[jira] [Assigned] (OFBIZ-10960) UI fix on Party Manager screen
[ https://issues.apache.org/jira/browse/OFBIZ-10960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sourabh Punyani reassigned OFBIZ-10960:
---

Assignee: (was: Sourabh Punyani)

> UI fix on Party Manager screen
> --
>
> Key: OFBIZ-10960
> URL: https://issues.apache.org/jira/browse/OFBIZ-10960
> Project: OFBiz
> Issue Type: Improvement
> Components: party
> Reporter: Sourabh Punyani
> Priority: Trivial
> Attachments: Image1.png
>
> Separators should not be there before the first menu item on Find Party.
> https://demo-trunk.ofbiz.apache.org/partymgr/control/main?externalLoginKey=EL0b278ddf-49af-43f8-adec-cc3c81d75bee
> Please refer to attachment Image1.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (OFBIZ-11059) Runtime error exceptions at Leads page
[ https://issues.apache.org/jira/browse/OFBIZ-11059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16848044#comment-16848044 ]

Sanjay Yadav commented on OFBIZ-11059:
--

Similar issue occurring for FindContact page as well.
SFA > Contacts > Click My Contacts button

> Runtime error exceptions at Leads page
> --
>
> Key: OFBIZ-11059
> URL: https://issues.apache.org/jira/browse/OFBIZ-11059
> Project: OFBiz
> Issue Type: Bug
> Environment: https://demo-trunk.ofbiz.apache.org/sfa/control/FindLeads?all=false
> Reporter: Sanjay Yadav
> Priority: Major
> Attachments: LeadPageRuntimeException.png
>
> Steps to recreate issue -
> # Login to [https://demo-trunk.ofbiz.apache.org/ordermgr/control/main]
> # Application > SFA
> # SFA > Lead Manager
> # Leads > Click on All Leads button
> Actual - Application throws Runtime error exception in My Leads section. Please refer to the attached snapshot.
> Expected - Proper result should display.
[jira] [Assigned] (OFBIZ-10891) Send me this every month link is not working in order items section.
[ https://issues.apache.org/jira/browse/OFBIZ-10891?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

vivek singh bisen reassigned OFBIZ-10891:
-

Assignee: vivek singh bisen

> Send me this every month link is not working in order items section.
>
> Key: OFBIZ-10891
> URL: https://issues.apache.org/jira/browse/OFBIZ-10891
> Project: OFBiz
> Issue Type: Bug
> Affects Versions: Trunk
> Reporter: Ashish Sharma
> Assignee: vivek singh bisen
> Priority: Minor
> Attachments: OFBIZ-10891.png
>
> *Steps to Reproduce*
> 1. Login with valid username and password.
> 2. Navigate to ecommerce.
> 3. Place an order.
> 4. Navigate to order history and click on view link.
> 5. Click on link "send me this every month" in order items section.
> *Actual Result:* Error message is displayed.
> *Screen print attached*
[jira] [Updated] (OFBIZ-11059) Runtime error exceptions at Leads page
[ https://issues.apache.org/jira/browse/OFBIZ-11059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sanjay Yadav updated OFBIZ-11059:
-

Description:
Steps to recreate issue -
# Login to [https://demo-trunk.ofbiz.apache.org/ordermgr/control/main]
# Application > SFA
# SFA > Lead Manager
# Leads > Click on All Leads button
Actual - Application throws Runtime error exception in My Leads section. Please refer to the attached snapshot.
Expected - Proper result should display.

was:
Steps to recreate issue -
# Login to [https://demo-trunk.ofbiz.apache.org/ordermgr/control/main]
# Application > SFA
# SFA > Lead Manager
# Leads > Click on All Leads
Actual - Application throws Runtime error exception in My Leads section. Please refer to the attached snapshot.
Expected - Proper result should display.

> Runtime error exceptions at Leads page
> --
>
> Key: OFBIZ-11059
> URL: https://issues.apache.org/jira/browse/OFBIZ-11059
> Project: OFBiz
> Issue Type: Bug
> Environment: https://demo-trunk.ofbiz.apache.org/sfa/control/FindLeads?all=false
> Reporter: Sanjay Yadav
> Priority: Major
> Attachments: LeadPageRuntimeException.png
>
> Steps to recreate issue -
> # Login to [https://demo-trunk.ofbiz.apache.org/ordermgr/control/main]
> # Application > SFA
> # SFA > Lead Manager
> # Leads > Click on All Leads button
> Actual - Application throws Runtime error exception in My Leads section. Please refer to the attached snapshot.
> Expected - Proper result should display.
[jira] [Updated] (OFBIZ-11059) Runtime error exceptions at Leads page
[ https://issues.apache.org/jira/browse/OFBIZ-11059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sanjay Yadav updated OFBIZ-11059:
-

Attachment: LeadPageRuntimeException.png

> Runtime error exceptions at Leads page
> --
>
> Key: OFBIZ-11059
> URL: https://issues.apache.org/jira/browse/OFBIZ-11059
> Project: OFBiz
> Issue Type: Bug
> Environment: https://demo-trunk.ofbiz.apache.org/sfa/control/FindLeads?all=false
> Reporter: Sanjay Yadav
> Priority: Major
> Attachments: LeadPageRuntimeException.png
>
> Steps to recreate issue -
> # Login to [https://demo-trunk.ofbiz.apache.org/ordermgr/control/main]
> # Application > SFA
> # SFA > Lead Manager
> # Leads > Click on All Leads
> Actual - Application throws Runtime error exception in My Leads section. Please refer to the attached snapshot.
> Expected - Proper result should display.
[jira] [Created] (OFBIZ-11059) Runtime error exceptions at Leads page
Sanjay Yadav created OFBIZ-11059:

Summary: Runtime error exceptions at Leads page
Key: OFBIZ-11059
URL: https://issues.apache.org/jira/browse/OFBIZ-11059
Project: OFBiz
Issue Type: Bug
Environment: https://demo-trunk.ofbiz.apache.org/sfa/control/FindLeads?all=false
Reporter: Sanjay Yadav

Steps to recreate issue -
# Login to [https://demo-trunk.ofbiz.apache.org/ordermgr/control/main]
# Application > SFA
# SFA > Lead Manager
# Leads > Click on All Leads
Actual - Application throws Runtime error exception in My Leads section. Please refer to the attached snapshot.
Expected - Proper result should display.
[jira] [Created] (OFBIZ-11058) Issue in creating promotion action
Lalit Dashora created OFBIZ-11058:
-

Summary: Issue in creating promotion action
Key: OFBIZ-11058
URL: https://issues.apache.org/jira/browse/OFBIZ-11058
Project: OFBiz
Issue Type: Bug
Reporter: Lalit Dashora

1. Navigate to the https://demo-trunk.ofbiz.apache.org/catalog/control/FindProductPromo promotion screen.
2. Click on Add new promotion by clicking on the New product promo button.
3. Add a promotion rule and further select 'Order Amount Flat' from the actions menu. Also set an amount, e.g. 500.
4. Click on the create action button.
5. System is not creating the promotion action.
[jira] [Assigned] (OFBIZ-8939) Unit test case for service - CheckCreateStockRequirementQoh
[ https://issues.apache.org/jira/browse/OFBIZ-8939?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Anushi Gupta reassigned OFBIZ-8939:
---

Assignee: Anushi Gupta

> Unit test case for service - CheckCreateStockRequirementQoh
> ---
>
> Key: OFBIZ-8939
> URL: https://issues.apache.org/jira/browse/OFBIZ-8939
> Project: OFBiz
> Issue Type: Sub-task
> Components: order
> Affects Versions: Trunk
> Reporter: Avnindra Sharma
> Assignee: Anushi Gupta
> Priority: Minor
> Attachments: OFBIZ-8939.patch
>
> Unit test case for service - CheckCreateStockRequirementQoh
[jira] [Commented] (OFBIZ-11035) Add timezone support to recurring job temporal expressions
[ https://issues.apache.org/jira/browse/OFBIZ-11035?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16848038#comment-16848038 ]

Pawan Verma commented on OFBIZ-11035:
-

Added a new field to JobSandbox "recurrenceTimeZone" and used the same field while creating the calendar inside the PersistedServiceJob.init() method.
Attached patch for the improvement.
Thanks!

> Add timezone support to recurring job temporal expressions
> --
>
> Key: OFBIZ-11035
> URL: https://issues.apache.org/jira/browse/OFBIZ-11035
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Pawan Verma
> Assignee: Pawan Verma
> Priority: Major
> Attachments: OFBIZ-11035.patch
>
> Link of the discussion: [https://markmail.org/message/jsjqmjypaihbbldn]
> *As per Scott:*
> Trying to decide on the best way to define a *temporal* *expression* for a recurring job where the *temporal* *expression* should be evaluated using a *timezone* other than whatever the default *timezone* is for the system.
> The use case is having a system that runs on UTC time but needs to send a report at 5 pm Pacific Time every day regardless of whether or not daylight savings is in effect.
> Two options:
> # Add a field to *JobSandbox* such as recurrenceTimeZone (or better name!)
> # Use whatever *timezone* is available in the RunTime data service context
> Based on the discussion on Dev Mailing list #1 will be used to implement this feature.
[jira] [Updated] (OFBIZ-11035) Add timezone support to recurring job temporal expressions
[ https://issues.apache.org/jira/browse/OFBIZ-11035?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pawan Verma updated OFBIZ-11035:

Attachment: OFBIZ-11035.patch

> Add timezone support to recurring job temporal expressions
> --
>
> Key: OFBIZ-11035
> URL: https://issues.apache.org/jira/browse/OFBIZ-11035
> Project: OFBiz
> Issue Type: Improvement
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Pawan Verma
> Assignee: Pawan Verma
> Priority: Major
> Attachments: OFBIZ-11035.patch
>
> Link of the discussion: [https://markmail.org/message/jsjqmjypaihbbldn]
> *As per Scott:*
> Trying to decide on the best way to define a *temporal* *expression* for a recurring job where the *temporal* *expression* should be evaluated using a *timezone* other than whatever the default *timezone* is for the system.
> The use case is having a system that runs on UTC time but needs to send a report at 5 pm Pacific Time every day regardless of whether or not daylight savings is in effect.
> Two options:
> # Add a field to *JobSandbox* such as recurrenceTimeZone (or better name!)
> # Use whatever *timezone* is available in the RunTime data service context
> Based on the discussion on Dev Mailing list #1 will be used to implement this feature.
[jira] [Assigned] (OFBIZ-10705) Replace DateFormat and Simple DateFormat by FastDateFormat
[ https://issues.apache.org/jira/browse/OFBIZ-10705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kumar Rahul reassigned OFBIZ-10705:
---

Assignee: (was: Kumar Rahul)

> Replace DateFormat and Simple DateFormat by FastDateFormat
> ---
>
> Key: OFBIZ-10705
> URL: https://issues.apache.org/jira/browse/OFBIZ-10705
> Project: OFBiz
> Issue Type: Improvement
> Components: ALL COMPONENTS
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Priority: Minor
>
> This is a performance improvement and was suggested by [Adrian 6 years ago|https://markmail.org/message/zbuaef7aaueij5w2]
[jira] [Assigned] (OFBIZ-10379) Exception handling for Add a new Party Role at createInvoiceRole
[ https://issues.apache.org/jira/browse/OFBIZ-10379?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prakhar Kumar reassigned OFBIZ-10379:
-

Assignee: (was: Prakhar Kumar)

> Exception handling for Add a new Party Role at createInvoiceRole
>
> Key: OFBIZ-10379
> URL: https://issues.apache.org/jira/browse/OFBIZ-10379
> Project: OFBiz
> Issue Type: Bug
> Environment: https://demo-trunk.ofbiz.apache.org/ap/control/createInvoiceRole
> Reporter: Aayush jain
> Priority: Minor
> Attachments: Error.png, OFBIZ-10379.patch
>
> Steps:
> 1. Open URL https://demo-trunk.ofbiz.apache.org/ap/control/createInvoiceRole
> 2. Add a party Id which is not assigned as a role for accounts
> 3. Enter Percentage
> 4. Click on submit button
> Actual Result:
> Throwing an exception error for the invalid case. Kindly refer to the attachment for the same.
> Expected Result:
> We must handle exceptions with a proper error message. I don't think this is working fine; it should be corrected with a proper message.
[jira] [Assigned] (OFBIZ-10013) Screen Rendering issue on Payment Overview screen
[ https://issues.apache.org/jira/browse/OFBIZ-10013?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prakhar Kumar reassigned OFBIZ-10013:
-

Assignee: (was: Prakhar Kumar)

> Screen Rendering issue on Payment Overview screen
> -
>
> Key: OFBIZ-10013
> URL: https://issues.apache.org/jira/browse/OFBIZ-10013
> Project: OFBiz
> Issue Type: Bug
> Components: accounting
> Affects Versions: Trunk, Release Branch 16.11
> Reporter: Pritam Kute
> Priority: Major
>
> Steps to regenerate are -
> 1. Go to https://demo-trunk.ofbiz.apache.org/accounting/control/main
> 2. Click on "show all payment" payments.
> 3. Select any payment of type "Customer Payment" and click on it to go to overview screen
> 4. On overview screen click on the button "Acctg Trans Entries PDF"
> Result:
> Actual: The broken screen
> Should be the PDF with account transaction entries.
[jira] [Closed] (OFBIZ-10978) Unable to find any product in Quick Add functionality
[ https://issues.apache.org/jira/browse/OFBIZ-10978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Suraj Khurana closed OFBIZ-10978.
-

Thanks Vivek Bisen for providing the patch, Pawan Verma and Jacques Le Roux for review.
Thanks Padmavati Rawat for reporting the issue.

> Unable to find any product in Quick Add functionality
> -
>
> Key: OFBIZ-10978
> URL: https://issues.apache.org/jira/browse/OFBIZ-10978
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Padmavati Rawat
> Assignee: Suraj Khurana
> Priority: Major
> Fix For: 17.12.01, 18.12.01
> Attachments: OFBIZ-10978.patch, Quikadd.png
>
> Steps:
> 1. Visit the e-commerce page of the trunk.
> 2. Open Quick Add menu from navbar section.
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/quickadd
> 3. Check the Product list on the screen.
> Actual:
> Quick Add screen renders an error "Error: Product not found" on the screen. Not able to find any option to Quick Add.
> Please refer to the screenshot:
[jira] [Assigned] (OFBIZ-10769) ecommerce breadcrumb fails
[ https://issues.apache.org/jira/browse/OFBIZ-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prakhar Kumar reassigned OFBIZ-10769:
-

Assignee: Prakhar Kumar

> ecommerce breadcrumb fails
> --
>
> Key: OFBIZ-10769
> URL: https://issues.apache.org/jira/browse/OFBIZ-10769
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk
> Reporter: Sebastian Wachinger
> Assignee: Prakhar Kumar
> Priority: Minor
> Attachments: Tiny_Chrome_Widget_OFBiz_E_Commerce_Store.png
>
> In the 16.11 front end webstore demo the breadcrumbs feature on a product page is working,
> {{Main > Widgets > Small Widgets > Tiny Chrome Widget}}
> in the trunk demo it is broken
> {{Main > > Tiny Chrome Widget}}
> Possibly related to OFBiz-9234, but now broken again.
[jira] [Assigned] (OFBIZ-10769) ecommerce breadcrumb fails
[ https://issues.apache.org/jira/browse/OFBIZ-10769?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Prakhar Kumar reassigned OFBIZ-10769:
-

Assignee: (was: Prakhar Kumar)

> ecommerce breadcrumb fails
> --
>
> Key: OFBIZ-10769
> URL: https://issues.apache.org/jira/browse/OFBIZ-10769
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk
> Reporter: Sebastian Wachinger
> Priority: Minor
> Attachments: Tiny_Chrome_Widget_OFBiz_E_Commerce_Store.png
>
> In the 16.11 front end webstore demo the breadcrumbs feature on a product page is working,
> {{Main > Widgets > Small Widgets > Tiny Chrome Widget}}
> in the trunk demo it is broken
> {{Main > > Tiny Chrome Widget}}
> Possibly related to OFBiz-9234, but now broken again.
[jira] [Assigned] (OFBIZ-10636) Convert Picklist related CRUD services from simple to entity-auto
[ https://issues.apache.org/jira/browse/OFBIZ-10636?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ashish Kumar Pandey reassigned OFBIZ-10636:
---

Assignee: Ashish Kumar Pandey

> Convert Picklist related CRUD services from simple to entity-auto
> -
>
> Key: OFBIZ-10636
> URL: https://issues.apache.org/jira/browse/OFBIZ-10636
> Project: OFBiz
> Issue Type: Sub-task
> Reporter: Pallavi Goyal
> Assignee: Ashish Kumar Pandey
> Priority: Major
>
> The simple service updates the picklist and creates a record for 'PicklistStatusHistory'.
> It can be improved by converting 'updatePicklist' to entity-auto and adding a SECA for creating the picklist status history record.
[jira] [Updated] (OFBIZ-11014) StringUtil cleanup
[ https://issues.apache.org/jira/browse/OFBIZ-11014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mathieu Lirzin updated OFBIZ-11014:
---

Attachment: OFBIZ-11014_0014-Turn-StringUtilTests-into-a-unit-test.patch

> StringUtil cleanup
> --
>
> Key: OFBIZ-11014
> URL: https://issues.apache.org/jira/browse/OFBIZ-11014
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: Trunk
> Reporter: Mathieu Lirzin
> Assignee: Mathieu Lirzin
> Priority: Minor
> Attachments:
> OFBIZ-11014_0001-Remove-useless-StringUtil-join-overload.patch,
> OFBIZ-11014_0002-Rewrite-StringUtil-join-method.patch,
> OFBIZ-11014_0003-Remove-unused-StringUtil-append-method.patch,
> OFBIZ-11014_0004-Remove-unused-StringUtil-split-overload.patch,
> OFBIZ-11014_0005-Inline-StringUtil-quoteStrList-method.patch,
> OFBIZ-11014_0006-Remove-unused-StringUtil-strToMap-overload.patch,
> OFBIZ-11014_0007-Remove-unused-StringUtil-mapToStr-method.patch,
> OFBIZ-11014_0008-Remove-unused-StringUtil-convertChar-method.patch,
> OFBIZ-11014_0009-Remove-unused-StringUtil-removeNumeric-meth.patch,
> OFBIZ-11014_0010-Remove-unused-StringUtil-collapseNewlines-m.patch,
> OFBIZ-11014_0011-Remove-unused-StringUtil-collapseSpaces-met.patch,
> OFBIZ-11014_0012-Remove-unused-StringUtil-collapseCharacter.patch,
> OFBIZ-11014_0013-Remove-unused-StringUtil-appendTo-methods.patch,
> OFBIZ-11014_0014-Turn-StringUtilTests-into-a-unit-test.patch
>
> {{StringUtil}} contains stuff that is not useful with recent versions of Java. For example the {{StringUtil#split}} method could be replaced by the {{String#split}} method. As a consequence {{StringUtil}} should be cleaned up.
[jira] [Updated] (OFBIZ-11014) StringUtil cleanup
[ https://issues.apache.org/jira/browse/OFBIZ-11014?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mathieu Lirzin updated OFBIZ-11014:
---

Attachment:
OFBIZ-11014_0001-Remove-useless-StringUtil-join-overload.patch
OFBIZ-11014_0002-Rewrite-StringUtil-join-method.patch
OFBIZ-11014_0003-Remove-unused-StringUtil-append-method.patch
OFBIZ-11014_0004-Remove-unused-StringUtil-split-overload.patch
OFBIZ-11014_0005-Inline-StringUtil-quoteStrList-method.patch
OFBIZ-11014_0006-Remove-unused-StringUtil-strToMap-overload.patch
OFBIZ-11014_0007-Remove-unused-StringUtil-mapToStr-method.patch
OFBIZ-11014_0008-Remove-unused-StringUtil-convertChar-method.patch
OFBIZ-11014_0009-Remove-unused-StringUtil-removeNumeric-meth.patch
OFBIZ-11014_0010-Remove-unused-StringUtil-collapseNewlines-m.patch
OFBIZ-11014_0011-Remove-unused-StringUtil-collapseSpaces-met.patch
OFBIZ-11014_0012-Remove-unused-StringUtil-collapseCharacter.patch
OFBIZ-11014_0013-Remove-unused-StringUtil-appendTo-methods.patch

> StringUtil cleanup
> --
>
> Key: OFBIZ-11014
> URL: https://issues.apache.org/jira/browse/OFBIZ-11014
> Project: OFBiz
> Issue Type: Improvement
> Components: framework
> Affects Versions: Trunk
> Reporter: Mathieu Lirzin
> Assignee: Mathieu Lirzin
> Priority: Minor
> Attachments:
> OFBIZ-11014_0001-Remove-useless-StringUtil-join-overload.patch,
> OFBIZ-11014_0002-Rewrite-StringUtil-join-method.patch,
> OFBIZ-11014_0003-Remove-unused-StringUtil-append-method.patch,
> OFBIZ-11014_0004-Remove-unused-StringUtil-split-overload.patch,
> OFBIZ-11014_0005-Inline-StringUtil-quoteStrList-method.patch,
> OFBIZ-11014_0006-Remove-unused-StringUtil-strToMap-overload.patch,
> OFBIZ-11014_0007-Remove-unused-StringUtil-mapToStr-method.patch,
> OFBIZ-11014_0008-Remove-unused-StringUtil-convertChar-method.patch,
> OFBIZ-11014_0009-Remove-unused-StringUtil-removeNumeric-meth.patch,
> OFBIZ-11014_0010-Remove-unused-StringUtil-collapseNewlines-m.patch,
> OFBIZ-11014_0011-Remove-unused-StringUtil-collapseSpaces-met.patch,
> OFBIZ-11014_0012-Remove-unused-StringUtil-collapseCharacter.patch,
> OFBIZ-11014_0013-Remove-unused-StringUtil-appendTo-methods.patch
>
> {{StringUtil}} contains stuff that is not useful with recent versions of Java. For example the {{StringUtil#split}} method could be replaced by the {{String#split}} method. As a consequence {{StringUtil}} should be cleaned up.
[jira] [Comment Edited] (OFBIZ-5254) Services allow arbitrary HTML for parameters with allow-html set to "safe"
[ https://issues.apache.org/jira/browse/OFBIZ-5254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847570#comment-16847570 ]

Jacques Le Roux edited comment on OFBIZ-5254 at 5/24/19 5:21 PM:
-

I committed the last version of the patch in trunk r1859877+1859893 (plugins), with a few simple conflicts handled by hand in
R18 r1859878+1859894 (plugins)
R17 r1859879+1859895 (plugins)
R16 r1859880+1859896 (plugins)

was (Author: jacques.le.roux):
I committed the last version of the patch in trunk r1859877, with a few simple conflicts handled by hand in
R18 r1859878
R17 r1859879
R16 r1859880

> Services allow arbitrary HTML for parameters with allow-html set to "safe"
> --
>
> Key: OFBIZ-5254
> URL: https://issues.apache.org/jira/browse/OFBIZ-5254
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk
> Reporter: Christoph Neuroth
> Assignee: Jacques Le Roux
> Priority: Critical
> Labels: security
> Fix For: 17.12.01, 16.11.06, 18.12.01
> Attachments: OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, UtilCodec.java
>
> For any given service with allow-html=safe parameters, the parameter data is not properly validated. See ModelService.java:588:
> {code}
> StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList);
> {code}
> Looking at that method:
> {code}
> public static String checkStringForHtmlSafeOnly(String valueName, String value, List errorMessageList) {
>     ValidationErrorList vel = new ValidationErrorList();
>     value = defaultWebValidator.getValidSafeHTML(valueName, value, Integer.MAX_VALUE, true, vel);
>     errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), String.class));
>     return value;
> }
> {code}
> you can see that it expects the defaultWebValidator.getValidSafeHTML would add all validation errors to the given ValidationErrorList, but if you look at the implementation of ESAPI that is not the case. First, consider the overloaded getValidSafeHTML that takes the ValidationErrorList:
> {code}
> public String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull, ValidationErrorList errors) throws IntrusionException {
>     try {
>         return getValidSafeHTML(context, input, maxLength, allowNull);
>     } catch (ValidationException e) {
>         errors.addError(context, e);
>     }
>     return input;
> }
> {code}
> Then, step into that method to see that ValidationExceptions are only thrown for things like exceeding the maximum length - not for policy violations that can be "cleaned", such as tags that are not allowed by the policy:
> {code}
> AntiSamy as = new AntiSamy();
> CleanResults test = as.scan(input, antiSamyPolicy);
> List errors = test.getErrorMessages();
> if ( errors.size() > 0 ) {
>     // just create new exception to get it logged and intrusion detected
>     new ValidationException( "Invalid HTML input: context=" + context, "Invalid HTML input: context=" + context + ", errors=" + errors, context );
> }
> {code}
> I guess that is an expected, although maybe not clearly documented behavior of ESAPI: Non-cleanable violations throw the exception and therefore will fail the ofbiz service, while non-allowed tags are cleaned. However, if you consider ModelService:588 and following lines again:
> {code}
> StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, errorMessageList);
> //(...)
> if (errorMessageList.size() > 0) {
>     throw new ServiceValidationException(errorMessageList, this, mode);
> }
> {code}
> the cleaned return value is ignored. Therefore, you will see an "IntrusionDetection" in the logs, giving you a false sense of security, but the unfiltered HTML will still go into the service. So, if you want the service to fail if non-allowed HTML is encountered, you should use isValidSafeHTML instead. If you want the incoming HTML to be filtered, you should use the return value of getValidSafeHTML.
>
> Some additional notes on this:
> * When changing this, it should be properly documented as users may well be relying on this behavior - for example, we send full HTML mails to our customers for their ecommerce purchases and require HTML to go through - so maybe for services like the
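The defect Christoph's report describes, modelled in Python as an added example (this is not OFBiz or ESAPI code; the tag allowlist, the `get_valid_safe_html` stand-in and the sample input are constructed for the illustration). The stand-in behaves the way the report says ESAPI does: disallowed tags are stripped from the returned string, while only uncleanable problems (here, exceeding the maximum length) are added to the error list passed in. `check_before` mirrors the caller that discards the return value, and the two fixes the report names are shown beside it: filter by using the return value, or reject when the cleaner changed anything.

```python
"""Model of the allow-html="safe" defect reported in OFBIZ-5254.

Added, constructed example; not OFBiz or ESAPI code. The sanitizer below
imitates the ESAPI behaviour the report describes: disallowed tags are
removed from the *returned* string, while only uncleanable problems (here,
exceeding the maximum length) are recorded in the error list passed in.
"""
from html.parser import HTMLParser
from typing import List

# Constructed policy standing in for the AntiSamy policy: tags allowed through.
ALLOWED_TAGS = {"p", "b", "i", "br"}
# Tags whose body text is dropped along with the tag itself.
DROP_BODY_TAGS = {"script", "style"}


class _TagFilter(HTMLParser):
    """Rebuilds the input, keeping only ALLOWED_TAGS (attributes are dropped)."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: List[str] = []
        self.dropped: List[str] = []
        self._skip_body = False

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.dropped.append(tag)
            self._skip_body = tag in DROP_BODY_TAGS

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}/>")
        else:
            self.dropped.append(tag)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        elif tag in DROP_BODY_TAGS:
            self._skip_body = False

    def handle_data(self, data):
        if not self._skip_body:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self._skip_body:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_body:
            self.out.append(f"&#{name};")


def get_valid_safe_html(context: str, value: str, max_length: int, errors: List[str]) -> str:
    """Stand-in for Validator.getValidSafeHTML(context, input, maxLength, allowNull, errors).

    Only the uncleanable case (length) lands in `errors`; disallowed tags are
    silently stripped, and that cleaning is visible only in the return value.
    """
    if len(value) > max_length:
        errors.append(f"{context}: input exceeds maximum length {max_length}")
        return value
    f = _TagFilter()
    f.feed(value)
    f.close()
    return "".join(f.out)


def check_before(name: str, value: str, errors: List[str]) -> str:
    """The pattern the report criticises: the sanitizer runs, its result is discarded."""
    get_valid_safe_html(name, value, 1000, errors)
    return value  # the unfiltered input is what reaches the service


def check_filtering(name: str, value: str, errors: List[str]) -> str:
    """Fix 1 (filter): the cleaned value replaces the parameter."""
    return get_valid_safe_html(name, value, 1000, errors)


def check_rejecting(name: str, value: str, errors: List[str]) -> str:
    """Fix 2 (reject): any change made by the cleaner counts as a validation error,
    which the caller's `errorMessageList.size() > 0` check then acts on."""
    cleaned = get_valid_safe_html(name, value, 1000, errors)
    if cleaned != value:
        errors.append(f"{name}: disallowed HTML removed")
    return cleaned


# Constructed input: permitted markup plus one tag the policy does not allow.
SAMPLE = "<p>Hello <b>world</b><script>x()</script></p>"

if __name__ == "__main__":
    for check in (check_before, check_filtering, check_rejecting):
        errs: List[str] = []
        print(check.__name__, "->", repr(check("body", SAMPLE, errs)), errs)
```

Running it shows the false sense of security the report describes: `check_before` hands back the input unchanged with an empty error list, so the disallowed tag passes and nothing would make the caller throw; only the length case ever populates the list. The filtering variant returns the stripped string, and the rejecting variant is the equivalent of the report's isValidSafeHTML advice: it turns the silent cleaning into an error the existing `errorMessageList` check will act on.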
[jira] [Commented] (OFBIZ-10895) Unknown request [images]; this request does not exist or cannot be called directly.
[ https://issues.apache.org/jira/browse/OFBIZ-10895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847684#comment-16847684 ]

Jacques Le Roux commented on OFBIZ-10895:
-

Actually we have 3 cases to handle:
# in R16 there is no common theme: simple, few issues
# in R17 there is a common theme but it is not named the same as in R18 and trunk, more checks to be done. Could be useful for R18 and trunk
# Already some work done in R18 and trunk, still some to learn by coming from behind

So I'll begin by R16 and will pull up

> Unknown request [images]; this request does not exist or cannot be called directly.
> ---
>
> Key: OFBIZ-10895
> URL: https://issues.apache.org/jira/browse/OFBIZ-10895
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce, themes
> Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
>
> This error happens on many occasions:
> Inside another request (here LookupProduct)
> {noformat}
> 2019-03-31 12:32:26,215 |jsse-nio-8443-exec-2 |ControlServlet |T| [[[LookupProduct(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
> 2019-03-31 12:32:26,222 |jsse-nio-8443-exec-7 |ControlServlet |T| [[[images(Domain:https://localhost)] Request Begun, encoding=[UTF-8]- total:0.0,since last(Begin):0.0]]
> 2019-03-31 12:32:26,222 |jsse-nio-8443-exec-7 |ControlServlet |E| Error in request handler:
> org.apache.ofbiz.webapp.control.RequestHandlerException: Unknown request [images]; this request does not exist or cannot be called directly.
>     at org.apache.ofbiz.webapp.control.RequestHandler.doRequest(RequestHandler.java:277) ~[ofbiz.jar:?]
>     at org.apache.ofbiz.webapp.control.ControlServlet.doGet(ControlServlet.java:212) [ofbiz.jar:?]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:645) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:750) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53) [tomcat-embed-websocket-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.ofbiz.webapp.control.ContextFilter.doFilter(ContextFilter.java:191) [ofbiz.jar:?]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.ofbiz.webapp.control.ControlFilter.doFilter(ControlFilter.java:156) [ofbiz.jar:?]
>     at javax.servlet.http.HttpFilter.doFilter(HttpFilter.java:127) [javax.servlet-api-4.0.1.jar:4.0.1]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74) [tomcat-catalina-9.0.16.jar:9.0.16]
>     at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
[jira] [Closed] (OFBIZ-9800) French translation of OFBiz website
[ https://issues.apache.org/jira/browse/OFBIZ-9800?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-9800.
--

Resolution: Abandoned

> French translation of OFBiz website
> ---
>
> Key: OFBIZ-9800
> URL: https://issues.apache.org/jira/browse/OFBIZ-9800
> Project: OFBiz
> Issue Type: Improvement
> Components: site
> Reporter: Olivier Heintz
> Assignee: Deepak Dixit
> Priority: Minor
> Attachments: website-fr.tar, website-fr.tar, website-fr.tar.gz, website-fr.tar.gz, website-fr.tar.gz, website-fr.tar.gz, website-fr.tar.gz
>
> To evaluate the workload of translating all the OFBiz website pages into French, and so of maintaining the translation when there are modifications, I have started to translate them.
> There are between 10 and 15 pages to translate, and translating one takes between 1 and 2 hours.
[jira] [Updated] (OFBIZ-11040) Manage EECAs on delegator.removeBy
[ https://issues.apache.org/jira/browse/OFBIZ-11040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nicolas Malin updated OFBIZ-11040:
--

Affects Version/s: Release Branch 18.12
                   Release Branch 17.12

> Manage EECAs on delegator.removeBy
> --
>
> Key: OFBIZ-11040
> URL: https://issues.apache.org/jira/browse/OFBIZ-11040
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Nicolas Malin
> Assignee: Nicolas Malin
> Priority: Minor
> Fix For: 17.12.01, Upcoming Branch, 18.12.01
> Attachments: OFBIZ-11040.patch, OFBIZ-11040.patch
>
> Currently, when you delete some entities through removeByAnd or removeByCondition, EECAs aren't enabled and the remove is quiet with regard to implemented rules.
> With
> {code:java}
> event="return">
> {code}
> And
> {code:java}
> delegator.removeByAnd('GoodIdentification', [productId: 'WG-'])
> {code}
> The service indexProduct wasn't called for the productId WG-
> To solve this situation, the idea would be to call delegator.removeValue for each element to delete when an EECA is present, and otherwise call the standard helper.removeByCondition.
> This patch [^OFBIZ-11040.patch] provided by [~mleila]
[jira] [Closed] (OFBIZ-11040) Manage EECAs on delegator.removeBy
[ https://issues.apache.org/jira/browse/OFBIZ-11040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nicolas Malin closed OFBIZ-11040. - Resolution: Fixed Committed at: * trunk: r1859887 * 18.12: r1859888 * 17.12: r1859889 (with partial revert, bad formatting, on r1859890) Thanks all for sharing > Manage EECAs on delegator.removeBy > -- > > Key: OFBIZ-11040 > URL: https://issues.apache.org/jira/browse/OFBIZ-11040 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Trunk >Reporter: Nicolas Malin >Assignee: Nicolas Malin >Priority: Minor > Attachments: OFBIZ-11040.patch, OFBIZ-11040.patch > > > Currently, when you delete some entities through removeByAnd or > removeByCondition, EECAs aren't enabled and the removal is quiet with regard to the > implemented rules. > With > {code:java} > event="return"> > > > {code} > And > {code:java} > delegator.removeByAnd('GoodIdentification', [productId: 'WG-']) > {code} > The service indexProduct wasn't called for the productId WG- > To solve this situation, the idea would be to call delegator.removeValue for each > element to delete when an EECA is present, otherwise call the standard > helper.removeByCondition. > This patch [^OFBIZ-11040.patch] was provided by [~mleila] -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11040) Manage EECAs on delegator.removeBy
[ https://issues.apache.org/jira/browse/OFBIZ-11040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nicolas Malin updated OFBIZ-11040: -- Fix Version/s: 18.12.01 Upcoming Branch 17.12.01 > Manage EECAs on delegator.removeBy > -- > > Key: OFBIZ-11040 > URL: https://issues.apache.org/jira/browse/OFBIZ-11040 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Trunk >Reporter: Nicolas Malin >Assignee: Nicolas Malin >Priority: Minor > Fix For: 17.12.01, Upcoming Branch, 18.12.01 > > Attachments: OFBIZ-11040.patch, OFBIZ-11040.patch > > > Currently, when you delete some entities through removeByAnd or > removeByCondition, EECAs aren't enabled and the removal is quiet with regard to the > implemented rules. > With > {code:java} > event="return"> > > > {code} > And > {code:java} > delegator.removeByAnd('GoodIdentification', [productId: 'WG-']) > {code} > The service indexProduct wasn't called for the productId WG- > To solve this situation, the idea would be to call delegator.removeValue for each > element to delete when an EECA is present, otherwise call the standard > helper.removeByCondition. > This patch [^OFBIZ-11040.patch] was provided by [~mleila] -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (OFBIZ-11057) modify exampledemodata.xml
alain created OFBIZ-11057: - Summary: modify exampledemodata.xml Key: OFBIZ-11057 URL: https://issues.apache.org/jira/browse/OFBIZ-11057 Project: OFBiz Issue Type: Test Components: ALL PLUGINS Affects Versions: 18.12.01 Reporter: alain Fix For: 18.12.01 Made a test to add the line in the file exampledemodata.xml: {code:xml} <StatusItem description="New" sequenceId="07" statusCode="NEW" statusId="EXST_NEW" statusTypeId="EXAMPLE_STATUS"/> {code} but I don't see this item in the list of status types? Something more to update? Thanks. Starting evaluation of this interface. Alain -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847571#comment-16847571 ] Swapnil M Mane edited comment on OFBIZ-10145 at 5/24/19 2:02 PM: - As discussed over the OFBiz Slack chat group, documented the process for initializing the Gradle wrapper in README.adoc for Linux-based OSes, please refer to the [^init-gradlew-readme.patch] file. Added a TODO note for MS Windows OS; as time allows [~jacques.le.roux] will help us here, thanks so much Jacques! :) Thanks! was (Author: swapnilmmane): As discussed over the OFBiz Slack chat group, documented the process for initializing the Gradle wrapper in README.adoc for Linux-based OSes, please refer to the init-gradlew-readme.patch file. Added a TODO note for MS Windows OS; as time allows [~jacques.le.roux] will help us here, thanks so much Jacques! :) Thanks! > Remove the Gradle wrapper from our release packages and add a step to our > build notes > - > > Key: OFBIZ-10145 > URL: https://issues.apache.org/jira/browse/OFBIZ-10145 > Project: OFBiz > Issue Type: Task > Components: Gradle >Affects Versions: 17.12.01, 16.11.06, 18.12.01 >Reporter: Jacques Le Roux >Assignee: Nicolas Malin >Priority: Blocker > Fix For: 17.12.01 > > Attachments: init-gradle-wrapper-trunk-and-18.sh, > init-gradle-wrapper-trunk-and-18.sh, init-gradle-wrapper.sh, > init-gradle-wrapper.sh, init-gradle-wrapper.sh, init-gradlew-readme.patch > > > Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, > considering LEGAL-288 and based on a lazy consensus on dev ML, we want to > remove the gradle-wrapper.jar file from the next packaged releases and use > [~jacopoc]'s related proposition to document how to have Gradle working in > the main README.md file. > # Extract the archive file to your local directory. > # Download gradle-wrapper.jar and place it in the > OFBiz-root-dir/gradle/wrapper folder. > I'm not sure if we should recommend a link to download the > gradle-wrapper.jar. 
This might change in the future (versions, etc.), so > indeed maybe simply asking to download is enough, cf > https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8 > Also we need to add a point about removing gradle-wrapper.jar in > https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Comment Edited] (OFBIZ-5254) Services allow arbitrary HTML for parameters with allow-html set to "safe"
[ https://issues.apache.org/jira/browse/OFBIZ-5254?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847570#comment-16847570 ] Jacques Le Roux edited comment on OFBIZ-5254 at 5/24/19 1:59 PM: - I committed the last version of the patch in trunk r1859877 with a few simple conflicts handled by hand in R18 r1859878 R17 r1859879 R16 r1859880 was (Author: jacques.le.roux): I committed the last version of the patch in trunk r1859877 with a few conflicts handled by hand in R18 r1859878 R17 r1859879 R16 r1859880 > Services allow arbitrary HTML for parameters with allow-html set to "safe" > -- > > Key: OFBIZ-5254 > URL: https://issues.apache.org/jira/browse/OFBIZ-5254 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Trunk >Reporter: Christoph Neuroth >Assignee: Jacques Le Roux >Priority: Critical > Labels: security > Fix For: 17.12.01, 16.11.06, 18.12.01 > > Attachments: OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, > OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, UtilCodec.java > > > For any given service with allow-html=safe parameters, the parameter data is > not properly validated. See ModelService.java:588: > {code} > > StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, > errorMessageList); > {code} > Looking at that method: > {code} > public static String checkStringForHtmlSafeOnly(String valueName, String > value, List<String> errorMessageList) { > ValidationErrorList vel = new ValidationErrorList(); > value = defaultWebValidator.getValidSafeHTML(valueName, value, > Integer.MAX_VALUE, true, vel); > errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), > String.class)); > return value; > } > {code} > you can see that it expects the defaultWebValidator.getValidSafeHTML would > add all validation errors to the given ValidationErrorList, but if you look > at the implementation of ESAPI that is not the case. 
First, consider the > overloaded getValidSafeHTML that takes the ValidationErrorList: > {code}public String getValidSafeHTML(String context, String input, > int maxLength, boolean allowNull, ValidationErrorList errors) throws > IntrusionException { > try { > return getValidSafeHTML(context, input, maxLength, > allowNull); > } catch (ValidationException e) { > errors.addError(context, e); > } > return input; > } > {code} > Then, step into that method to see that ValidationExceptions are only thrown > for things like exceeding the maximum length - not for policy violations that > can be "cleaned", such as tags that are not allowed by the policy: > {code} > AntiSamy as = new AntiSamy(); > CleanResults test = as.scan(input, antiSamyPolicy); > List errors = test.getErrorMessages(); > if ( errors.size() > 0 ) { > // just create new exception to get it logged > and intrusion detected > new ValidationException( "Invalid HTML input: > context=" + context, "Invalid HTML input: context=" + context + ", errors=" + > errors, context ); > } > {code} > I guess that is an expected, although maybe not clearly documented behavior > of ESAPI: Non-cleanable violations throw the exception and therefore will > fail the ofbiz service, while non-allowed tags are cleaned. However, if you > consider ModelService:588 and following lines again: > {code} > StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, > errorMessageList); > //(...) > if (errorMessageList.size() > 0) { > throw new ServiceValidationException(errorMessageList, this, > mode); > } > {code} > the cleaned return value is ignored. Therefore, you will see an > "IntrusionDetection" in the logs, giving you a false sense of security but > the unfiltered HTML will still go into the service. So, if you want the > service to fail if non-allowed HTML is encountered, you should use > isValidSafeHTML instead. If you want the incoming HTML to be filtered, you > should use the return value of getValidSafeHTML. 
> Some additional notes on this: > * When changing this, it should be properly documented as users may well be > relying on this behavior - for example, we send full HTML mails to our > customers for their ecommerce purchases and require HTML to go through - so > maybe for services like the communicationEvents allowing only safe HTML might > not be desired. > * The ESAPI code
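Editor's note: the failure mode described in the report above (validation errors are collected, but the sanitizer's cleaned return value is thrown away, so the unfiltered HTML still reaches the service) is easy to reproduce without ESAPI. The Java below is an added example, not OFBiz or ESAPI code. `ToyHtmlValidator` is an assumed stand-in for the ESAPI validator that cleans disallowed tags silently and records a `ValidationException` only for non-cleanable input (over-length), which is the behaviour the report describes; `checkDiscardingResult` reproduces the `checkStringForHtmlSafeOnly` pattern, while `checkFiltering` and `checkStrict` are the two corrections the report suggests (keep the cleaned value, or fail the call when anything had to be cleaned). All class, method and allowlist names are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example, not OFBiz or ESAPI code. ToyHtmlValidator models the two
 * ESAPI behaviours the report relies on: tags outside the policy are cleaned
 * silently, and only input that cannot be cleaned (here: too long) raises a
 * ValidationException that the error-list overload records.
 */
public class SafeHtmlCheckExample {

    static class ValidationException extends Exception {
        ValidationException(String message) { super(message); }
    }

    static class ToyHtmlValidator {
        // Assumed allowlist standing in for the AntiSamy policy.
        private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList("p", "b", "i", "br"));
        private static final Pattern TAG = Pattern.compile("</?([A-Za-z][A-Za-z0-9]*)[^>]*>");

        /** Returns the cleaned input; throws only for a non-cleanable violation. */
        String getValidSafeHTML(String input, int maxLength) throws ValidationException {
            if (input.length() > maxLength) {
                throw new ValidationException("input longer than " + maxLength);
            }
            Matcher m = TAG.matcher(input);
            StringBuffer out = new StringBuffer();
            while (m.find()) {
                boolean allowed = ALLOWED.contains(m.group(1).toLowerCase());
                // A disallowed tag is dropped (cleaned) without any exception.
                // (The toy strips only the tags; a real sanitizer also drops script bodies.)
                m.appendReplacement(out, allowed ? Matcher.quoteReplacement(m.group()) : "");
            }
            m.appendTail(out);
            return out.toString();
        }

        /** Mirrors the ESAPI overload: exceptions go to the list, the cleaned value is returned. */
        String getValidSafeHTML(String input, int maxLength, List<String> errors) {
            try {
                return getValidSafeHTML(input, maxLength);
            } catch (ValidationException e) {
                errors.add(e.getMessage());
                return input;
            }
        }
    }

    private static final ToyHtmlValidator VALIDATOR = new ToyHtmlValidator();

    /** The pattern the report criticises: errors are collected, the cleaned value is discarded. */
    static String checkDiscardingResult(String value, List<String> errors) {
        VALIDATOR.getValidSafeHTML(value, Integer.MAX_VALUE, errors);
        return value; // unfiltered HTML flows into the service unless errors is non-empty
    }

    /** Fix 1: filter. Keep what the validator returns. */
    static String checkFiltering(String value, List<String> errors) {
        return VALIDATOR.getValidSafeHTML(value, Integer.MAX_VALUE, errors);
    }

    /** Fix 2: fail closed. Anything the validator had to clean is a validation error. */
    static String checkStrict(String value, List<String> errors) {
        String cleaned = VALIDATOR.getValidSafeHTML(value, Integer.MAX_VALUE, errors);
        if (!cleaned.equals(value)) {
            errors.add("parameter contains HTML outside the safe policy");
        }
        return value;
    }

    public static void main(String[] args) {
        // Constructed input: a script tag the policy does not allow.
        String payload = "<p>hello <script>alert(1)</script><b>world</b></p>";
        for (String mode : new String[] {"discard", "filter", "strict"}) {
            List<String> errors = new ArrayList<>();
            String result = mode.equals("discard") ? checkDiscardingResult(payload, errors)
                    : mode.equals("filter") ? checkFiltering(payload, errors)
                    : checkStrict(payload, errors);
            System.out.println(mode + " -> " + result + "  errors=" + errors);
        }
    }
}
```

Running main shows the three outcomes side by side: "discard" returns the payload untouched with an empty error list (the false sense of security the report describes), "filter" returns the payload with the script tags removed, and "strict" leaves the payload alone but fills the error list, which is what makes the service call fail.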
[jira] [Commented] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847571#comment-16847571 ] Swapnil M Mane commented on OFBIZ-10145: As discussed over the OFBiz Slack chat group, documented the process for initializing the Gradle wrapper in README.adoc for Linux-based OSes, please refer to the init-gradlew-readme.patch file. Added a TODO note for MS Windows OS; as time allows [~jacques.le.roux] will help us here, thanks so much Jacques! :) Thanks! > Remove the Gradle wrapper from our release packages and add a step to our > build notes > - > > Key: OFBIZ-10145 > URL: https://issues.apache.org/jira/browse/OFBIZ-10145 > Project: OFBiz > Issue Type: Task > Components: Gradle >Affects Versions: 17.12.01, 16.11.06, 18.12.01 >Reporter: Jacques Le Roux >Assignee: Nicolas Malin >Priority: Blocker > Fix For: 17.12.01 > > Attachments: init-gradle-wrapper-trunk-and-18.sh, > init-gradle-wrapper-trunk-and-18.sh, init-gradle-wrapper.sh, > init-gradle-wrapper.sh, init-gradle-wrapper.sh, init-gradlew-readme.patch > > > Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, > considering LEGAL-288 and based on a lazy consensus on dev ML, we want to > remove the gradle-wrapper.jar file from the next packaged releases and use > [~jacopoc]'s related proposition to document how to have Gradle working in > the main README.md file. > # Extract the archive file to your local directory. > # Download gradle-wrapper.jar and place it in the > OFBiz-root-dir/gradle/wrapper folder. > I'm not sure if we should recommend a link to download the > gradle-wrapper.jar. 
This might change in the future (versions, etc.), so > indeed maybe simply asking to download is enough, cf > https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8 > Also we need to add a point about removing gradle-wrapper.jar in > https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Closed] (OFBIZ-5254) Services allow arbitrary HTML for parameters with allow-html set to "safe"
[ https://issues.apache.org/jira/browse/OFBIZ-5254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux closed OFBIZ-5254. -- Resolution: Fixed Fix Version/s: 18.12.01 16.11.06 17.12.01 I committed the last version of the patch in trunk r1859877 with a few conflicts handled by hand in R18 r1859878 R17 r1859879 R16 r1859880 > Services allow arbitrary HTML for parameters with allow-html set to "safe" > -- > > Key: OFBIZ-5254 > URL: https://issues.apache.org/jira/browse/OFBIZ-5254 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Trunk >Reporter: Christoph Neuroth >Assignee: Jacques Le Roux >Priority: Critical > Labels: security > Fix For: 17.12.01, 16.11.06, 18.12.01 > > Attachments: OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, > OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, UtilCodec.java > > > For any given service with allow-html=safe parameters, the parameter data is > not properly validated. See ModelService.java:588: > {code} > > StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, > errorMessageList); > {code} > Looking at that method: > {code} > public static String checkStringForHtmlSafeOnly(String valueName, String > value, List<String> errorMessageList) { > ValidationErrorList vel = new ValidationErrorList(); > value = defaultWebValidator.getValidSafeHTML(valueName, value, > Integer.MAX_VALUE, true, vel); > errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), > String.class)); > return value; > } > {code} > you can see that it expects the defaultWebValidator.getValidSafeHTML would > add all validation errors to the given ValidationErrorList, but if you look > at the implementation of ESAPI that is not the case. 
First, consider the > overloaded getValidSafeHTML that takes the ValidationErrorList: > {code}public String getValidSafeHTML(String context, String input, > int maxLength, boolean allowNull, ValidationErrorList errors) throws > IntrusionException { > try { > return getValidSafeHTML(context, input, maxLength, > allowNull); > } catch (ValidationException e) { > errors.addError(context, e); > } > return input; > } > {code} > Then, step into that method to see that ValidationExceptions are only thrown > for things like exceeding the maximum length - not for policy violations that > can be "cleaned", such as tags that are not allowed by the policy: > {code} > AntiSamy as = new AntiSamy(); > CleanResults test = as.scan(input, antiSamyPolicy); > List errors = test.getErrorMessages(); > if ( errors.size() > 0 ) { > // just create new exception to get it logged > and intrusion detected > new ValidationException( "Invalid HTML input: > context=" + context, "Invalid HTML input: context=" + context + ", errors=" + > errors, context ); > } > {code} > I guess that is an expected, although maybe not clearly documented behavior > of ESAPI: Non-cleanable violations throw the exception and therefore will > fail the ofbiz service, while non-allowed tags are cleaned. However, if you > consider ModelService:588 and following lines again: > {code} > StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, > errorMessageList); > //(...) > if (errorMessageList.size() > 0) { > throw new ServiceValidationException(errorMessageList, this, > mode); > } > {code} > the cleaned return value is ignored. Therefore, you will see an > "IntrusionDetection" in the logs, giving you a false sense of security but > the unfiltered HTML will still go into the service. So, if you want the > service to fail if non-allowed HTML is encountered, you should use > isValidSafeHTML instead. If you want the incoming HTML to be filtered, you > should use the return value of getValidSafeHTML. 
> Some additional notes on this: > * When changing this, it should be properly documented as users may well be > relying on this behavior - for example, we send full HTML mails to our > customers for their ecommerce purchases and require HTML to go through - so > maybe for services like the communicationEvents allowing only safe HTML might > not be desired. > * The ESAPI code samples above are from version 1.4.4. I was really surprised > to find a JAR that is not only outdated, but patched and built by a third > party, without even
[jira] [Updated] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Swapnil M Mane updated OFBIZ-10145: --- Attachment: init-gradlew-readme.patch > Remove the Gradle wrapper from our release packages and add a step to our > build notes > - > > Key: OFBIZ-10145 > URL: https://issues.apache.org/jira/browse/OFBIZ-10145 > Project: OFBiz > Issue Type: Task > Components: Gradle >Affects Versions: 17.12.01, 16.11.06, 18.12.01 >Reporter: Jacques Le Roux >Assignee: Nicolas Malin >Priority: Blocker > Fix For: 17.12.01 > > Attachments: init-gradle-wrapper-trunk-and-18.sh, > init-gradle-wrapper-trunk-and-18.sh, init-gradle-wrapper.sh, > init-gradle-wrapper.sh, init-gradle-wrapper.sh, init-gradlew-readme.patch > > > Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, > considering LEGAL-288 and based on a lazy consensus on dev ML, we want to > remove the gradle-wrapper.jar file from the next packaged releases and use > [~jacopoc]'s related proposition to document how to have Gradle working in > the main README.md file. > # Extract the archive file to your local directory. > # Download gradle-wrapper.jar and place it in the > OFBiz-root-dir/gradle/wrapper folder. > I'm not sure if we should recommend a link to download the > gradle-wrapper.jar. This might change in the future (versions, etc.), so > indeed maybe simply asking to download is enough, cf > https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8 > Also we need to add a point about removing gradle-wrapper.jar in > https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11040) Manage EECAs on delegator.removeBy
[ https://issues.apache.org/jira/browse/OFBIZ-11040?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nicolas Malin updated OFBIZ-11040: -- Issue Type: Bug (was: Improvement) > Manage EECAs on delegator.removeBy > -- > > Key: OFBIZ-11040 > URL: https://issues.apache.org/jira/browse/OFBIZ-11040 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Trunk >Reporter: Nicolas Malin >Assignee: Nicolas Malin >Priority: Minor > Attachments: OFBIZ-11040.patch, OFBIZ-11040.patch > > > Currently, when you delete some entities through removeByAnd or > removeByCondition, EECAs aren't enabled and the removal is quiet with regard to the > implemented rules. > With > {code:java} > event="return"> > > > {code} > And > {code:java} > delegator.removeByAnd('GoodIdentification', [productId: 'WG-']) > {code} > The service indexProduct wasn't called for the productId WG- > To solve this situation, the idea would be to call delegator.removeValue for each > element to delete when an EECA is present, otherwise call the standard > helper.removeByCondition. > This patch [^OFBIZ-11040.patch] was provided by [~mleila] -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847559#comment-16847559 ] Nicolas Malin commented on OFBIZ-10145: --- I committed at revision r1859876 on ofbiz tools an improvement to support the gradlew init for the trunk demo. > Remove the Gradle wrapper from our release packages and add a step to our > build notes > - > > Key: OFBIZ-10145 > URL: https://issues.apache.org/jira/browse/OFBIZ-10145 > Project: OFBiz > Issue Type: Task > Components: Gradle >Affects Versions: 17.12.01, 16.11.06, 18.12.01 >Reporter: Jacques Le Roux >Assignee: Nicolas Malin >Priority: Blocker > Fix For: 17.12.01 > > Attachments: init-gradle-wrapper-trunk-and-18.sh, > init-gradle-wrapper-trunk-and-18.sh, init-gradle-wrapper.sh, > init-gradle-wrapper.sh, init-gradle-wrapper.sh > > > Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, > considering LEGAL-288 and based on a lazy consensus on dev ML, we want to > remove the gradle-wrapper.jar file from the next packaged releases and use > [~jacopoc]'s related proposition to document how to have Gradle working in > the main README.md file. > # Extract the archive file to your local directory. > # Download gradle-wrapper.jar and place it in the > OFBiz-root-dir/gradle/wrapper folder. > I'm not sure if we should recommend a link to download the > gradle-wrapper.jar. This might change in the future (versions, etc.), so > indeed maybe simply asking to download is enough, cf > https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8 > Also we need to add a point about removing gradle-wrapper.jar in > https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OFBIZ-10187) OWASP sanitizer breaks proper rendering of HTML code
[ https://issues.apache.org/jira/browse/OFBIZ-10187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847545#comment-16847545 ] Jacques Le Roux commented on OFBIZ-10187: - Hi Dennis, After our discussion with Dennis, I checked and the pattern ONSITE_URL would be useless without {code:java} .allowAttributes("background").matching(ONSITE_URL) .onElements("table") .allowAttributes("background").matching(ONSITE_URL) .onElements("td", "th", "tr") {code} So I put them in, in trunk r1859871 R18 r1859872 R17 r1859873 (too fast, when I hit enter I saw there were no related pending changes. I'll have to revert those) R16 r1859874 > OWASP sanitizer breaks proper rendering of HTML code > > > Key: OFBIZ-10187 > URL: https://issues.apache.org/jira/browse/OFBIZ-10187 > Project: OFBiz > Issue Type: Bug > Components: ALL COMPONENTS >Affects Versions: Trunk, 16.11.04, Release Branch 17.12, Release Branch > 18.12 >Reporter: Michael Brohl >Assignee: Michael Brohl >Priority: Critical > Labels: backport-needed > Fix For: 17.12.01, 16.11.06, 18.12.01 > > Attachments: > OFBIZ-10187_Rewrite-CustomPermissivePolicy-matchesEithe.patch, > OFBIZ-10187_Sanitizer.patch, OFBIZ-10187_Sanitizer_16.11.patch, > OFBIZ-10187_Sanitizer_New.patch > > > The current implementation of the sanitizer breaks the proper rendering of > html code. In our case, class attributes are stripped from the html content. > Example: > {code:java} > > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" > alt="" /> > > > Lorem ipsum dolor sit amet > At vero eos et accusam et justo > > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. 
> > href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen > > > {code} > will be rendered to > {code:java} > > src="<@ofbizContentUrl>/webcontent/img/slider/1.jpg" > alt="" /> > > > Lorem ipsum dolor sit amet > At vero eos et accusam et justo > > Lorem ipsum dolor sit amet, consetetur > sadipscing elitr, dolores et ea rebum. Stet clita kasd gubergren, no sea > takimata sanctus est Lorem ipsum dolor sit amet. > > href="<@ofbizUrl>cms/~webpage_id=100">weitere Informationen > > > {code} > I do not see any reason to not allow class attributes in html code. There > might be other problems with these rules but this is a showstopper. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
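Editor's note: the comment above lists the `.allowAttributes("background").matching(ONSITE_URL).onElements(...)` calls that actually bind the ONSITE_URL pattern to an attribute; a pattern that no attribute rule references filters nothing. The Java below is an added example against the OWASP java-html-sanitizer builder API, not OFBiz's CustomPermissivePolicy: it keeps `class` attributes (whose stripping is the breakage reported in the issue) and binds an assumed ONSITE_URL pattern to href, src and background, so a `javascript:` or off-site background value is dropped while an on-site path survives. The element list, the pattern text and the sample inputs are assumptions for the example.

```java
import java.util.regex.Pattern;

import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example, not OFBiz's CustomPermissivePolicy. Builds a small OWASP
 * java-html-sanitizer policy that keeps class attributes and admits
 * background/href/src only when the value matches an on-site URL pattern.
 * Needs the org.owasp.html (java-html-sanitizer) jar on the classpath.
 */
public class OnsiteUrlPolicyExample {

    // Assumed pattern with the same shape as ONSITE_URL in the sanitizer's
    // EbayPolicyExample: relative paths and fragments only. No ':' is in the
    // character class, so "javascript:..." and "http://..." can never match.
    static final Pattern ONSITE_URL = Pattern.compile(
            "(?:[\\p{L}\\p{N}\\\\\\.\\#@\\$%\\+&;\\-_~,\\?=/!]+|\\#(\\w)+)");

    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("div", "p", "h1", "h2", "a", "img",
                           "table", "tbody", "tr", "td", "th")
            // Without this rule every class attribute is stripped, which is
            // the rendering breakage reported in the issue.
            .allowAttributes("class").globally()
            .allowAttributes("alt").onElements("img")
            .allowAttributes("href").matching(ONSITE_URL).onElements("a")
            .allowAttributes("src").matching(ONSITE_URL).onElements("img")
            // The pattern only does anything once an attribute is bound to it:
            .allowAttributes("background").matching(ONSITE_URL)
                .onElements("table", "td", "th", "tr")
            .toFactory();

    /** Applies the policy; attributes whose value fails the pattern are dropped. */
    static String sanitize(String html) {
        return POLICY.sanitize(html);
    }

    public static void main(String[] args) {
        // Constructed inputs: one on-site, one trying a script URL and an off-site host.
        String benign = "<div class=\"slider\"><table class=\"grid\" background=\"/webcontent/img/bg.jpg\">"
                + "<tr><td>Lorem ipsum</td></tr></table>"
                + "<a href=\"cms/~webpage_id=100\">weitere Informationen</a></div>";
        String hostile = "<table background=\"javascript:alert(1)\"><tr>"
                + "<td background=\"http://evil.example/x.png\">hi</td></tr></table>";
        System.out.println(sanitize(benign));   // class and background attributes survive
        System.out.println(sanitize(hostile));  // both background attributes are removed
    }
}
```

Compile with the java-html-sanitizer jar on the classpath and run main. The sanitizer may normalise the markup it emits (for instance wrapping rows in tbody), so when turning this into a test compare the surviving attributes rather than exact output strings.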
[jira] [Created] (OFBIZ-11056) Fix duplicate entry in paramWithSuffix
Samuel Trégouët created OFBIZ-11056: --- Summary: Fix duplicate entry in paramWithSuffix Key: OFBIZ-11056 URL: https://issues.apache.org/jira/browse/OFBIZ-11056 Project: OFBiz Issue Type: Bug Reporter: Samuel Trégouët When using the string-list-suffix attribute in a service definition, the invoke method (from the associated event handler) will try to parse parameters from both the request variable and rawParameterMap, which was also built from the request. So we end up with duplicates in the resulting list. This behaviour seems to have been introduced with OFBIZ-5048. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-10953) have CurrencyDimension have a dimensionId that is based on the natural key
[ https://issues.apache.org/jira/browse/OFBIZ-10953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pierre Smits updated OFBIZ-10953: - Issue Type: Improvement (was: Bug) > have CurrencyDimension have a dimensionId that is based on the natural key > -- > > Key: OFBIZ-10953 > URL: https://issues.apache.org/jira/browse/OFBIZ-10953 > Project: OFBiz > Issue Type: Improvement > Components: bi >Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 >Reporter: Pierre Smits >Assignee: Pierre Smits >Priority: Major > Labels: CurrencyDimension, birt, currency, dimension, dwh > Attachments: OFBIZ-10953-BI.patch > > > Currently the record sequencer (delegator.getNextSeqId) is used to determine > the dimensionId for the CurrencyDimension. This is unnecessary as the uomId > from the UOM table can be used for currency. > It also makes it easier to set the foreign-key in fact tables by generating > it based on the date provided, than by retrieving the dimensionId based on a > retrieval through the getDimensionIdFromNaturalKey service. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11055) Have a Project Dimension
[ https://issues.apache.org/jira/browse/OFBIZ-11055?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pierre Smits updated OFBIZ-11055: - Attachment: OFBIZ-11055-Project.patch > Have a Project Dimension > > > Key: OFBIZ-11055 > URL: https://issues.apache.org/jira/browse/OFBIZ-11055 > Project: OFBiz > Issue Type: Improvement > Components: bi >Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 >Reporter: Pierre Smits >Priority: Major > Labels: ProjectDimension, birt, dimension, dwh > Attachments: OFBIZ-11055-Project.patch > > > The component would benefit from a project dimension for future fact tables > and star schema view entities. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (OFBIZ-11055) Have a Project Dimension
Pierre Smits created OFBIZ-11055: Summary: Have a Project Dimension Key: OFBIZ-11055 URL: https://issues.apache.org/jira/browse/OFBIZ-11055 Project: OFBiz Issue Type: Improvement Components: bi Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 Reporter: Pierre Smits The component would benefit from a project dimension for future fact tables and star schema view entities. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11054) Have an Organisation Dimension
[ https://issues.apache.org/jira/browse/OFBIZ-11054?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pierre Smits updated OFBIZ-11054: - Attachment: OFBIZ-11054-Organnisation.patch > Have an Organisation Dimension > -- > > Key: OFBIZ-11054 > URL: https://issues.apache.org/jira/browse/OFBIZ-11054 > Project: OFBiz > Issue Type: Improvement > Components: bi >Affects Versions: Release Branch 17.12, Release Branch 18.12 >Reporter: Pierre Smits >Assignee: Pierre Smits >Priority: Major > Labels: OrganisationDimension, birt, dimension, dwh > Attachments: OFBIZ-11054-Organnisation.patch > > > The component would benefit from an organisation dimension for future fact > tables and star schema view entities. This dimension captures the attributes > of the internal (accounting) parties. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (OFBIZ-11054) Have an Organisation Dimension
Pierre Smits created OFBIZ-11054: Summary: Have an Organisation Dimension Key: OFBIZ-11054 URL: https://issues.apache.org/jira/browse/OFBIZ-11054 Project: OFBiz Issue Type: Improvement Components: bi Affects Versions: Release Branch 17.12, Release Branch 18.12 Reporter: Pierre Smits Assignee: Pierre Smits The component would benefit from an organisation dimension for future fact tables and star schema view entities. This dimension captures the attributes of the internal (accounting) parties. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-5254) Services allow arbitrary HTML for parameters with allow-html set to "safe"
[ https://issues.apache.org/jira/browse/OFBIZ-5254?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-5254: --- Sprint: OFBiz Community Day (May 2019) > Services allow arbitrary HTML for parameters with allow-html set to "safe" > -- > > Key: OFBIZ-5254 > URL: https://issues.apache.org/jira/browse/OFBIZ-5254 > Project: OFBiz > Issue Type: Bug > Components: framework >Affects Versions: Trunk >Reporter: Christoph Neuroth >Assignee: Jacques Le Roux >Priority: Critical > Labels: security > Attachments: OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, > OFBIZ-5254.patch, OFBIZ-5254.patch, OFBIZ-5254.patch, UtilCodec.java > > > For any given service with allow-html=safe parameters, the parameter data is > not properly validated. See ModelService.java:588: > {code} > > StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, > errorMessageList); > {code} > Looking at that method: > {code} > public static String checkStringForHtmlSafeOnly(String valueName, String > value, List<String> errorMessageList) { > ValidationErrorList vel = new ValidationErrorList(); > value = defaultWebValidator.getValidSafeHTML(valueName, value, > Integer.MAX_VALUE, true, vel); > errorMessageList.addAll(UtilGenerics.checkList(vel.errors(), > String.class)); > return value; > } > {code} > you can see that it expects the defaultWebValidator.getValidSafeHTML would > add all validation errors to the given ValidationErrorList, but if you look > at the implementation of ESAPI that is not the case. 
First, consider the > overloaded getValidSafeHTML that takes the ValidationErrorList: > {code}public String getValidSafeHTML(String context, String input, > int maxLength, boolean allowNull, ValidationErrorList errors) throws > IntrusionException { > try { > return getValidSafeHTML(context, input, maxLength, > allowNull); > } catch (ValidationException e) { > errors.addError(context, e); > } > return input; > } > {code} > Then, step into that method to see that ValidationExceptions are only thrown > for things like exceeding the maximum length - not for policy violations that > can be "cleaned", such as tags that are not allowed by the policy: > {code} > AntiSamy as = new AntiSamy(); > CleanResults test = as.scan(input, antiSamyPolicy); > List errors = test.getErrorMessages(); > if ( errors.size() > 0 ) { > // just create new exception to get it logged > and intrusion detected > new ValidationException( "Invalid HTML input: > context=" + context, "Invalid HTML input: context=" + context + ", errors=" + > errors, context ); > } > {code} > I guess that is an expected, although maybe not clearly documented behavior > of ESAPI: Non-cleanable violations throw the exception and therefore will > fail the ofbiz service, while non-allowed tags are cleaned. However, if you > consider ModelService:588 and following lines again: > {code} > StringUtil.checkStringForHtmlSafeOnly(modelParam.name, value, > errorMessageList); > //(...) > if (errorMessageList.size() > 0) { > throw new ServiceValidationException(errorMessageList, this, > mode); > } > {code} > the cleaned return value is ignored. Therefore, you will see an > "IntrusionDetection" in the logs, giving you a false sense of security but > the unfiltered HTML will still go into the service. So, if you want the > service to fail if non-allowed HTML is encountered, you should use > isValidSafeHTML instead. If you want the incoming HTML to be filtered, you > should use the return value of getValidSafeHTML. 
> Some additional notes on this: > * When changing this, it should be properly documented as users may well be > relying on this behavior - for example, we send full HTML mails to our > customers for their ecommerce purchases and require HTML to go through - so > maybe for services like the communicationEvents allowing only safe HTML might > not be desired. > * The ESAPI code samples above are from version 1.4.4. I was really surprised > to find a JAR that is not only outdated, but patched and built by a third > party, without even indicating that in the filename in OfBiz trunk. This has > been there for years (see OFBIZ-3135) and should really be replaced with an > official, up to date version since that issue was fixed upstream years ago. -- This message was sent by Atlassian
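The report above hinges on one contract: getValidSafeHTML strips tags the policy disallows and returns the cleaned string, but only records an error for input it cannot clean (length, null), so a caller that drops the return value forwards the raw HTML while the log shows an intrusion event. The Java below is an added illustration written for this page, not OFBiz or ESAPI code: it models that contract with a small tag filter (the allowed tag set, the regex, the class names and the sample input are all assumptions) and puts the pattern from the report next to the two corrections the reporter suggests.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class SafeHtmlCheckDemo {

    /** Stand-in for the ESAPI ValidationErrorList (assumed shape). */
    static final class ValidationErrorList {
        private final List<String> messages = new ArrayList<>();
        void addError(String context, Exception e) { messages.add(context + ": " + e.getMessage()); }
        List<String> errors() { return messages; }
    }

    static final class ValidationException extends Exception {
        ValidationException(String msg) { super(msg); }
    }

    // Hypothetical policy: only <b>, <i>, <p> and <br> survive; any other tag is "cleaned" (removed).
    private static final Pattern DISALLOWED_TAG =
            Pattern.compile("</?(?!(?:b|i|p|br)\\b)[a-zA-Z][^>]*>");

    /** Models the behaviour the report describes: throws only for non-cleanable
     *  problems (null, over-length) and silently strips disallowed tags otherwise. */
    static String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull)
            throws ValidationException {
        if (input == null) {
            if (allowNull) return null;
            throw new ValidationException("null input");
        }
        if (input.length() > maxLength) throw new ValidationException("input exceeds " + maxLength);
        return DISALLOWED_TAG.matcher(input).replaceAll("");
    }

    /** The overload with an error list: records the exception and hands back the raw input. */
    static String getValidSafeHTML(String context, String input, int maxLength, boolean allowNull,
                                   ValidationErrorList errors) {
        try {
            return getValidSafeHTML(context, input, maxLength, allowNull);
        } catch (ValidationException e) {
            errors.addError(context, e);
        }
        return input;
    }

    /** Pattern from the report: the value is "checked" but the cleaned result is discarded,
     *  so with an empty error list the unfiltered HTML continues into the service. */
    static String checkAndIgnoreReturn(String name, String value, List<String> errorMessageList) {
        ValidationErrorList vel = new ValidationErrorList();
        getValidSafeHTML(name, value, Integer.MAX_VALUE, true, vel);
        errorMessageList.addAll(vel.errors());
        return value;
    }

    /** Correction 1: keep the return value, so disallowed tags are filtered out. */
    static String checkAndUseReturn(String name, String value, List<String> errorMessageList) {
        ValidationErrorList vel = new ValidationErrorList();
        String cleaned = getValidSafeHTML(name, value, Integer.MAX_VALUE, true, vel);
        errorMessageList.addAll(vel.errors());
        return cleaned;
    }

    /** Correction 2 (assumed semantics, as the report describes isValidSafeHTML):
     *  report failure whenever the input is invalid or anything had to be cleaned. */
    static boolean isValidSafeHTML(String name, String value) {
        try {
            return value == null || value.equals(getValidSafeHTML(name, value, Integer.MAX_VALUE, true));
        } catch (ValidationException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: one disallowed tag inside otherwise permitted markup.
        String input = "<p>Hello <iframe src=\"about:blank\"></iframe><b>world</b></p>";

        List<String> errorsA = new ArrayList<>();
        String passedThrough = checkAndIgnoreReturn("content", input, errorsA);
        System.out.println("ignored return : " + passedThrough + "  errors=" + errorsA.size());

        List<String> errorsB = new ArrayList<>();
        String filtered = checkAndUseReturn("content", input, errorsB);
        System.out.println("used return    : " + filtered + "  errors=" + errorsB.size());

        System.out.println("isValidSafeHTML: " + isValidSafeHTML("content", input));
    }
}
```

Running it shows the first call returning the input unchanged with zero errors, which is exactly the gap the report points out; the second returns the markup with the iframe removed, and the third returns false for the same input.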
[jira] [Commented] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847378#comment-16847378 ] Swapnil M Mane commented on OFBIZ-10145:
+1 to commit, I have tested both the scripts on trunk and release17. Everything is working as expected for me. Thank you [~soledad] for your work and everyone for your comments.
[~soledad] Just a small improvement: since now we are removing the corrupt archive, we should change the message from
{code}
echo "\nThe gradle-5.0-bin.zip file is corrupted.\nPlease remove this file from $OFBIZ_HOME/runtime/tmp location and run the script again."
{code}
to
{code}
echo "\nThe gradle-5.0-bin.zip file was corrupted thus it is removed from $OFBIZ_HOME/runtime/tmp location.\nNow please run the script again."
{code}
> Remove the Gradle wrapper from our release packages and add a step to our build notes
> -
>
> Key: OFBIZ-10145
> URL: https://issues.apache.org/jira/browse/OFBIZ-10145
> Project: OFBiz
> Issue Type: Task
> Components: Gradle
> Affects Versions: 17.12.01, 16.11.06, 18.12.01
> Reporter: Jacques Le Roux
> Assignee: Nicolas Malin
> Priority: Blocker
> Fix For: 17.12.01
>
> Attachments: init-gradle-wrapper-trunk-and-18.sh, init-gradle-wrapper-trunk-and-18.sh, init-gradle-wrapper.sh, init-gradle-wrapper.sh, init-gradle-wrapper.sh
>
>
> Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, considering LEGAL-288 and based on a lazy consensus on dev ML, we want to remove the gradle-wrapper.jar file from the next packaged releases and use [~jacopoc]'s related proposition to document how to have Gradle working in the main README.md file.
> # Extract the archive file to your local directory.
> # Download gradle-wrapper.jar and place it in the OFBiz-root-dir/gradle/wrapper folder.
> I'm not sure if we should recommend a link to download the gradle-wrapper.jar. This might change in the future (versions, etc.), so indeed maybe simply asking to download is enough, cf https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8
> Also we need to add a point about removing gradle-wrapper.jar in https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz
-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nicolas Malin updated OFBIZ-10145:
Attachment: init-gradle-wrapper.sh
-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Nicolas Malin updated OFBIZ-10145:
Attachment: init-gradle-wrapper-trunk-and-18.sh
-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847350#comment-16847350 ] Nicolas Malin commented on OFBIZ-10145:
Hi [~swapnilmmane], nice return :)
{quote}
So, to fix this, I removed the -b option from whereis command in script. After this everything works like charm for me.
{quote}
The risk is that you have only documentation or configuration. In this case
{code}
whereIsBinary() {
    whereis $1 | grep /
}
{code}
returns a non-empty string, while
{code}
whereIsBinary() {
    whereis -b $1 | grep /
}
{code}
returns an empty string. But it's a problem if you don't have it under Mac ...
I added your suggestion to the script, with a deletion of the corrupt archive before: [^init-gradle-wrapper-trunk-and-18.sh]. If it's ok for you we can commit this on trunk, release18 and release17.
-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847347#comment-16847347 ] Jacques Le Roux commented on OFBIZ-10678:
Fortunately results from retire for trunk and branches compare not too badly.
> CLONE - Check embedded Javascript libs vulnerabilities using retire.js
> --
>
> Key: OFBIZ-10678
> URL: https://issues.apache.org/jira/browse/OFBIZ-10678
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
> Labels: Javascript, retire.js, vulnerabilities
>
> 3 years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js
> After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and here are the results:
> h3. Trunk
> {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
> ? bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
> ? bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
> ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
> ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
> ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
> ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847344#comment-16847344 ] Jacques Le Roux commented on OFBIZ-10678:
We should not forget that we need to change the path to images in jQuery css files. BTW I need also to rename them with a "custom" inside name. I begin to wonder if having jQuery files in theme is a good idea. Also we should try to have only one version for all framework and plugins.
[jira] [Comment Edited] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847341#comment-16847341 ] Jacques Le Roux edited comment on OFBIZ-10678 at 5/24/19 8:20 AM:
I guess I'll work on trunk and try to backport...
h3. Trunk today
{noformat}
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json
Loading from cache: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json
C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
 ? bootstrap 4.0.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
 ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db
[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847341#comment-16847341 ] Jacques Le Roux commented on OFBIZ-10678:
I guess I'll work on trunk and try to backport...
[jira] [Commented] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16847339#comment-16847339 ] Jacques Le Roux commented on OFBIZ-10678:
h3. R18
{noformat}
C:\projectsASF\release18.12>retire
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json ...
Downloading https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/npmrepository.json ...
C:\projectsASF\release18.12\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
 ? bootstrap 4.0.0 has known vulnerabilities: severity: high; issue: 28236, summary: XSS in data-template, data-content and data-title properties of tooltip/popover, CVE: CVE-2019-8331; https://github.com/twbs/bootstrap/issues/28236 severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
C:\projectsASF\release18.12\plugins\solr\webapp\solr\js\require.js
 ? jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
C:\projectsASF\release18.12\plugins\solr\webapp\solr\libs\angular.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\release18.12\plugins\solr\webapp\solr\libs\angular.min.js
 ? angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md https://github.com/angular/angular.js/pull/15699 severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
C:\projectsASF\release18.12\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
 ? jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary: parseHTML() executes scripts in event handlers; https://bugs.jquery.com/ticket/11974 https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: low; CVE: CVE-2019-11358, summary: jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution; https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ https://nvd.nist.gov/vuln/detail/CVE-2019-11358 https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
[jira] [Updated] (OFBIZ-10678) CLONE - Check embedded Javascript libs vulnerabilities using retire.js
[ https://issues.apache.org/jira/browse/OFBIZ-10678?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-10678: Affects Version/s: Release Branch 18.12 > CLONE - Check embedded Javascript libs vulnerabilities using retire.js > -- > > Key: OFBIZ-10678 > URL: https://issues.apache.org/jira/browse/OFBIZ-10678 > Project: OFBiz > Issue Type: Sub-task > Components: ALL COMPONENTS >Affects Versions: Trunk, Release Branch 16.11, Release Branch 17.12, Release Branch 18.12 >Reporter: Jacques Le Roux >Assignee: Jacques Le Roux >Priority: Blocker > Labels: Javascript, retire.js, vulnerabilities > > 3 years ago I created the page https://cwiki.apache.org/confluence/display/OFBIZ/About+retire.js > After OFBIZ-9269 (done 1 year ago) that I cloned here, I just checked and here are the results: > h3. Trunk > {code}
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.bundle.min.js
> ↳ bootstrap 4.0.0-beta.2 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\ecommerce\webapp\ecommerce\js\bootstrap.min.js
> ↳ bootstrap 4.0.0 has known vulnerabilities: severity: medium; issue: 20184, summary: XSS in data-target property of scrollspy, CVE: CVE-2018-14041; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in collapse data-parent attribute, CVE: CVE-2018-14040; https://github.com/twbs/bootstrap/issues/20184 severity: medium; issue: 20184, summary: XSS in data-container property of tooltip, CVE: CVE-2018-14042; https://github.com/twbs/bootstrap/issues/20184
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\js\require.js
> ↳ jquery 1.7.1 has known vulnerabilities: severity: medium; CVE: CVE-2012-6708, bug: 11290, summary: Selector interpreted as HTML; http://bugs.jquery.com/ticket/11290 https://nvd.nist.gov/vuln/detail/CVE-2012-6708 http://research.insecurelabs.org/jquery/test/ severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.js
> ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\angular.min.js
> ↳ angularjs 1.3.8 has known vulnerabilities: severity: medium; summary: The attribute usemap can be used as a security exploit; https://github.com/angular/angular.js/blob/master/CHANGELOG.md#1230-patronal-resurrection-2016-07-21 severity: medium; summary: Universal CSP bypass via add-on in Firefox; https://github.com/mozilla/addons-linter/issues/1000#issuecomment-282083435 http://pastebin.com/raw/kGrdaypP severity: medium; summary: DOS in $sanitize; https://github.com/angular/angular.js/blob/master/CHANGELOG.md severity: low; summary: XSS in $sanitize in Safari/Firefox; https://github.com/angular/angular.js/commit/8f31f1ff43b673a24f84422d5c13d6312b2c4d94
> C:\projectsASF\ofbiz\plugins\solr\webapp\solr\libs\jquery-2.1.3.min.js
> ↳ jquery 2.1.3.min has known vulnerabilities: severity: medium; issue: 2432, summary: 3rd party CORS request may execute, CVE: CVE-2015-9251; https://github.com/jquery/jquery/issues/2432 http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/ https://nvd.nist.gov/vuln/detail/CVE-2015-9251 http://research.insecurelabs.org/jquery/test/ severity: medium; CVE: CVE-2015-9251, issue: 11974, summary:
[jira] [Updated] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux updated OFBIZ-10145: Sprint: OFBiz Community Day (May 2019) > Remove the Gradle wrapper from our release packages and add a step to our > build notes > - > > Key: OFBIZ-10145 > URL: https://issues.apache.org/jira/browse/OFBIZ-10145 > Project: OFBiz > Issue Type: Task > Components: Gradle >Affects Versions: 17.12.01, 16.11.06, 18.12.01 >Reporter: Jacques Le Roux >Assignee: Nicolas Malin >Priority: Blocker > Fix For: 17.12.01 > > Attachments: init-gradle-wrapper-trunk-and-18.sh, > init-gradle-wrapper.sh, init-gradle-wrapper.sh > > > Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, > considering LEGAL-288 and based on a lazy consensus on dev ML, we want to > remove the gradle-wrapper.jar file from the next packaged releases and use > [~jacopoc]'s related proposition to document how to have Gradle working in > the main README.md file. > # Extract the archive file to your local directory. > # Download gradle-wrapper.jar and place it in the > OFBiz-root-dir/gradle/wrapper folder. > I'm not sure if we should recommend a link to download the > gradle-wrapper.jar. This might change in the future (versions, etc.), so > indeed maybe simply asking to download is enough, cf > https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8 > Also we need to add a point about removing gradle-wrapper.jar in > https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Assigned] (OFBIZ-10145) Remove the Gradle wrapper from our release packages and add a step to our build notes
[ https://issues.apache.org/jira/browse/OFBIZ-10145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Jacques Le Roux reassigned OFBIZ-10145: --- Assignee: Nicolas Malin (was: Jacques Le Roux) > Remove the Gradle wrapper from our release packages and add a step to our > build notes > - > > Key: OFBIZ-10145 > URL: https://issues.apache.org/jira/browse/OFBIZ-10145 > Project: OFBiz > Issue Type: Task > Components: Gradle >Affects Versions: 17.12.01, 16.11.06, 18.12.01 >Reporter: Jacques Le Roux >Assignee: Nicolas Malin >Priority: Blocker > Fix For: 17.12.01 > > Attachments: init-gradle-wrapper-trunk-and-18.sh, > init-gradle-wrapper.sh, init-gradle-wrapper.sh > > > Following the discussion at http://markmail.org/message/nd7grfiyobjkfwae, > considering LEGAL-288 and based on a lazy consensus on dev ML, we want to > remove the gradle-wrapper.jar file from the next packaged releases and use > [~jacopoc]'s related proposition to document how to have Gradle working in > the main README.md file. > # Extract the archive file to your local directory. > # Download gradle-wrapper.jar and place it in the > OFBiz-root-dir/gradle/wrapper folder. > I'm not sure if we should recommend a link to download the > gradle-wrapper.jar. This might change in the future (versions, etc.), so > indeed maybe simply asking to download is enough, cf > https://www.google.com/search?q=gradle-wrapper.jar+download=UTF-8 > Also we need to add a point about removing gradle-wrapper.jar in > https://cwiki.apache.org/confluence/display/OFBIZ/Release+Management+Guide+for+OFBiz -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11051) Have a TimeEntryFact entity
[ https://issues.apache.org/jira/browse/OFBIZ-11051?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pierre Smits updated OFBIZ-11051: - Description: Every organisation that has the requirement that its staff does time registrations, will benefit from Business Intelligence on time registrations. As OFBiz has such functionality (whether that is through the Project component, the Scrum component, or otherwise) in play. was: Every organisation that engages in or has the requirement that its staff does time registrations, will profit from Business Intelligence on time registrations. As OFBiz has such functionality (whether that is through the Project component, the Scrum component, or otherwise) in play. > Have a TimeEntryFact entity > --- > > Key: OFBIZ-11051 > URL: https://issues.apache.org/jira/browse/OFBIZ-11051 > Project: OFBiz > Issue Type: Improvement > Components: bi >Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 >Reporter: Pierre Smits >Assignee: Pierre Smits >Priority: Major > Labels: Fact, TimeEntry, TimeEntryFact, birt, dwh, timesheet > > Every organisation that has the requirement that its staff does time > registrations, will benefit from Business Intelligence on time registrations. > As OFBiz has such functionality (whether that is through the Project > component, the Scrum component, or otherwise) in play. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11051) Have a TimeEntryFact entity
[ https://issues.apache.org/jira/browse/OFBIZ-11051?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pierre Smits updated OFBIZ-11051: - Description: Every organisation that engages in or has the requirement that its staff does time registrations, will profit from Business Intelligence on time registrations. As OFBiz has such functionality (whether that is through the Project component, the Scrum component, or otherwise) in play. was:Have a TimeEntryFact entity > Have a TimeEntryFact entity > --- > > Key: OFBIZ-11051 > URL: https://issues.apache.org/jira/browse/OFBIZ-11051 > Project: OFBiz > Issue Type: Improvement > Components: bi >Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 >Reporter: Pierre Smits >Assignee: Pierre Smits >Priority: Major > Labels: Fact, TimeEntry, TimeEntryFact, birt, dwh, timesheet > > Every organisation that engages in or has the requirement that its staff does > time registrations, will profit from Business Intelligence on time > registrations. > As OFBiz has such functionality (whether that is through the Project > component, the Scrum component, or otherwise) in play. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-11053) Have a service to load records in the TimeEntryFact entity
[ https://issues.apache.org/jira/browse/OFBIZ-11053?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Pierre Smits updated OFBIZ-11053: - Labels: Fact TimeEntry TimeEntryFact birt dwh service timesheet (was: Fact TimeEntry TimeEntryFact birt dimension dwh service timesheet) > Have a service to load records in the TimeEntryFact entity > -- > > Key: OFBIZ-11053 > URL: https://issues.apache.org/jira/browse/OFBIZ-11053 > Project: OFBiz > Issue Type: Improvement > Components: bi >Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 >Reporter: Pierre Smits >Assignee: Pierre Smits >Priority: Major > Labels: Fact, TimeEntry, TimeEntryFact, birt, dwh, service, > timesheet > > Have a service that populates the TimeEntryFact entity. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (OFBIZ-10978) Unable to find any product in Quick Add functionality
[ https://issues.apache.org/jira/browse/OFBIZ-10978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Suraj Khurana updated OFBIZ-10978: -- Sprint: OFBiz Community Day (May 2019) > Unable to find any product in Quick Add functionality > - > > Key: OFBIZ-10978 > URL: https://issues.apache.org/jira/browse/OFBIZ-10978 > Project: OFBiz > Issue Type: Bug > Components: ecommerce >Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12 >Reporter: Padmavati Rawat >Assignee: Suraj Khurana >Priority: Major > Attachments: OFBIZ-10978.patch, Quikadd.png > > > Steps: > 1. Visit the e-commerce page of the trunk. > 2. Open Quick Add menu from navbar section. > https://demo-trunk.ofbiz.apache.org/ecommerce/control/quickadd > 3. Check the Product list on the screen. > Actual: > Quick Add screen rendering an error "Error: Product not found" on the screen. > Not able to find any option to Quick Add. > Please, refer screenshot: -- This message was sent by Atlassian JIRA (v7.6.3#76005)