[jira] [Closed] (OFBIZ-12059) Synchronize wiki page End User Documentation
[ https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Heintz closed OFBIZ-12059.
--
Resolution: Fixed

> Synchronize wiki page End User Documentation
>
> Key: OFBIZ-12059
> URL: https://issues.apache.org/jira/browse/OFBIZ-12059
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: Trunk
> Reporter: Olivier Heintz
> Assignee: Olivier Heintz
> Priority: Major
>
> Synchronize this page with User-manual (in asciidoc format)
> check that all information in this page is in an asciidoc file
> If necessary update asciidoc files

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Commented] (OFBIZ-12059) Synchronize wiki page End User Documentation
[ https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232861#comment-17232861 ]

ASF subversion and git services commented on OFBIZ-12059:
-

Commit cf28c487ba4e9949bb97197af01303c056c6907c in ofbiz-plugins's branch refs/heads/trunk from Olivier Heintz
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=cf28c48 ]

Documented: Synchronize wiki page End User Documentation (OFBIZ-12059)

- Add assetm.adoc with only overview for plugin assetmaint
- Completed projectmgr overview

> Synchronize wiki page End User Documentation
>
> Key: OFBIZ-12059
> URL: https://issues.apache.org/jira/browse/OFBIZ-12059
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: Trunk
> Reporter: Olivier Heintz
> Assignee: Olivier Heintz
> Priority: Major
>
> Synchronize this page with User-manual (in asciidoc format)
> check that all information in this page is in an asciidoc file
> If necessary update asciidoc files

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Commented] (OFBIZ-12059) Synchronize wiki page End User Documentation
[ https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232855#comment-17232855 ]

ASF subversion and git services commented on OFBIZ-12059:
-

Commit 98631771aa884ca573f8ad99b820dc8252024a11 in ofbiz-framework's branch refs/heads/trunk from Olivier Heintz
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9863177 ]

Documented: Synchronize wiki page End User Documentation (OFBIZ-12059)

- Add facility.adoc with only overview
- Correction for Content Management title
- in General glossary, add link to main components
- Complete Order management overview
- Add a short overview for Party
- Ordered applications in user-manual in alphabetic order

> Synchronize wiki page End User Documentation
>
> Key: OFBIZ-12059
> URL: https://issues.apache.org/jira/browse/OFBIZ-12059
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: Trunk
> Reporter: Olivier Heintz
> Assignee: Olivier Heintz
> Priority: Major
>
> Synchronize this page with User-manual (in asciidoc format)
> check that all information in this page is in an asciidoc file
> If necessary update asciidoc files

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Assigned] (OFBIZ-12059) Synchronize wiki page End User Documentation
[ https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Heintz reassigned OFBIZ-12059:
--
Assignee: Olivier Heintz

> Synchronize wiki page End User Documentation
>
> Key: OFBIZ-12059
> URL: https://issues.apache.org/jira/browse/OFBIZ-12059
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: Trunk
> Reporter: Olivier Heintz
> Assignee: Olivier Heintz
> Priority: Major
>
> Synchronize this page with User-manual (in asciidoc format)
> check that all information in this page is in an asciidoc file
> If necessary update asciidoc files

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Created] (OFBIZ-12059) Synchronize wiki page End User Documentation
Olivier Heintz created OFBIZ-12059:
--
Summary: Synchronize wiki page End User Documentation
Key: OFBIZ-12059
URL: https://issues.apache.org/jira/browse/OFBIZ-12059
Project: OFBiz
Issue Type: Sub-task
Affects Versions: Trunk
Reporter: Olivier Heintz

Synchronize this page with User-manual (in asciidoc format)
check that all information in this page is in an asciidoc file
If necessary update asciidoc files

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Created] (OFBIZ-12058) Migration/synchronization wiki - asciidoc for user-manual
Olivier Heintz created OFBIZ-12058:
--
Summary: Migration/synchronization wiki - asciidoc for user-manual
Key: OFBIZ-12058
URL: https://issues.apache.org/jira/browse/OFBIZ-12058
Project: OFBiz
Issue Type: Improvement
Affects Versions: Trunk
Reporter: Olivier Heintz

Umbrella task for all tasks which will check for a wiki page if its content exists in an asciidoc file or if its content is no longer relevant.

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Updated] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
[ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-12057:

Description:
Shuibo Ye reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.
{quote}
In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
{quote}
Note: this is a post-auth vuln., so we did not create a CVE

was:
Shuibo Ye reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.
{quote}
In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
{quote}

> Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
> --
>
> Key: OFBIZ-12057
> URL: https://issues.apache.org/jira/browse/OFBIZ-12057
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Shuibo Ye reported a possible arbitrary file write using
> webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and
> export the table to a file *one sentence at a time*.
> PoC: CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%=
> system.getProperty("user.dir") %>')
> call
> SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences, I successfully write the file and its url
> is https://localhost:8443/webtools/default.jsp.
> {quote}
> Note: this is a post-auth vuln., so we did not create a CVE

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Closed] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
[ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-12057.
---
Fix Version/s: 17.12.05
               18.12.01
Resolution: Fixed

> Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
> --
>
> Key: OFBIZ-12057
> URL: https://issues.apache.org/jira/browse/OFBIZ-12057
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 18.12.01, 17.12.05
>
> Shuibo Ye reported a possible arbitrary file write using
> webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and
> export the table to a file *one sentence at a time*.
> PoC: CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%=
> system.getProperty("user.dir") %>')
> call
> SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences, I successfully write the file and its url
> is https://localhost:8443/webtools/default.jsp.
> {quote}
> Note: this is a post-auth vuln., so we did not create a CVE

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Commented] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
[ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232745#comment-17232745 ]

ASF subversion and git services commented on OFBIZ-12057:
-

Commit f34a0d9ff584ff139b9d302ba46a6243138107c1 in ofbiz-framework's branch refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=f34a0d9 ]

Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)

Shuibo Ye reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.

In the "SQL Command" part, I create a table and insert some strings and export the table to a file one sentence at a time.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.

I fixed it preventing execution on SYSCS_UTIL.SYSCS_EXPORT_TABLE and JSP, more could be added if necessary

> Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
> --
>
> Key: OFBIZ-12057
> URL: https://issues.apache.org/jira/browse/OFBIZ-12057
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Shuibo Ye reported a possible arbitrary file write using
> webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and
> export the table to a file *one sentence at a time*.
> PoC: CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%=
> system.getProperty("user.dir") %>')
> call
> SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences, I successfully write the file and its url
> is https://localhost:8443/webtools/default.jsp.
> {quote}

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Commented] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
[ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232744#comment-17232744 ]

ASF subversion and git services commented on OFBIZ-12057:
-

Commit 792f45773fd062fe1f57f5b1af9da9e65637ec54 in ofbiz-framework's branch refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=792f457 ]

Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)

Shuibo Ye reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.

In the "SQL Command" part, I create a table and insert some strings and export the table to a file one sentence at a time.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.

I fixed it preventing execution on SYSCS_UTIL.SYSCS_EXPORT_TABLE and JSP, more could be added if necessary

> Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
> --
>
> Key: OFBIZ-12057
> URL: https://issues.apache.org/jira/browse/OFBIZ-12057
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Shuibo Ye reported a possible arbitrary file write using
> webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and
> export the table to a file *one sentence at a time*.
> PoC: CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%=
> system.getProperty("user.dir") %>')
> call
> SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences, I successfully write the file and its url
> is https://localhost:8443/webtools/default.jsp.
> {quote}

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Commented] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
[ https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232743#comment-17232743 ]

ASF subversion and git services commented on OFBIZ-12057:
-

Commit 28a6d4391a2c309f30b6320733fd9f9d8eb1711f in ofbiz-framework's branch refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=28a6d43 ]

Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. (OFBIZ-12057)

Shuibo Ye reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.

In the "SQL Command" part, I create a table and insert some strings and export the table to a file one sentence at a time.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.

I fixed it preventing execution on SYSCS_UTIL.SYSCS_EXPORT_TABLE and JSP, more could be added if necessary

> Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
> --
>
> Key: OFBIZ-12057
> URL: https://issues.apache.org/jira/browse/OFBIZ-12057
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Shuibo Ye reported a possible arbitrary file write using
> webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and
> export the table to a file *one sentence at a time*.
> PoC: CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%=
> system.getProperty("user.dir") %>')
> call
> SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences, I successfully write the file and its url
> is https://localhost:8443/webtools/default.jsp.
> {quote}

--
This message was sent by Atlassian Jira (v8.3.4#803005)

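The commit messages above describe the fix as refusing SQL commands that reference SYSCS_UTIL.SYSCS_EXPORT_TABLE or JSP. As an added illustration (not the code of the OFBiz commits; the class `SqlCommandGuard`, its methods and the sample statements are hypothetical, and blocking the whole `SYSCS_UTIL.` prefix is an assumption that goes beyond the page), a denylist check of that kind can look like this:

```java
import java.util.List;
import java.util.Locale;

/** Added illustration, not the OFBiz fix: hypothetical guard for an admin SQL console. */
public class SqlCommandGuard {

    // Markers taken from the commit message (export procedure, JSP content).
    // Blocking the whole SYSCS_UTIL. schema prefix is an assumption of this example.
    private static final List<String> BLOCKED = List.of("SYSCS_UTIL.", "<%", ".JSP");

    /** Upper-case the text and drop whitespace and double quotes before matching. */
    static String normalize(String sql) {
        return sql.toUpperCase(Locale.ROOT).replaceAll("[\\s\"]", "");
    }

    /** Returns the first blocked marker found in the command, or null if none. */
    static String firstBlockedMarker(String sql) {
        if (sql == null) {
            return null;
        }
        String normalized = normalize(sql);
        for (String marker : BLOCKED) {
            if (normalized.contains(marker)) {
                return marker;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs: one benign query plus the statement shapes from the report.
        String[] samples = {
            "SELECT PARTY_ID FROM PARTY",
            "CREATE TABLE \"test\" (string VARCHAR(80))",
            "INSERT INTO \"test\" (string) VALUES ('<%= placeholder %>')",
            "call syscs_util.syscs_export_table(null,'test','default.jsp',null,'*',null)"
        };
        for (String sql : samples) {
            String hit = firstBlockedMarker(sql);
            System.out.println((hit == null ? "ALLOW " : "BLOCK[" + hit + "] ") + sql);
        }
    }
}
```

A check on the SQL text only narrows the exposure, as the commit message's "more could be added if necessary" acknowledges, so access to the SQL processor still has to stay limited to trusted administrators.
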
[jira] [Created] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
Jacques Le Roux created OFBIZ-12057:
---
Summary: Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
Key: OFBIZ-12057
URL: https://issues.apache.org/jira/browse/OFBIZ-12057
Project: OFBiz
Issue Type: Sub-task
Components: framework/webtools
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux

Shuibo Ye reported a possible arbitrary file write using webtools/control/EntitySQLProcessor.
{quote}
In the "SQL Command" part, I create a table and insert some strings and export the table to a file *one sentence at a time*.
PoC: CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
After executing the three sentences, I successfully write the file and its url is https://localhost:8443/webtools/default.jsp.
{quote}

--
This message was sent by Atlassian Jira (v8.3.4#803005)

[jira] [Updated] (OFBIZ-10390) New documentation for EntitySync
[ https://issues.apache.org/jira/browse/OFBIZ-10390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Olivier Heintz updated OFBIZ-10390:
---
Labels: Documentation (was: )

> New documentation for EntitySync
>
> Key: OFBIZ-10390
> URL: https://issues.apache.org/jira/browse/OFBIZ-10390
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Minor
> Labels: Documentation
> Fix For: Upcoming Branch
>
> The [current EntitySync documentation in
> wiki|https://cwiki.apache.org/confluence/display/OFBIZ/Sync+Setup+Notes+and+Example]
> is POS oriented so somehow deprecated.
> I have recently worked on a project with EntitySync and collected as much
> information as possible. I also got David E. Jones's agreement to reuse the part
> on EntitySync in his 2006 "Apache OFBiz Advanced Framework - Training Video
> Transcription" document.
> So I'll create an Asciidoc file:
> framework/entityext/src/doc/asciidoc/EntitySync-manual.adoc and will fill it
> with all the available information I have.

--
This message was sent by Atlassian Jira (v8.3.4#803005)