java --- .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index b2f0514..65931cf 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java @@ -79,7 +79,7 @@ public class CacheFilter implements Filter { * Does not return within a time period defined by the web container * * The default implementation is a NO-OP. - * @param filterConfig The configuration information associated with the filter instance being initialised + * @param filterConfiguration The configuration information associated with the filter instance being initialised * @throws ServletException if the initialisation fails */ public void init(FilterConfig filterConfiguration) throws ServletException {
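Review bot: the `@param filterConfiguration` rename now matches the signature `init(FilterConfig filterConfiguration)`, but the sentence kept from the javax.servlet.Filter interface docs, "The default implementation is a NO-OP", is wrong for this override, which stores the config through setFilterConfig (visible in the release17.12 CacheFilter hunk further down this page). Replace that sentence with a description of what this init actually does.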
[ofbiz-framework] branch release17.12 updated: Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new d960b2b Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) d960b2b is described below commit d960b2b0caf14b706271e516ea7eb39c4eb32551 Author: Jacques Le Roux AuthorDate: Sun Oct 10 13:32:49 2021 +0200 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) Fixes a typo about filterConfiguration in CacheFilter.java --- .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index b2f0514..65931cf 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java @@ -79,7 +79,7 @@ public class CacheFilter implements Filter { * Does not return within a time period defined by the web container * * The default implementation is a NO-OP. - * @param filterConfig The configuration information associated with the filter instance being initialised + * @param filterConfiguration The configuration information associated with the filter instance being initialised * @throws ServletException if the initialisation fails */ public void init(FilterConfig filterConfiguration) throws ServletException {
[ofbiz-framework] branch trunk updated: Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 351d752 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) 351d752 is described below commit 351d752690bf0f15b441d2dd468f8caf5cb202de Author: Jacques Le Roux AuthorDate: Sun Oct 10 13:32:49 2021 +0200 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) Fixes a typo about filterConfiguration in CacheFilter.java --- .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index b2f0514..65931cf 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java @@ -79,7 +79,7 @@ public class CacheFilter implements Filter { * Does not return within a time period defined by the web container * * The default implementation is a NO-OP. - * @param filterConfig The configuration information associated with the filter instance being initialised + * @param filterConfiguration The configuration information associated with the filter instance being initialised * @throws ServletException if the initialisation fails */ public void init(FilterConfig filterConfiguration) throws ServletException {
[ofbiz-framework] branch release18.12 updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new abb3fe3 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) abb3fe3 is described below commit abb3fe31c2a077624459679bae8ba822a9e4f1f2 Author: Jacques Le Roux AuthorDate: Sun Oct 10 13:24:23 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) Removes service-permission-tests accidentally added while handling conflicts by hand --- framework/service/testdef/servicetests.xml | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/framework/service/testdef/servicetests.xml b/framework/service/testdef/servicetests.xml index 3fb82fb..29473eb 100644 --- a/framework/service/testdef/servicetests.xml +++ b/framework/service/testdef/servicetests.xml @@ -66,7 +66,7 @@ under the License. - + @@ -76,7 +76,4 @@ under the License. - - -
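Review bot: both hunk bodies of servicetests.xml are stripped in this rendering (one insertion and four deletions around lines 66 and 76), so it is not possible to confirm here what replaced the test-suite entry at line 66 or which entries were dropped at line 76. Given the message says the entries were added by accident while resolving conflicts by hand, diff the resulting file against trunk's servicetests.xml before pushing to confirm the branches now agree.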
[ofbiz-framework] branch release17.12 updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new 1c93a26 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) 1c93a26 is described below commit 1c93a26ccc62bc41f2b062ec93fe8eead70d1e43 Author: Jacques Le Roux AuthorDate: Sun Oct 10 13:24:23 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) Removes service-permission-tests accidentally added while handling conflicts by hand --- framework/service/testdef/servicetests.xml | 5 + 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/framework/service/testdef/servicetests.xml b/framework/service/testdef/servicetests.xml index 3fb82fb..29473eb 100644 --- a/framework/service/testdef/servicetests.xml +++ b/framework/service/testdef/servicetests.xml @@ -66,7 +66,7 @@ under the License. - + @@ -76,7 +76,4 @@ under the License. - - -
buildbot exception in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a build exception on builder ofbizTrunkFrameworkPlugins while building .
Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/2252
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf945_ubuntu
Build Reason: forced: by IRC user (privmsg): forces manual build after supposed BuildBot error
Build Source Stamp: HEAD
Blamelist:
BUILD FAILED: exception javadoc upload test-results part 1
Sincerely,
-The Buildbot
buildbot success in on ofbizTrunkFramework
The Buildbot has detected a restored build on builder ofbizTrunkFramework while building ofbiz-framework.
Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/2347
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf947_ubuntu
Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build
Build Source Stamp: [branch trunk] 3dc7731689122d1bdacf72a6f0f6a7cbf3b00376
Blamelist: Jacques Le Roux
Build succeeded!
Sincerely,
-The Buildbot
buildbot exception in on ofbizBranch18FrameworkPlugins
The Buildbot has detected a build exception on builder ofbizBranch18FrameworkPlugins while building .
Full details are available at: https://ci.apache.org/builders/ofbizBranch18FrameworkPlugins/builds/598
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf945_ubuntu
Build Reason: forced: by IRC user (privmsg): forces manual build after supposed BuildBot error
Build Source Stamp: HEAD
Blamelist:
BUILD FAILED: exception shell_5 upload_4
Sincerely,
-The Buildbot
buildbot exception in on ofbizBranch17FrameworkPlugins
The Buildbot has detected a build exception on builder ofbizBranch17FrameworkPlugins while building .
Full details are available at: https://ci.apache.org/builders/ofbizBranch17FrameworkPlugins/builds/704
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: asf945_ubuntu
Build Reason: forced: by IRC user (privmsg): forces manual build after supposed BuildBot error
Build Source Stamp: HEAD
Blamelist:
BUILD FAILED: exception shell_5 upload_4
Sincerely,
-The Buildbot
[ofbiz-framework] branch release18.12 updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release18.12 by this push: new 6872e2a Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) 6872e2a is described below commit 6872e2a6954dd858ae08a850949c0d4882ced13c Author: Jacques Le Roux AuthorDate: Sun Oct 10 11:24:55 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) In previous commit, in CacheFilter::doFilter, I checked "xmlrpc" when it was actually "/control/xmlrpc" --- .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index de15e3f..b2f0514 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java @@ -57,7 +57,7 @@ public class CacheFilter implements Filter { String uriWithContext = ((HttpServletRequest) request).getRequestURI(); String uri = uriWithContext.substring(context.length()); -if ("xmlrpc".equals(uri.toLowerCase())) { +if ("/control/xmlrpc".equals(uri.toLowerCase())) { // Read request.getReader() as many time you need request = new RequestWrapper((HttpServletRequest) request); String body = request.getReader().lines().collect(Collectors.joining());
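Review bot: `"/control/xmlrpc".equals(uri.toLowerCase())` lower-cases with the JVM default locale, so on a server whose default locale is Turkish an upper-case `I` in the path becomes dotless `ı` and the comparison silently fails to recognise the request; use `uri.toLowerCase(Locale.ROOT)` or `"/control/xmlrpc".equalsIgnoreCase(uri)`. The exact-equality test also binds the body inspection to one spelling of the raw URI; if the same XML-RPC handler is reachable under another mapping, the check would not run for it, so tying the decision to the resolved request name rather than the raw path (or documenting why the raw path is sufficient) would make the intent clearer. A small note on the context lines: `request.getReader().lines().collect(Collectors.joining())` drops line terminators and buffers the whole body in memory, which is worth a comment so the behaviour is not changed by accident later.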
[ofbiz-framework] branch release17.12 updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/release17.12 by this push: new 006ce17 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) 006ce17 is described below commit 006ce17647f591fc90aa64a46856e5c1d2b9597a Author: Jacques Le Roux AuthorDate: Sun Oct 10 11:24:55 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) In previous commit, in CacheFilter::doFilter, I checked "xmlrpc" when it was actually "/control/xmlrpc" --- .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index de15e3f..b2f0514 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java @@ -57,7 +57,7 @@ public class CacheFilter implements Filter { String uriWithContext = ((HttpServletRequest) request).getRequestURI(); String uri = uriWithContext.substring(context.length()); -if ("xmlrpc".equals(uri.toLowerCase())) { +if ("/control/xmlrpc".equals(uri.toLowerCase())) { // Read request.getReader() as many time you need request = new RequestWrapper((HttpServletRequest) request); String body = request.getReader().lines().collect(Collectors.joining());
[ofbiz-framework] branch trunk updated: Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new 3dbcb70 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) 3dbcb70 is described below commit 3dbcb70f78f9addd13331880748b872f20806ae2 Author: Jacques Le Roux AuthorDate: Sun Oct 10 12:13:13 2021 +0200 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) Forgot the change in build.gradle --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index 9777a85..5eab219 100644 --- a/build.gradle +++ b/build.gradle @@ -336,7 +336,7 @@ checkstyle { // the sum of errors found last time it was changed after using the // ‘checkstyle’ tool present in the framework and in the official // plugins. -tasks.checkstyleMain.maxErrors = 115 +tasks.checkstyleMain.maxErrors = 54 // Currently there are still errors so we need to temporarily // hide them to avoid polluting the terminal output. showViolations = false
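Review bot: the comment above `tasks.checkstyleMain.maxErrors` describes the value as the number of errors found the last time it was changed, but the drop from 115 to 54 comes from raising the checkstyle ParameterNumber limit (per the OFBIZ-12335 commit message elsewhere on this page), not from fixing 61 findings. Extend the comment to say the count depends on the ParameterNumber max in config/checkstyle/checkstyle.xml, so that a later tightening of that file is not misread as a regression in build.gradle.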
[ofbiz-framework] branch trunk updated (a5bdcc6 -> 3dc7731)
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

from a5bdcc6 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
new 19d2932 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
new 3dc7731 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335)

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 config/checkstyle/checkstyle.xml | 2 +-
 .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
[ofbiz-framework] 01/02: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 19d29325910ee2c904b63a951437aa59f73f1d93 Author: Jacques Le Roux AuthorDate: Sun Oct 10 11:24:55 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) In previous commit, in CacheFilter::doFilter, I checked "xmlrpc" when it was actually "/control/xmlrpc" --- .../base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index de15e3f..b2f0514 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java @@ -57,7 +57,7 @@ public class CacheFilter implements Filter { String uriWithContext = ((HttpServletRequest) request).getRequestURI(); String uri = uriWithContext.substring(context.length()); -if ("xmlrpc".equals(uri.toLowerCase())) { +if ("/control/xmlrpc".equals(uri.toLowerCase())) { // Read request.getReader() as many time you need request = new RequestWrapper((HttpServletRequest) request); String body = request.getReader().lines().collect(Collectors.joining());
[ofbiz-framework] 02/02: Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 3dc7731689122d1bdacf72a6f0f6a7cbf3b00376 Author: Jacques Le Roux AuthorDate: Sun Oct 10 11:49:38 2021 +0200 Improved: Refactor methods signature to reduce the number of params they use (OFBIZ-12335) We currently have 115 checkstyle errors, most are related to methods using a too high number of params. Obviously nobody have currently time to work on this issue. This commit increases the max ParameterNumber to 26 to hide all current related errors. This reduces checkstyle errors to 54. It also allows to easier focus on other errors. It still possible to works on OFBIZ-12335 by temporary reverting this commit or replacing max ParameterNumber by the number wanted (was 10, is 7 by default) --- config/checkstyle/checkstyle.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/checkstyle/checkstyle.xml b/config/checkstyle/checkstyle.xml index 9bb4278..dbfa21a 100644 --- a/config/checkstyle/checkstyle.xml +++ b/config/checkstyle/checkstyle.xml @@ -74,7 +74,7 @@ under the License. - +
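Review bot: the changed line of config/checkstyle/checkstyle.xml is blank in this rendering, so the new ParameterNumber value (26 per the commit message; previously 10, checkstyle default 7) cannot be confirmed here. Since the relaxation is described as temporary, add an XML comment next to the property naming OFBIZ-12335 and the original value of 10, so the change is discoverable from the file itself and not only from this commit message.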
[ofbiz-framework] branch release17.12 updated (7db83d6 -> b6257b7)
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

from 7db83d6 Improved: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
new fb49563 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
new b6257b7 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../org/apache/ofbiz/base/util/CacheFilter.java | 115 +
 .../org/apache/ofbiz/base/util/RequestWrapper.java | 184 +
 framework/service/testdef/servicetests.xml | 7 +-
 .../apache/ofbiz/webapp/control/ContextFilter.java | 8 -
 framework/webtools/webapp/webtools/WEB-INF/web.xml | 9 +
 5 files changed, 311 insertions(+), 12 deletions(-)
 create mode 100644 framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
 create mode 100644 framework/base/src/main/java/org/apache/ofbiz/base/util/RequestWrapper.java
[ofbiz-framework] branch trunk updated: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git The following commit(s) were added to refs/heads/trunk by this push: new a5bdcc6 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) a5bdcc6 is described below commit a5bdcc6f9ea59d5d614f64832d5b6acec8e81e97 Author: Jacques Le Roux AuthorDate: Sat Oct 9 19:25:33 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) This definitely solves all issues by introducing a CacheFilter and RequestWrapper classes inspired by several works found on the Net. Also moves the change introduced before in ContextFilter to CacheFilter. The basic problem is that you only can use once ServletRequest::getInputStream or the ServletRequest::getReader Also not both, even once, ie they can be seen as same from this POV. The integration tests all pass. Also replace the checked String "" by "" Thanks: Jie Zhu for report --- .../org/apache/ofbiz/base/util/CacheFilter.java| 115 + .../org/apache/ofbiz/base/util/RequestWrapper.java | 184 + framework/service/testdef/servicetests.xml | 7 +- .../apache/ofbiz/webapp/control/ContextFilter.java | 8 - framework/webtools/webapp/webtools/WEB-INF/web.xml | 9 + 5 files changed, 311 insertions(+), 12 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java new file mode 100644 index 000..de15e3f --- /dev/null +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java 
@@ -0,0 +1,115 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.IOException; +import java.util.stream.Collectors; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; + +public class CacheFilter implements Filter { + +private FilterConfig filterConfig = null; + +/** + * The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to + * a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and + * response to the next entity in the chain. + * + * A typical implementation of this method would follow the following pattern:- + * 1. Examine the request + * 2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering + * 3. 
Optionally wrap the response object with a custom implementation to filter content or headers for output filtering + * 4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()), + * 4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing + * 5. Directly set headers on the response after invocation of the next entity in the filter chain. + * @param request The request to process + * @param response The response associated with the request + * @param chain Provides access to the next filter in the chain for this filter to pass the request and response to for further processing + * @throws IOException if an I/O error occurs during this filter's processing of the request + * @throws ServletException if the processing fails for any other reason + */ +public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { +// Get the request URI without the webapp mount point. +String context
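Review bot: the doFilter javadoc in the new CacheFilter.java is the generic text of the javax.servlet.Filter interface documentation and says nothing about what this filter does (wrap the request in RequestWrapper so the body can be read more than once and inspected before it reaches the XML-RPC handler, per the commit message). Replace it with a class-level javadoc stating that purpose and referencing OFBIZ-12332, and mark doFilter, init and destroy with @Override so the compiler catches signature drift. The listing is cut off at `String context`, so the rest of the method could not be reviewed here.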
[ofbiz-framework] branch release18.12 updated (02a544a -> a1a24bd)
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a change to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git.

from 02a544a Improved: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
new 25293e4 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
new a1a24bd Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .../org/apache/ofbiz/base/util/CacheFilter.java | 115 +
 .../org/apache/ofbiz/base/util/RequestWrapper.java | 184 +
 framework/service/testdef/servicetests.xml | 7 +-
 .../apache/ofbiz/webapp/control/ContextFilter.java | 8 -
 framework/webtools/webapp/webtools/WEB-INF/web.xml | 9 +
 5 files changed, 311 insertions(+), 12 deletions(-)
 create mode 100644 framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
 create mode 100644 framework/base/src/main/java/org/apache/ofbiz/base/util/RequestWrapper.java
[ofbiz-framework] 02/02: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit b6257b720ba276306c6f7a96aa324fa5ce383391 Author: Jacques Le Roux AuthorDate: Sat Oct 9 19:25:33 2021 +0200 Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332) This definitely solves all issues by introducing a CacheFilter and RequestWrapper classes inspired by several works found on the Net. Also moves the change introduced before in ContextFilter to CacheFilter. The basic problem is that you only can use once ServletRequest::getInputStream or the ServletRequest::getReader Also not both, even once, ie they can be seen as same from this POV. The integration tests all pass. Also replace the checked String "" by "" Thanks: Jie Zhu for report # Conflicts handled by hand CacheFilter.java RequestWrapper.java --- .../org/apache/ofbiz/base/util/CacheFilter.java| 58 +++--- .../org/apache/ofbiz/base/util/RequestWrapper.java | 32 2 files changed, 74 insertions(+), 16 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index 95f87f0..de15e3f 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java 
@@ -33,21 +33,67 @@ public class CacheFilter implements Filter { private FilterConfig filterConfig = null; +/** + * The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to + * a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and + * response to the next entity in the chain. + * + * A typical implementation of this method would follow the following pattern:- + * 1. Examine the request + * 2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering + * 3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering + * 4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()), + * 4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing + * 5. Directly set headers on the response after invocation of the next entity in the filter chain. 
+ * @param request The request to process + * @param response The response associated with the request + * @param chain Provides access to the next filter in the chain for this filter to pass the request and response to for further processing + * @throws IOException if an I/O error occurs during this filter's processing of the request + * @throws ServletException if the processing fails for any other reason + */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { -// Read request.getBody() as many time you need -request = new RequestWrapper((HttpServletRequest) request); -String body = request.getReader().lines().collect(Collectors.joining()); -if (body.contains(" + * The web container cannot place the filter into service if the init method either: + * + * Throws a ServletException + * Does not return within a time period defined by the web container + * + * The default implementation is a NO-OP. + * @param filterConfig The configuration information associated with the filter instance being initialised + * @throws ServletException if the initialisation fails + */ public void init(FilterConfig filterConfiguration) throws ServletException { setFilterConfig(filterConfiguration); } +/** + * Called by the web container to indicate to a filter that it is being taken out of service. This method is only called once all threads within + * the filter's doFilter method have exited or after a timeout period has passed. After the web container calls this method, it will not call the + * doFilter method again on this instance of the filter. + * + * This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make + * sure that any persistent state is synchronized with the filter's current state in memory. The default implementation is a NO-OP. + */ public void destroy() { setFilterConfig(null); } diff --git
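Review bot: the Javadoc added above init() declares `@param filterConfig`, but the signature that follows is `public void init(FilterConfig filterConfiguration)`; rename the parameter (or the tag) so they agree, otherwise javadoc and checkstyle flag the mismatch. The replacement for the removed lines `-String body = request.getReader().lines().collect(Collectors.joining());` and `-if (body.contains("` is cut from this excerpt, so that logic cannot be reviewed here; whatever now reads the body before `chain.doFilter` should cap the number of bytes it buffers, since the removed version read the whole body with no limit. The dangling `diff --git` at the end of the hunk is the start of the RequestWrapper.java diff, which is missing from the excerpt as well.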
[ofbiz-framework] 01/02: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release17.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit fb495637441cfe331943d34ce2d0943bc8c30552
Author: Jacques Le Roux
AuthorDate: Sat Oct 9 19:25:33 2021 +0200

    Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

    This definitely solves all issues by introducing CacheFilter and RequestWrapper classes inspired by several works found on the Net. Also moves the change introduced before in ContextFilter to CacheFilter.

    The basic problem is that you can only use ServletRequest::getInputStream or ServletRequest::getReader once. Also not both, even once, i.e. they can be seen as the same from this POV.

    The integration tests all pass.

    Also replace the checked String "" by ""

    Thanks: Jie Zhu for report

    Conflicts:
        ContextFilter.java handled by hand

--- .../org/apache/ofbiz/base/util/CacheFilter.java| 69 + .../org/apache/ofbiz/base/util/RequestWrapper.java | 172 + framework/service/testdef/servicetests.xml | 7 +- .../apache/ofbiz/webapp/control/ContextFilter.java | 8 - framework/webtools/webapp/webtools/WEB-INF/web.xml | 9 ++ 5 files changed, 253 insertions(+), 12 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java new file mode 100644 index 000..95f87f0 --- /dev/null +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
@@ -0,0 +1,69 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.IOException; +import java.util.stream.Collectors; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; + +public class CacheFilter implements Filter { + +private FilterConfig filterConfig = null; + +public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { +// Read request.getBody() as many time you need +request = new RequestWrapper((HttpServletRequest) request); +String body = request.getReader().lines().collect(Collectors.joining()); +if (body.contains("http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. 
See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.BufferedReader; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.ReadListener; +import javax.servlet.ServletInputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; + +public class RequestWrapper extends HttpServletRequestWrapper { + +private static final int INITIAL_BUFFER_SIZE = 1024; +private HttpServletRequest origRequest; +private byte[] reqBytes; +private boolean firstTime = true; +private Map parameterMap = null; + +public RequestWrapper(HttpServletRequest arg0) { +super(arg0); +origRequest = arg0; +} + +public BufferedReader getReader() throws IOException { + +getBytes(); + +
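Review bot: in CacheFilter.doFilter, `String body = request.getReader().lines().collect(Collectors.joining());` buffers the entire body of every request as a String, with no upper bound, before the chain runs; compare `getContentLengthLong()` against a ceiling and have RequestWrapper stop reading past it, answering 413 rather than allocating. The cast `(HttpServletRequest) request` on the line above is unchecked; guard it with `instanceof` (or hand non-HTTP requests straight to `chain.doFilter`). The comment `// Read request.getBody() as many time you need` names a method ServletRequest does not have; it should say getReader()/getInputStream(). The argument to `body.contains(` is missing from this excerpt, so the check itself is not reviewable here.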
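Review bot: in RequestWrapper, `private Map parameterMap = null;` is a raw type; declare it `Map<String, String[]>` so it matches `ServletRequest.getParameterMap()` and the compiler checks what is put into it. `origRequest` holds the same object `HttpServletRequestWrapper.getRequest()` already returns, so the extra field (and the `arg0` parameter name) can go in favour of `getRequest()` and a descriptive name. `getReader()` starts by calling `getBytes()`, whose body, and the rest of this file, are cut from the excerpt; since `reqBytes` is a full copy of the body, `getBytes()` is where a maximum size has to be enforced, and it must be safe to call from both getReader() and getInputStream() (the `firstTime` flag suggests that is the intent; a class-level Javadoc stating it would help).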
[ofbiz-framework] 01/02: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit 25293e4cf6f334a2ae33b3041acba45113dddce9
Author: Jacques Le Roux
AuthorDate: Sat Oct 9 19:25:33 2021 +0200

    Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

    This definitely solves all issues by introducing CacheFilter and RequestWrapper classes inspired by several works found on the Net. Also moves the change introduced before in ContextFilter to CacheFilter.

    The basic problem is that you can only use ServletRequest::getInputStream or ServletRequest::getReader once. Also not both, even once, i.e. they can be seen as the same from this POV.

    The integration tests all pass.

    Also replace the checked String "" by ""

    Thanks: Jie Zhu for report

    Conflicts:
        ContextFilter.java handled by hand

--- .../org/apache/ofbiz/base/util/CacheFilter.java| 69 + .../org/apache/ofbiz/base/util/RequestWrapper.java | 172 + framework/service/testdef/servicetests.xml | 7 +- .../apache/ofbiz/webapp/control/ContextFilter.java | 8 - framework/webtools/webapp/webtools/WEB-INF/web.xml | 9 ++ 5 files changed, 253 insertions(+), 12 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java new file mode 100644 index 000..95f87f0 --- /dev/null +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
@@ -0,0 +1,69 @@ +/*** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.IOException; +import java.util.stream.Collectors; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletRequest; + +public class CacheFilter implements Filter { + +private FilterConfig filterConfig = null; + +public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { +// Read request.getBody() as many time you need +request = new RequestWrapper((HttpServletRequest) request); +String body = request.getReader().lines().collect(Collectors.joining()); +if (body.contains("http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. 
See the License for the + * specific language governing permissions and limitations + * under the License. + ***/ +package org.apache.ofbiz.base.util; + +import java.io.BufferedReader; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.io.InputStreamReader; +import java.util.Collections; +import java.util.Enumeration; +import java.util.HashMap; +import java.util.Map; + +import javax.servlet.ReadListener; +import javax.servlet.ServletInputStream; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletRequestWrapper; + +public class RequestWrapper extends HttpServletRequestWrapper { + +private static final int INITIAL_BUFFER_SIZE = 1024; +private HttpServletRequest origRequest; +private byte[] reqBytes; +private boolean firstTime = true; +private Map parameterMap = null; + +public RequestWrapper(HttpServletRequest arg0) { +super(arg0); +origRequest = arg0; +} + +public BufferedReader getReader() throws IOException { + +getBytes(); + +
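Review bot: the diffstat maps CacheFilter only in framework/webtools/webapp/webtools/WEB-INF/web.xml, yet the class is placed in framework/base as a general utility; confirm that every webapp which can reach the code path this filter guards has a matching filter-mapping, otherwise only webtools gets the body check. Within doFilter, the `contains` test runs on the String returned by getReader(), that is, the body decoded with the request's declared character encoding (or the container default when none is given); a consumer further down the chain that reads getInputStream() and decodes differently can see bytes the check did not, so compare on the same decoding the consumer uses, or on the raw bytes.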
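Review bot: in RequestWrapper, `reqBytes`, `firstTime` and `parameterMap` are all mutable and populated lazily (the `firstTime` flag shows the first getReader()/getInputStream() call is what drains the underlying stream); if the wrapper is ever handed to an async context or another thread, that lazy population is a race, so either fill `reqBytes` in the constructor and make it `final`, or document that the wrapper is single-thread only. The imports of `java.util.Collections`, `java.util.Enumeration` and `java.util.HashMap` indicate getParameterMap()/getParameterNames() are reimplemented further down (cut from this excerpt); that reimplementation has to parse the cached body for application/x-www-form-urlencoded requests, because reading the stream in the filter stops the container from populating form parameters itself.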
[ofbiz-framework] 02/02: Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)
This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12 in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git

commit a1a24bd9100ccd16732a92eed61e4f7c05d90ca7
Author: Jacques Le Roux
AuthorDate: Sat Oct 9 19:25:33 2021 +0200

    Fixed: post-auth Remote Code Execution Vulnerability (OFBIZ-12332)

    This definitely solves all issues by introducing CacheFilter and RequestWrapper classes inspired by several works found on the Net. Also moves the change introduced before in ContextFilter to CacheFilter.

    The basic problem is that you can only use ServletRequest::getInputStream or ServletRequest::getReader once. Also not both, even once, i.e. they can be seen as the same from this POV.

    The integration tests all pass.

    Also replace the checked String "" by ""

    Thanks: Jie Zhu for report

    # Conflicts handled by hand
    CacheFilter.java
    RequestWrapper.java

--- .../org/apache/ofbiz/base/util/CacheFilter.java| 58 +++--- .../org/apache/ofbiz/base/util/RequestWrapper.java | 32 2 files changed, 74 insertions(+), 16 deletions(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java index 95f87f0..de15e3f 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/CacheFilter.java
@@ -33,21 +33,67 @@ public class CacheFilter implements Filter { private FilterConfig filterConfig = null; +/** + * The doFilter method of the Filter is called by the container each time a request/response pair is passed through the chain due to + * a client request for a resource at the end of the chain. The FilterChain passed in to this method allows the Filter to pass on the request and + * response to the next entity in the chain. + * + * A typical implementation of this method would follow the following pattern:- + * 1. Examine the request + * 2. Optionally wrap the request object with a custom implementation to filter content or headers for input filtering + * 3. Optionally wrap the response object with a custom implementation to filter content or headers for output filtering + * 4. a) Either invoke the next entity in the chain using the FilterChain object (chain.doFilter()), + * 4. b) or not pass on the request/response pair to the next entity in the filter chain to block the request processing + * 5. Directly set headers on the response after invocation of the next entity in the filter chain. 
+ * @param request The request to process + * @param response The response associated with the request + * @param chain Provides access to the next filter in the chain for this filter to pass the request and response to for further processing + * @throws IOException if an I/O error occurs during this filter's processing of the request + * @throws ServletException if the processing fails for any other reason + */ public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { -// Read request.getBody() as many time you need -request = new RequestWrapper((HttpServletRequest) request); -String body = request.getReader().lines().collect(Collectors.joining()); -if (body.contains(" + * The web container cannot place the filter into service if the init method either: + * + * Throws a ServletException + * Does not return within a time period defined by the web container + * + * The default implementation is a NO-OP. + * @param filterConfig The configuration information associated with the filter instance being initialised + * @throws ServletException if the initialisation fails + */ public void init(FilterConfig filterConfiguration) throws ServletException { setFilterConfig(filterConfiguration); } +/** + * Called by the web container to indicate to a filter that it is being taken out of service. This method is only called once all threads within + * the filter's doFilter method have exited or after a timeout period has passed. After the web container calls this method, it will not call the + * doFilter method again on this instance of the filter. + * + * This method gives the filter an opportunity to clean up any resources that are being held (for example, memory, file handles, threads) and make + * sure that any persistent state is synchronized with the filter's current state in memory. The default implementation is a NO-OP. + */ public void destroy() { setFilterConfig(null); } diff --git
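Review bot: the Javadoc added to init() and destroy() says "The default implementation is a NO-OP", which is the wording of the javax.servlet.Filter interface's default methods and is untrue here, since both methods call setFilterConfig(); drop that sentence or describe what the methods actually do. None of doFilter(), init() or destroy() carries `@Override` in the context shown, which would catch signature drift against the interface. The doFilter Javadoc is likewise the Servlet API description of the general contract rather than of this filter; one line saying that this filter wraps the request in RequestWrapper so the body survives a first read would document the real behaviour, which the removed lines show and the replacement (cut from this excerpt) presumably keeps.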
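The commit messages above all state the constraint behind this fix: a servlet request body can be consumed once, through either getInputStream() or getReader(), so a filter that wants to inspect the body has to buffer it and pass a re-readable request down the chain, which is what CacheFilter plus RequestWrapper do. What follows is an added illustration of that pattern written for this page; it is not OFBiz code and not the code from these commits. CachedBodyRequest, BodyInspectingFilter, MAX_BODY and BLOCKED_MARKER are names chosen here, the marker string is a placeholder because the excerpt does not show the string the real filter checks, the body is read eagerly in the constructor rather than lazily as the page's RequestWrapper appears to do, and the javax.servlet 3.1+ API is assumed to be on the classpath.

```java
// Added example for this page, not OFBiz code. Assumes the javax.servlet 3.1+ API on the classpath.
import java.io.BufferedReader;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ReadListener;
import javax.servlet.ServletException;
import javax.servlet.ServletInputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Reads the original body exactly once, bounded, and serves that copy on every later read. */
public class CachedBodyRequest extends HttpServletRequestWrapper {
    /** Thrown when the body exceeds the caller's limit, so the filter can answer 413 instead of 500. */
    public static final class BodyTooLarge extends IOException { }

    private final byte[] body;

    public CachedBodyRequest(HttpServletRequest request, int maxBytes) throws IOException {
        super(request);
        if (request.getContentLengthLong() > maxBytes) {
            throw new BodyTooLarge();                     // declared length already over the limit
        }
        try (InputStream in = request.getInputStream()) { // the single read of the underlying stream
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            byte[] chunk = new byte[8192];
            int n;
            while ((n = in.read(chunk)) != -1) {
                if (buf.size() + n > maxBytes) {
                    throw new BodyTooLarge();             // also bounds chunked bodies with no Content-Length
                }
                buf.write(chunk, 0, n);
            }
            body = buf.toByteArray();
        }
    }

    /** Charset the container would use for getReader(): the request's, else ISO-8859-1 per the servlet spec. */
    public Charset charset() {
        String enc = getCharacterEncoding();
        return enc == null ? StandardCharsets.ISO_8859_1 : Charset.forName(enc);
    }

    public String bodyAsString() {
        return new String(body, charset());
    }

    @Override
    public ServletInputStream getInputStream() {
        ByteArrayInputStream in = new ByteArrayInputStream(body); // fresh view per call, so reads repeat
        return new ServletInputStream() {
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException("blocking reads only"); }
            @Override public int read() { return in.read(); }
        };
    }

    @Override
    public BufferedReader getReader() {
        return new BufferedReader(new InputStreamReader(getInputStream(), charset()));
    }
}

/** Inspects the body once in a filter, then forwards the cached request so the servlet can read it again. */
class BodyInspectingFilter implements Filter {
    private static final int MAX_BODY = 1 << 20;                     // assumed limit: 1 MiB
    private static final String BLOCKED_MARKER = "<blocked-marker>"; // placeholder; the real string is not in the excerpt

    @Override public void init(FilterConfig config) throws ServletException { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        if (!(req instanceof HttpServletRequest) || !(res instanceof HttpServletResponse)) {
            chain.doFilter(req, res);                                // not HTTP: nothing to inspect
            return;
        }
        HttpServletResponse http = (HttpServletResponse) res;
        CachedBodyRequest cached;
        try {
            cached = new CachedBodyRequest((HttpServletRequest) req, MAX_BODY);
        } catch (CachedBodyRequest.BodyTooLarge e) {
            http.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        if (cached.bodyAsString().contains(BLOCKED_MARKER)) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN);        // request never reaches the servlet
            return;
        }
        chain.doFilter(cached, res); // downstream getReader()/getInputStream() now work any number of times
    }
}
```

The filter is wired up like any other, with a filter and filter-mapping pair in the webapp's web.xml, which is what the diffstat shows this commit doing for webtools. Two caveats the page's RequestWrapper also has to deal with: reading the stream in the filter stops the container from populating form parameters for application/x-www-form-urlencoded requests, so a complete wrapper re-derives getParameter* from the cached bytes (presumably what its parameterMap field is for); and a String-based check sees the body through one character encoding, so the downstream consumer should decode the same way or the check should run on the raw bytes.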