[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-02-14 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17037272#comment-17037272
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

Yes, please do

> POC for CSRF Token
> --
>
> Key: OFBIZ-11306
> URL: https://issues.apache.org/jira/browse/OFBIZ-11306
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS
>Affects Versions: Upcoming Branch
>Reporter: James Yong
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: CSRF
> Fix For: Upcoming Branch
>
> Attachments: CsrfTokenAjaxTransform.java, CsrfTokenTransform.java, 
> CsrfUtil.java, OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-alternative.patch, OFBIZ-11306-alternative.patch, 
> OFBIZ-11306-v2.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306.patch, OFBIZ-11306.patch, OFBIZ-11306.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch, OFBIZ-11306_Plugins.patch, 
> OFBIZ-11306_Plugins.patch
>
>
> CSRF tokens are generated using SecureRandom class (maybe later a JWT with a 
> "time out"). 
> They are stored in the user sessions (for AJAX calls and unauthenticated HTTP 
> calls) or OFBiz UtilCache (for authenticated HTTP calls), and verified during 
> POST request.
> # In *controllers* a new csrf-token attribute is added to the security tag to 
> exempt or force CSRF token check. 
> # In *Widget Forms* a hidden token field is auto-generated.
> # In *FTL form* a CSRF token is passed through <@ofbizUrl> to automatise the 
> change. Using <@ofbizUrl> macro to generate the CSRF token means there is no 
> need to manually add the CSRF token field to each form in the ftl files. It 
> will save time for users doing custom implementation and maintenance.  While 
> there is CSRF token in the form URL, the token is invalidated during form 
> submission. So it's unique and harmless even though the CSRF token of the form 
> submission is shown in the browser address bar.
> # For *Ajax calls* an ajaxPrefilter function (observer on DOM ready) is added 
> through OfbizUtil.js (itself called at start in decorators and such)
> # The html metadata is storing the csrf token used by JQuery AJAX. This token 
> will not change to another value after it is consumed
> # Csrf tokens for the user are removed from the UtilCache when the user logs 
> out or the session is invalidated.
> The general rules are as follows:
> * RequestMap configured with 'get' method will be exempted from CSRF token 
> check.
> * RequestMap configured with 'post' or 'all' method will be subjected to CSRF 
> token check. (Note there are discussions that RequestMap with ‘all’ method 
> should also not be subjected to CSRF token check. This will be done after 
> ensuring a separate uri is used when posting changes.)
> * "main" request URIs are exempted from CSRF token check.
> * Setting csrf-token to false or true on the Request Map will override the 
> general rules above.
> To implement:
> * -Allow token map size to be configurable in properties.- OK that's done 
> locally
> To Discuss:
> * Invalidate authenticated user session when CSRF token check fails.
> * Configure the general rules in a Service method (which will be run inside 
> the constructor of RequestMap class) when determining the final 
> securityCsrfToken value.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
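
The general rules and the single-use token handling from the issue description above, as an added Java example (not the attached CsrfUtil.java or any OFBiz code). The class and method names, the per-session map keyed by request URI, and the fail-closed handling of unrecognised methods are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Added illustration: all names here are hypothetical, not OFBiz's own API.
public class CsrfRulesExample {

    private static final SecureRandom RANDOM = new SecureRandom();

    // sessionId -> (request URI -> token); stands in for the session / UtilCache
    // storage mentioned in the description (keying by URI is an assumption).
    private final Map<String, Map<String, String>> tokensBySession = new HashMap<>();

    // csrfTokenAttr is the request map's csrf-token setting: "true", "false",
    // or null when the attribute is not set.
    static boolean requiresToken(String requestUri, String method, String csrfTokenAttr) {
        if ("true".equals(csrfTokenAttr)) {
            return true;   // explicit setting overrides the general rules
        }
        if ("false".equals(csrfTokenAttr)) {
            return false;
        }
        if ("main".equals(requestUri)) {
            return false;  // "main" request URIs are exempt
        }
        // 'get' is exempt; 'post' and 'all' are checked. Anything else is also
        // checked here (fail closed), which is an assumption of this example.
        return !"get".equalsIgnoreCase(method);
    }

    // Generates a token with SecureRandom and remembers it for this session and URI.
    synchronized String issueToken(String sessionId, String requestUri) {
        byte[] raw = new byte[32];
        RANDOM.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokensBySession.computeIfAbsent(sessionId, k -> new HashMap<>()).put(requestUri, token);
        return token;
    }

    // Accepts a token once: a match removes it, so a replayed form URL fails.
    synchronized boolean verifyAndConsume(String sessionId, String requestUri, String presented) {
        Map<String, String> tokens = tokensBySession.get(sessionId);
        if (tokens == null || presented == null) {
            return false;
        }
        String expected = tokens.get(requestUri);
        if (expected == null) {
            return false;
        }
        // Comparison that does not stop at the first differing byte.
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            tokens.remove(requestUri);
        }
        return ok;
    }

    // Logout or session invalidation drops every token issued to that session.
    synchronized void clearSession(String sessionId) {
        tokensBySession.remove(sessionId);
    }

    public static void main(String[] args) {
        // Constructed request maps: { uri, method, csrf-token attribute }.
        String[][] requestMaps = {
            {"main", "all", null},
            {"ListProducts", "get", null},
            {"updateProduct", "post", null},
            {"legacyView", "all", "false"},
            {"exportData", "get", "true"},
        };
        for (String[] rm : requestMaps) {
            System.out.printf("%-14s method=%-4s csrf-token=%-5s -> check=%b%n",
                    rm[0], rm[1], rm[2], requiresToken(rm[0], rm[1], rm[2]));
        }

        CsrfRulesExample csrf = new CsrfRulesExample();
        String session = "session-A"; // constructed session id
        String token = csrf.issueToken(session, "updateProduct");
        System.out.println("forged token: " + csrf.verifyAndConsume(session, "updateProduct", "forged"));
        System.out.println("first submit: " + csrf.verifyAndConsume(session, "updateProduct", token));
        System.out.println("replay:       " + csrf.verifyAndConsume(session, "updateProduct", token));

        String second = csrf.issueToken(session, "updateProduct");
        csrf.clearSession(session); // user logs out
        System.out.println("after logout: " + csrf.verifyAndConsume(session, "updateProduct", second));
    }
}
```

A rejected token leaves the stored one in place here, so a forged request cannot invalidate the legitimate form; whether a failed check should instead invalidate the whole session is the open "To Discuss" item in the description.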


[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-02-14 Thread James Yong (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17037093#comment-17037093
 ] 

James Yong commented on OFBIZ-11306:


Hi Jacques,

Thanks. Will look into this tomorrow if you haven't.
{code:java}
if (search) {
    list = "$list?search=$search"
    main = "$main?search=$search"
} else if (forstatic) {
    list = "$list?forstatic=$forstatic"
    main = "$main?forstatic=$forstatic"
}
{code}



[jira] [Commented] (OFBIZ-11306) POC for CSRF Token

2020-02-14 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17037001#comment-17037001
 ] 

Jacques Le Roux commented on OFBIZ-11306:
-

Hi James,

Good news about getRequestUri: if you remember I added this change while trying 
to cope with the "REST" issue
{code:java}
if (1 < StringUtils.countMatches(path, "/")) {
    return pathInfo.get(0) + "/" + pathInfo.get(1);
} else {
    return pathInfo.get(0);
}
{code}
I mechanically added it again while working on the same. It turns out that it's 
no longer needed. My other changes are enough. So no problem with the test with 
this patch updated w/o this specific change:  [^OFBIZ-11306-alternative.patch] 

I'll now look at Entity Reference links and sequel.



[jira] [Updated] (OFBIZ-11306) POC for CSRF Token

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11306?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11306:

Attachment: OFBIZ-11306-alternative.patch



[jira] [Commented] (OFBIZ-11343) External Server Picture OK in product Catalog but not in eCommerce/econseo

2020-02-14 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036900#comment-17036900
 ] 

Jacques Le Roux commented on OFBIZ-11343:
-

Thanks for the feedback Jean-Yves

> External Server Picture OK in product Catalog but not in eCommerce/econseo
> --
>
> Key: OFBIZ-11343
> URL: https://issues.apache.org/jira/browse/OFBIZ-11343
> Project: OFBiz
>  Issue Type: Bug
>  Components: ecommerce
>Affects Versions: Trunk, 17.12.01, Release Branch 16.11, 16.11.07, 
> 16.11.08, Release Branch 17.12, Release Branch 18.12, 18.12.01
> Environment: Ofbiz : Version SVN At revision 1873844.
> Ubuntu 18.04.4 LTS (Virtual Machine)
> openjdk version "11.0.6" 2020-01-14
> OpenJDK Runtime Environment (build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1)
> OpenJDK 64-Bit Server VM (build 11.0.6+10-post-Ubuntu-1ubuntu118.04.1, mixed 
> mode, sharing)
>Reporter: Jean-Yves Landry
>Assignee: Michael Brohl
>Priority: Minor
>  Labels: images
> Attachments: Screen Shot 2020-02-12 at 09.12.29.png, Screen Shot 
> 2020-02-12 at 09.13.04.png, image-2020-02-10-01-12-27-323.png
>
>
> In Catalog, we can use a URL referring to a picture stored on a foreign WEB 
> Server and it seems to work just fine.
> EX:  product -> content -> Override simple field -> Small Image
> [http://192.168.202.246/bibb.png]
> !image-2020-02-10-01-12-27-323.png!
>  
> However, in "eCommerce" or "ecomseo", the picture does not display.
> Instead of a valid URL, the system references: 
> [https://192.168.202.246:8443/ecomseo/product/http%3A%2F%2F192.168.202.246%2Fbibb.png]
>  





[jira] [Commented] (OFBIZ-11343) External Server Picture OK in product Catalog but not in eCommerce/econseo

2020-02-14 Thread Jean-Yves Landry (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11343?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036882#comment-17036882
 ] 

Jean-Yves Landry commented on OFBIZ-11343:
--

I verified and I can use the functionality highlighted by Jacques.



[jira] [Closed] (OFBIZ-11343) External Server Picture OK in product Catalog but not in eCommerce/econseo

2020-02-14 Thread Jean-Yves Landry (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jean-Yves Landry closed OFBIZ-11343.

Resolution: Not A Problem



[jira] [Commented] (OFBIZ-11158) Enhance the Programmable Export feature for EntityQuery support

2020-02-14 Thread Nicolas Malin (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036849#comment-17036849
 ] 

Nicolas Malin commented on OFBIZ-11158:
---

Perhaps we can write for the example:
{code:java}
if (product) {
    recordValues << product
}
{code}

> Enhance the Programmable Export feature for EntityQuery support
> ---
>
> Key: OFBIZ-11158
> URL: https://issues.apache.org/jira/browse/OFBIZ-11158
> Project: OFBiz
>  Issue Type: Improvement
>  Components: framework/webtools
>Affects Versions: Trunk
>Reporter: Devanshu Vyas
>Assignee: Pawan Verma
>Priority: Minor
> Attachments: OFBIZ-11158.patch, OFBIZ-11158.patch
>
>
> I recently used the Programmable Export feature in Webtools application and I 
> thought that this feature can be extended to use the *EntityQuery* for data 
> fetching. Nowadays, EntityQuery usage to perform data fetching is increasing. 
> This will be a rather simple enhancement as the Groovy supports EntityQuery 
> internally. 
> Along with this, I also felt that the output of the feature should also be 
> available in *JSON* format.





[jira] [Commented] (OFBIZ-5426) mysql: ERROR 1071 (42000): Specified key was too long; max key length is 767 bytes

2020-02-14 Thread Pawan Verma (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-5426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036838#comment-17036838
 ] 

Pawan Verma commented on OFBIZ-5426:


[^OFBIZ-5426.patch]

Thanks, [~pgil] for the review. I've updated the patch.

[~pierresmits], Yes, I'll create a git PR soon.

> mysql: ERROR 1071 (42000): Specified key was too long; max key length is 767 
> bytes
> --
>
> Key: OFBIZ-5426
> URL: https://issues.apache.org/jira/browse/OFBIZ-5426
> Project: OFBiz
>  Issue Type: Bug
>  Components: framework
>Affects Versions: Trunk
>Reporter: Leon
>Assignee: Deepak Dixit
>Priority: Major
> Attachments: OFBIZ-5426.patch, OFBIZ-5426.patch, OFBIZ-5426.patch, 
> OFBIZ-5426.patch, OFBIZ-5426.patch
>
>
> Due to revision 1529838, the length of data type "email" was increased from 
> 254 to 320. But it makes OFBiz fail to create tables such as 
> "PRODUCT_PROMO_CODE_EMAIL", which includes an email field as its primary key.
> The database is mysql, innodb engine and utf8 charset. The error msg:
> ERROR 1071 (42000): Specified key was too long; max key length is 767 bytes.
> I suggest reverting the change of r1529838.





[jira] [Closed] (OFBIZ-11353) Temporarily comment out the "stream" request-map in commonext controller.xml for security reason

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-11353.
---
Fix Version/s: Release Branch 18.12
   Upcoming Branch
   17.12.01
 Assignee: Jacques Le Roux
   Resolution: Fixed

> Temporarily comment out the "stream" request-map in commonext controller.xml 
> for security reason
> 
>
> Key: OFBIZ-11353
> URL: https://issues.apache.org/jira/browse/OFBIZ-11353
> Project: OFBiz
>  Issue Type: Bug
>  Components: ALL COMPONENTS
>Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
> Fix For: 17.12.01, Upcoming Branch, Release Branch 18.12
>
>
> A vulnerability has been reported to the OFBiz security team.  To be able to 
> release the 17.12.01 version with this vulnerability fixed we need to 
> temporarily comment out the "stream" request-map in commonext controller. We 
> will later fix the specific issue to put back the functionalities allowed by 
> the "stream" request-map in commonext controller.





[jira] [Updated] (OFBIZ-5426) mysql: ERROR 1071 (42000): Specified key was too long; max key length is 767 bytes

2020-02-14 Thread Pawan Verma (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-5426?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Pawan Verma updated OFBIZ-5426:
---
Attachment: OFBIZ-5426.patch



[jira] [Commented] (OFBIZ-11348) Temporarily comment out the "stream" request-map in ecommerce controller for security reason

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036836#comment-17036836
 ] 

ASF subversion and git services commented on OFBIZ-11348:
-

Commit 8926d686c9769c331139b7165692fb38509efe81 in ofbiz-plugins's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=8926d68 ]

Improved: Temporarily comment out the "stream" request-map in ecommerce
controller for security reason
(OFBIZ-11348)

No functional change, simply amend the comment


> Temporarily comment out the "stream" request-map in ecommerce controller for 
> security reason
> 
>
> Key: OFBIZ-11348
> URL: https://issues.apache.org/jira/browse/OFBIZ-11348
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce
>Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 
> 18.12
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Blocker
> Fix For: 17.12.01, Upcoming Branch, Release Branch 18.12
>
>
> A vulnerability has been reported to the OFBiz security team. To be able to 
> release the 17.12.01 version with this vulnerability fixed we need to 
> temporarily comment out the "stream" request-map in ecommerce controller. We 
> will later fix the specific issue in ecommerce to put back the 
> functionalities allowed by the "stream" request-map in ecommerce controller.





[jira] [Commented] (OFBIZ-11348) Temporarily comment out the "stream" request-map in ecommerce controller for security reason

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036835#comment-17036835
 ] 

ASF subversion and git services commented on OFBIZ-11348:
-

Commit 6e7f6a44954630bd4d204e736629adbb84996e49 in ofbiz-plugins's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=6e7f6a4 ]

Improved: Temporarily comment out the "stream" request-map in ecommerce
controller for security reason
(OFBIZ-11348)

No functional change, simply amend the comment




[jira] [Commented] (OFBIZ-11348) Temporarily comment out the "stream" request-map in ecommerce controller for security reason

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11348?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036837#comment-17036837
 ] 

ASF subversion and git services commented on OFBIZ-11348:
-

Commit c004c8f00bb5ed5f5e16a9c0470cf177e53fe6ff in ofbiz-plugins's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=c004c8f ]

Improved: Temporarily comment out the "stream" request-map in ecommerce
controller for security reason
(OFBIZ-11348)

No functional change, simply amend the comment




[jira] [Commented] (OFBIZ-11353) Temporarily comment out the "stream" request-map in commonext controller.xml for security reason

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036826#comment-17036826
 ] 

ASF subversion and git services commented on OFBIZ-11353:
-

Commit b874a11103e686c6adce6a696862e21da11a21bd in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b874a11 ]

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349


> Temporarily comment out the "stream" request-map in commonext controller.xml 
> for security reason
> 
>
> Key: OFBIZ-11353
> URL: https://issues.apache.org/jira/browse/OFBIZ-11353
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Blocker
>
> A vulnerability has been reported to the OFBiz security team. To be able to
> release the 17.12.01 version with this vulnerability fixed we need to
> temporarily comment out the "stream" request-map in commonext controller. We
> will later fix the specific issue to put back the functionalities allowed by
> the "stream" request-map in commonext controller.





[jira] [Commented] (OFBIZ-11353) Temporarily comment out the "stream" request-map in commonext controller.xml for security reason

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036828#comment-17036828
 ] 

ASF subversion and git services commented on OFBIZ-11353:
-

Commit 9db0d8f2fb2846bf218c55fb6e1e02a8730789bb in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9db0d8f ]

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349


> Temporarily comment out the "stream" request-map in commonext controller.xml 
> for security reason
> 
>
> Key: OFBIZ-11353
> URL: https://issues.apache.org/jira/browse/OFBIZ-11353
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Blocker
>
> A vulnerability has been reported to the OFBiz security team. To be able to
> release the 17.12.01 version with this vulnerability fixed we need to
> temporarily comment out the "stream" request-map in commonext controller. We
> will later fix the specific issue to put back the functionalities allowed by
> the "stream" request-map in commonext controller.





[jira] [Commented] (OFBIZ-11349) Put back the "stream" request-map in ecommerce and commonext controllers

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036827#comment-17036827
 ] 

ASF subversion and git services commented on OFBIZ-11349:
-

Commit b874a11103e686c6adce6a696862e21da11a21bd in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b874a11 ]

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349


> Put back the "stream" request-map in ecommerce and commonext  controllers
> -
>
> Key: OFBIZ-11349
> URL: https://issues.apache.org/jira/browse/OFBIZ-11349
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Major
>
> For security reason the "stream" request-map in ecommerce and commonext
> controllers have been temporarily commented out.
> This issue is to fix the specific issue to put back the functionalities allowed
> by the "stream" request-map in ecommerce and commonext controller.





[jira] [Commented] (OFBIZ-11353) Temporarily comment out the "stream" request-map in commonext controller.xml for security reason

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11353?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036824#comment-17036824
 ] 

ASF subversion and git services commented on OFBIZ-11353:
-

Commit 5684b4945362d47841e55c9f8d9abeb806a94f87 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=5684b49 ]

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349


> Temporarily comment out the "stream" request-map in commonext controller.xml 
> for security reason
> 
>
> Key: OFBIZ-11353
> URL: https://issues.apache.org/jira/browse/OFBIZ-11353
> Project: OFBiz
> Issue Type: Bug
> Components: ALL COMPONENTS
> Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Blocker
>
> A vulnerability has been reported to the OFBiz security team. To be able to
> release the 17.12.01 version with this vulnerability fixed we need to
> temporarily comment out the "stream" request-map in commonext controller. We
> will later fix the specific issue to put back the functionalities allowed by
> the "stream" request-map in commonext controller.





[jira] [Commented] (OFBIZ-11349) Put back the "stream" request-map in ecommerce and commonext controllers

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036825#comment-17036825
 ] 

ASF subversion and git services commented on OFBIZ-11349:
-

Commit 5684b4945362d47841e55c9f8d9abeb806a94f87 in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=5684b49 ]

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349


> Put back the "stream" request-map in ecommerce and commonext  controllers
> -
>
> Key: OFBIZ-11349
> URL: https://issues.apache.org/jira/browse/OFBIZ-11349
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Major
>
> For security reason the "stream" request-map in ecommerce and commonext
> controllers have been temporarily commented out.
> This issue is to fix the specific issue to put back the functionalities allowed
> by the "stream" request-map in ecommerce and commonext controller.





[jira] [Commented] (OFBIZ-11349) Put back the "stream" request-map in ecommerce and commonext controllers

2020-02-14 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17036829#comment-17036829
 ] 

ASF subversion and git services commented on OFBIZ-11349:
-

Commit 9db0d8f2fb2846bf218c55fb6e1e02a8730789bb in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9db0d8f ]

Fixed: Temporarily comment out the "stream" request-map in ecommerce controller
for security reason
(OFBIZ-11353)

A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller.
We will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in this controller, see OFBIZ-11349


> Put back the "stream" request-map in ecommerce and commonext  controllers
> -
>
> Key: OFBIZ-11349
> URL: https://issues.apache.org/jira/browse/OFBIZ-11349
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Major
>
> For security reason the "stream" request-map in ecommerce and commonext
> controllers have been temporarily commented out.
> This issue is to fix the specific issue to put back the functionalities allowed
> by the "stream" request-map in ecommerce and commonext controller.





[jira] [Updated] (OFBIZ-11348) Temporarily comment out the "stream" request-map in ecommerce controller for security reason

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11348?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11348:

Description: A vulnerability has been reported to the OFBiz security team.
To be able to release the 17.12.01 version with this vulnerability fixed we
need to temporarily comment out the "stream" request-map in ecommerce
controller. We will later fix the specific issue in ecommerce to put back the
functionalities allowed by the "stream" request-map in ecommerce controller.
(was: A vulnerability has been reported to the OFBiz security team. We were
able to quickly and quietly fix it in supported versions, but in the ecommerce
component. To be able to release the 17.12.01 version with this vulnerability
fixed we need to temporarily comment out the "stream" request-map in ecommerce
controller. We will later fix the specific issue in ecommerce to put back the
functionalities allowed by the "stream" request-map in ecommerce controller.)

> Temporarily comment out the "stream" request-map in ecommerce controller for 
> security reason
> 
>
> Key: OFBIZ-11348
> URL: https://issues.apache.org/jira/browse/OFBIZ-11348
> Project: OFBiz
> Issue Type: Sub-task
> Components: ecommerce
> Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Blocker
> Fix For: 17.12.01, Upcoming Branch, Release Branch 18.12
>
>
> A vulnerability has been reported to the OFBiz security team. To be able to
> release the 17.12.01 version with this vulnerability fixed we need to
> temporarily comment out the "stream" request-map in ecommerce controller. We
> will later fix the specific issue in ecommerce to put back the
> functionalities allowed by the "stream" request-map in ecommerce controller.





[jira] [Updated] (OFBIZ-11349) Put back the "stream" request-map in ecommerce and commonext controllers

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11349:

Description: 
For security reason the "stream" request-map in ecommerce and commonext
controllers have been temporarily commented out.

This issue is to fix the specific issue to put back the functionalities allowed
by the "stream" request-map in ecommerce controller.

  was:
For security reason the "stream" request-map in ecommerce controller has been
temporarily commented out.

This issue is to fix the specific issue in ecommerce to put back the
functionalities allowed by the "stream" request-map in ecommerce controller.


> Put back the "stream" request-map in ecommerce and commonext  controllers
> -
>
> Key: OFBIZ-11349
> URL: https://issues.apache.org/jira/browse/OFBIZ-11349
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Major
>
> For security reason the "stream" request-map in ecommerce and commonext
> controllers have been temporarily commented out.
> This issue is to fix the specific issue to put back the functionalities allowed
> by the "stream" request-map in ecommerce controller.





[jira] [Updated] (OFBIZ-11349) Put back the "stream" request-map in ecommerce and commonext controllers

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11349:

Description: 
For security reason the "stream" request-map in ecommerce and commonext
controllers have been temporarily commented out.

This issue is to fix the specific issue to put back the functionalities allowed
by the "stream" request-map in ecommerce and commonext controller.

  was:
For security reason the "stream" request-map in ecommerce and commonext
controllers have been temporarily commented out.

This issue is to fix the specific issue to put back the functionalities allowed
by the "stream" request-map in ecommerce controller.


> Put back the "stream" request-map in ecommerce and commonext  controllers
> -
>
> Key: OFBIZ-11349
> URL: https://issues.apache.org/jira/browse/OFBIZ-11349
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Major
>
> For security reason the "stream" request-map in ecommerce and commonext
> controllers have been temporarily commented out.
> This issue is to fix the specific issue to put back the functionalities allowed
> by the "stream" request-map in ecommerce and commonext controller.





[jira] [Updated] (OFBIZ-11349) Put back the "stream" request-map in ecommerce and commonext controllers

2020-02-14 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-11349:

Summary: Put back the "stream" request-map in ecommerce and commonext  
controllers  (was: Put back the "stream" request-map in ecommerce controller)

> Put back the "stream" request-map in ecommerce and commonext  controllers
> -
>
> Key: OFBIZ-11349
> URL: https://issues.apache.org/jira/browse/OFBIZ-11349
> Project: OFBiz
> Issue Type: Bug
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Priority: Major
>
> For security reason the "stream" request-map in ecommerce controller has been
> temporarily commented out.
> This issue is to fix the specific issue in ecommerce to put back the
> functionalities allowed by the "stream" request-map in ecommerce controller.





[jira] [Created] (OFBIZ-11353) Temporarily comment out the "stream" request-map in commonext controller.xml for security reason

2020-02-14 Thread Jacques Le Roux (Jira)
Jacques Le Roux created OFBIZ-11353:
---

 Summary: Temporarily comment out the "stream" request-map in 
commonext controller.xml for security reason
 Key: OFBIZ-11353
 URL: https://issues.apache.org/jira/browse/OFBIZ-11353
 Project: OFBiz
  Issue Type: Bug
  Components: ALL COMPONENTS
Affects Versions: Upcoming Branch, Release Branch 17.12, Release Branch 
18.12
Reporter: Jacques Le Roux


A vulnerability has been reported to the OFBiz security team. To be able to
release the 17.12.01 version with this vulnerability fixed we need to
temporarily comment out the "stream" request-map in commonext controller. We
will later fix the specific issue to put back the functionalities allowed by
the "stream" request-map in commonext controller.


