[jira] [Closed] (OFBIZ-12059) Synchronize wiki page End User Documentation

2020-11-16 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz closed OFBIZ-12059.
--
Resolution: Fixed

> Synchronize wiki page End User Documentation
> 
>
> Key: OFBIZ-12059
> URL: https://issues.apache.org/jira/browse/OFBIZ-12059
> Project: OFBiz
> Issue Type: Sub-task
> Affects Versions: Trunk
> Reporter: Olivier Heintz
> Assignee: Olivier Heintz
> Priority: Major
>
> Synchronize this page with User-manual (in asciidoc format)
> check that all information in this page is in an asciidoc file
> If necessary update asciidoc files
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (OFBIZ-12059) Synchronize wiki page End User Documentation

2020-11-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232861#comment-17232861
 ] 

ASF subversion and git services commented on OFBIZ-12059:
-

Commit cf28c487ba4e9949bb97197af01303c056c6907c in ofbiz-plugins's branch 
refs/heads/trunk from Olivier Heintz
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=cf28c48 ]

Documented: Synchronize wiki page End User Documentation (OFBIZ-12059)

- Add assetm.adoc with only overview for plugin assetmaint
- Completed projectmgr overview



[jira] [Commented] (OFBIZ-12059) Synchronize wiki page End User Documentation

2020-11-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232855#comment-17232855
 ] 

ASF subversion and git services commented on OFBIZ-12059:
-

Commit 98631771aa884ca573f8ad99b820dc8252024a11 in ofbiz-framework's branch 
refs/heads/trunk from Olivier Heintz
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=9863177 ]

Documented: Synchronize wiki page End User Documentation (OFBIZ-12059)

- Add facility.adoc with only overview
- Correction for Content Management title
- in General glossary, add link to main components
- Complete Order management overview
- Add a short overview for Party
- Ordered applications in user-manual in alphabetic order




[jira] [Assigned] (OFBIZ-12059) Synchronize wiki page End User Documentation

2020-11-16 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12059?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz reassigned OFBIZ-12059:
--

Assignee: Olivier Heintz



[jira] [Created] (OFBIZ-12059) Synchronize wiki page End User Documentation

2020-11-16 Thread Olivier Heintz (Jira)
Olivier Heintz created OFBIZ-12059:
--

 Summary: Synchronize wiki page End User Documentation
 Key: OFBIZ-12059
 URL: https://issues.apache.org/jira/browse/OFBIZ-12059
 Project: OFBiz
  Issue Type: Sub-task
Affects Versions: Trunk
Reporter: Olivier Heintz


Synchronize this page with User-manual (in asciidoc format)
check that all information in this page is in an asciidoc file
If necessary update asciidoc files

 





[jira] [Created] (OFBIZ-12058) Migration/synchronization wiki - asciidoc for user-manual

2020-11-16 Thread Olivier Heintz (Jira)
Olivier Heintz created OFBIZ-12058:
--

 Summary: Migration/synchronization wiki - asciidoc for user-manual
 Key: OFBIZ-12058
 URL: https://issues.apache.org/jira/browse/OFBIZ-12058
 Project: OFBiz
  Issue Type: Improvement
Affects Versions: Trunk
Reporter: Olivier Heintz


Umbrella task for

All tasks which will check, for a wiki page, if its content exists in an asciidoc 
file or if its content is no longer relevant.





[jira] [Updated] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.

2020-11-16 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-12057:

Description: 
Shuibo Ye reported a possible arbitrary file write using 
webtools/control/EntitySQLProcessor.

{quote}
In the "SQL Command" part, I create a table and insert some strings and export 
the table to a file *one sentence at a time*.
PoC:
CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences, I successfully write the file and its url 
is https://localhost:8443/webtools/default.jsp.
{quote}

Note: this is a post-auth vuln., so we did not create a CVE

  was:
Shuibo Ye reported a possible arbitrary file write using 
webtools/control/EntitySQLProcessor.

{quote}
In the "SQL Command" part, I create a table and insert some strings and export 
the table to a file *one sentence at a time*.
PoC:
CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences, I successfully write the file and its url 
is https://localhost:8443/webtools/default.jsp.
{quote}


> Prevent arbitrary file write using webtools/control/EntitySQLProcessor.
> --
>
> Key: OFBIZ-12057
> URL: https://issues.apache.org/jira/browse/OFBIZ-12057
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework/webtools
> Affects Versions: Trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
>
> Shuibo Ye reported a possible arbitrary file write using 
> webtools/control/EntitySQLProcessor.
> {quote}
> In the "SQL Command" part, I create a table and insert some strings and 
> export the table to a file *one sentence at a time*.
> PoC:
> CREATE TABLE "test" (string VARCHAR(80))
> INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
> call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)
> After executing the three sentences, I successfully write the file and its url 
> is https://localhost:8443/webtools/default.jsp.
> {quote}
> Note: this is a post-auth vuln., so we did not create a CVE





[jira] [Closed] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.

2020-11-16 Thread Jacques Le Roux (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux closed OFBIZ-12057.
---
Fix Version/s: 17.12.05
   18.12.01
   Resolution: Fixed



[jira] [Commented] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.

2020-11-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232745#comment-17232745
 ] 

ASF subversion and git services commented on OFBIZ-12057:
-

Commit f34a0d9ff584ff139b9d302ba46a6243138107c1 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=f34a0d9 ]

Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. 
(OFBIZ-12057)

Shuibo Ye reported a possible arbitrary file write using
webtools/control/EntitySQLProcessor.

In the "SQL Command" part, I create a table and insert some strings and
export the table to a file one sentence at a time.
PoC:
CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences, I successfully write the file and its url
is https://localhost:8443/webtools/default.jsp.

I fixed it by preventing execution on SYSCS_UTIL.SYSCS_EXPORT_TABLE and JSP; more
could be added if necessary


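
An added illustration of the kind of check the commit message above describes, rejecting a SQL command that names the Derby export procedure or carries JSP markers; it is not the code from the commit and not OFBiz's own implementation. The class name `SqlCommandGuard`, the denied tokens other than SYSCS_EXPORT_TABLE and JSP, and the normalisation step are assumptions; the sample statements are the three from the report plus one constructed harmless query.

```java
import java.util.List;
import java.util.Locale;
import java.util.Optional;

/** Hypothetical deny-list guard for an admin "SQL Command" form. */
public final class SqlCommandGuard {

    // Assumption: "SYSCS_EXPORT_" covers SYSCS_EXPORT_TABLE (named on this page)
    // and Derby's other export procedures; SYSCS_BACKUP_DATABASE also writes to a
    // caller-chosen path. The JSP markers mirror the "and JSP" part of the fix.
    private static final List<String> DENIED = List.of(
            "SYSCS_EXPORT_", "SYSCS_BACKUP_DATABASE", "<%", "%>", ".JSP");

    /**
     * Upper-case the statement and drop whitespace and double quotes, so the
     * match does not depend on case, spacing or delimited-identifier quoting.
     */
    static String normalize(String sql) {
        return sql.toUpperCase(Locale.ROOT).replaceAll("[\\s\"]", "");
    }

    /** Returns the first denied token found in the statement, if any. */
    static Optional<String> firstDenied(String sql) {
        if (sql == null) {
            return Optional.empty();
        }
        String normalized = normalize(sql);
        return DENIED.stream().filter(normalized::contains).findFirst();
    }

    public static void main(String[] args) {
        String[] statements = {
            // The three statements quoted in the report on this page.
            "CREATE TABLE \"test\" (string VARCHAR(80))",
            "INSERT INTO \"test\" (string) VALUES "
                + "('<%= system.getProperty(\"user.dir\") %>')",
            "call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test',"
                + "'.\\framework\\webtools\\webapp\\webtools\\default.jsp',"
                + "null,'*',null)",
            // Constructed harmless query, to show what still passes.
            "SELECT * FROM \"test\""
        };
        for (String statement : statements) {
            String verdict = firstDenied(statement)
                    .map(token -> "REJECT (" + token + ")")
                    .orElse("allow");
            System.out.println(verdict + "  <-  " + statement);
        }
    }
}
```

The CREATE TABLE and SELECT statements are allowed, the INSERT is rejected on the JSP marker and the call on the export procedure. A list like this only covers the tokens in it, which is why the commit message leaves room for more entries.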


[jira] [Commented] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.

2020-11-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232744#comment-17232744
 ] 

ASF subversion and git services commented on OFBIZ-12057:
-

Commit 792f45773fd062fe1f57f5b1af9da9e65637ec54 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=792f457 ]

Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. 
(OFBIZ-12057)



[jira] [Commented] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.

2020-11-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12057?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17232743#comment-17232743
 ] 

ASF subversion and git services commented on OFBIZ-12057:
-

Commit 28a6d4391a2c309f30b6320733fd9f9d8eb1711f in ofbiz-framework's branch 
refs/heads/release17.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=28a6d43 ]

Fixed: Prevent arbitrary file write using webtools/control/EntitySQLProcessor. 
(OFBIZ-12057)



[jira] [Created] (OFBIZ-12057) Prevent arbitrary file write using webtools/control/EntitySQLProcessor.

2020-11-16 Thread Jacques Le Roux (Jira)
Jacques Le Roux created OFBIZ-12057:
---

 Summary: Prevent arbitrary file write using 
webtools/control/EntitySQLProcessor.
 Key: OFBIZ-12057
 URL: https://issues.apache.org/jira/browse/OFBIZ-12057
 Project: OFBiz
  Issue Type: Sub-task
  Components: framework/webtools
Affects Versions: Trunk
Reporter: Jacques Le Roux
Assignee: Jacques Le Roux


Shuibo Ye reported a possible arbitrary file write using 
webtools/control/EntitySQLProcessor.

{quote}
In the "SQL Command" part, I create a table and insert some strings and export 
the table to a file *one sentence at a time*.
PoC:
CREATE TABLE "test" (string VARCHAR(80))
INSERT INTO "test" (string) VALUES ('<%= system.getProperty("user.dir") %>')
call SYSCS_UTIL.SYSCS_EXPORT_TABLE(null,'test','.\framework\webtools\webapp\webtools\default.jsp',null,'*',null)

After executing the three sentences, I successfully write the file and its url 
is https://localhost:8443/webtools/default.jsp.
{quote}





[jira] [Updated] (OFBIZ-10390) New documentation for EntitySync

2020-11-16 Thread Olivier Heintz (Jira)


 [ 
https://issues.apache.org/jira/browse/OFBIZ-10390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Olivier Heintz updated OFBIZ-10390:
---
Labels: Documentation  (was: )

> New documentation for EntitySync
> 
>
> Key: OFBIZ-10390
> URL: https://issues.apache.org/jira/browse/OFBIZ-10390
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: framework
>Affects Versions: Trunk
>Reporter: Jacques Le Roux
>Assignee: Jacques Le Roux
>Priority: Minor
>  Labels: Documentation
> Fix For: Upcoming Branch
>
>
> The [current EntitySync documentation in 
> wiki|https://cwiki.apache.org/confluence/display/OFBIZ/Sync+Setup+Notes+and+Example]
>  is POS oriented so somehow deprecated.
> I have recently worked on a project with EntitySync and collected as much 
> information as possible. I also got David E. Jones's agreement to reuse the part 
> on EntitySync in his 2006 "Apache OFBiz Advanced Framework -  Training Video 
> Transcription" document.
> So I'll create an Asciidoc file: 
> framework/entityext/src/doc/asciidoc/EntitySync-manual.adoc and will fill it 
> with all the available information I have.


