svn commit: r1866893 - in /ofbiz/branches/release16.11: ./ applications/accounting/widget/ar/InvoiceScreens.xml
Author: jleroux Date: Fri Sep 13 10:16:20 2019 New Revision: 1866893 URL: http://svn.apache.org/viewvc?rev=1866893=rev Log: "Applied fix from trunk framework for revision: 1866890" r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method (OFBIZ-11198) FindAPInvoices request does not suffer from this issue nor findInvoice request. This was due to definition Using something similar than fixes the issue Modified: ofbiz/branches/release16.11/ (props changed) ofbiz/branches/release16.11/applications/accounting/widget/ar/InvoiceScreens.xml Propchange: ofbiz/branches/release16.11/ -- --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Sep 13 10:16:20 2019 
@@ -10,6 +10,6 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273, 
1816289,1816291,1816297,1816369,1816373,1816461,1816635,1816795,1818101,1818269,1818273,1818402,1819122,1819136,1819144,1819811,1820823,1820949,1820966,1821012,1821036,1821613,1821965,1822310,1822377,1822383,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825233,1825262,1825444,1825450,1826374,1826592,1826671,1826805,1826938,1828255,1830936,1831234,1831608,1831831,1832577,1832662,1832756,1832944,1833211,1834181,1834191,1835235,1835871,1836144,1838032,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1845418,1845420,1845466,1845544,1845552,1846214,1846594,1846632,1847398,1848263,1848336,1848398,1848444,1848449,1849191,1849193,1849275,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850685,1850914,1850918,1850948,1851200,1851247,1851319,1851805,1851998,1852587,1852818,1853070,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,18566 17,1856667,1857088,1857099,1857180,1857213,1857392,1857617,1857692,1857813,1858141,1858250,1858275,1858312,1858319,1858432,1858444,1858523,1858539,1858933,1858965,1858980,1859012,1859033,1859255,1859263,1859543,1859571,1859576,1859691,1859704,1859796,1859807,1859871,1859877,1859882,1859893,1859968,1859981,1860082,1860141,1860274,1860357,1860526,1860592,1860613,1860797,1861615,1861837,1861859,1861869,1861904,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1864716,1864881,1865811,1865852,1865883,1866259,1866834 
+/ofbiz/ofbiz-framework/trunk:1783202,1783388,1784549,1784558,1784708,1785882,1785925,1786079,1786214,1786525,1787047,1787133,1787176,1787535,1787906-1787911,1787949,1789665,1789863,1789874,1790396,1790810,1791277,1791288,1791342,1791346,1791490,1791496,1791625,1791634,1791791,1791804,1792270,1792272,1792275,1792432,1792609,1792638,1793300,1794008,1794132,1796047,1796262,1797733,1798668,1798682,1798796,1798803,1798808,1799088,1799183,1799327,1799417,1799687,1799767,1799793,1799859,1800250,1800780,1800832,1800853,1801094,1801262-1801263,1801273-1801274,1801303,1801316,1801318-1801319,1801336,1801340,1801346,1801349-1801350,1801359,1801742,1802657,1802766,1803525,1804656,1804843,1804847,1804859,1805143,1805558,1805880,1806036,1806220,1806266,1806269,1806951,1807597,1807890,1808834,1809399,1809429,1809594,1809741,1810102,1811794,1812387,1813600,1813617,1813647,1813833,1814277,1814319,1814349,1814392,1814501,1814591,1814642,1814644,1814709,1814873,1814928,1814934,1815059,1816264,1816273,
svn commit: r1866891 - in /ofbiz/ofbiz-framework/branches/release18.12: ./ applications/accounting/widget/ar/InvoiceScreens.xml
Author: jleroux Date: Fri Sep 13 10:16:15 2019 New Revision: 1866891 URL: http://svn.apache.org/viewvc?rev=1866891=rev Log: "Applied fix from trunk for revision: 1866890" r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method (OFBIZ-11198) FindAPInvoices request does not suffer from this issue nor findInvoice request. This was due to definition Using something similar than fixes the issue Modified: ofbiz/ofbiz-framework/branches/release18.12/ (props changed) ofbiz/ofbiz-framework/branches/release18.12/applications/accounting/widget/ar/InvoiceScreens.xml Propchange: ofbiz/ofbiz-framework/branches/release18.12/ -- --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Sep 13 10:16:15 2019 
@@ -10,4 +10,4 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/ofbiz-framework/trunk:1849931,1850015,1850023,1850530,1850647,1850685,1850694,1850711,1850914,1850918,1850921,1850948,1850953,1851006,1851013,1851068,1851074,1851130,1851158,1851200,1851224,1851247,1851254,1851315,1851319,1851350,1851353,1851433,1851500,1851805,1851885,1851998,1852503,1852587,1852818,1852882,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1854683,1855078,1855083,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856212,1856405,1856455,1856459-1856460,1856484,1856598,1856610,1856613,1856617,1856667,1857088,1857099,1857152,1857154,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858092,1858180,1858250,1858256,1858275,1858319,1858347,1858432,1858444,1858483,1858523,1858539,1858965,1858980,1859033,1859055,1859087,1859255,1859263,1859268,1859543,1859571,1859576,1859691,1859694,1859698,1859704,1859708,1859735,1859796,1859800,1859807,1859871,1859877,1859882,1859909,1859911,1859915,1859931,1859968,1859972,1859981,1860082,1860141, 1860274,1860357,1860526,1860592,1860597,1860613,1860797,1861615,1861811,1861815,1861828,1861834,1861837,1861849,1861859,1861869,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1863560,1863838,1863965,1864216,1864716,1864721,1864881,1864891,1864930,1865103,1865344,1865347,1865367,1865370,1865811,1865820,1865852,1865883,1865891,1865924,1866259,1866519,1866834 
+/ofbiz/ofbiz-framework/trunk:1849931,1850015,1850023,1850530,1850647,1850685,1850694,1850711,1850914,1850918,1850921,1850948,1850953,1851006,1851013,1851068,1851074,1851130,1851158,1851200,1851224,1851247,1851254,1851315,1851319,1851350,1851353,1851433,1851500,1851805,1851885,1851998,1852503,1852587,1852818,1852882,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1854683,1855078,1855083,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856212,1856405,1856455,1856459-1856460,1856484,1856598,1856610,1856613,1856617,1856667,1857088,1857099,1857152,1857154,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858092,1858180,1858250,1858256,1858275,1858319,1858347,1858432,1858444,1858483,1858523,1858539,1858965,1858980,1859033,1859055,1859087,1859255,1859263,1859268,1859543,1859571,1859576,1859691,1859694,1859698,1859704,1859708,1859735,1859796,1859800,1859807,1859871,1859877,1859882,1859909,1859911,1859915,1859931,1859968,1859972,1859981,1860082,1860141, 1860274,1860357,1860526,1860592,1860597,1860613,1860797,1861615,1861811,1861815,1861828,1861834,1861837,1861849,1861859,1861869,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1863560,1863838,1863965,1864216,1864716,1864721,1864881,1864891,1864930,1865103,1865344,1865347,1865367,1865370,1865811,1865820,1865852,1865883,1865891,1865924,1866259,1866519,1866834,1866890 Modified: ofbiz/ofbiz-framework/branches/release18.12/applications/accounting/widget/ar/InvoiceScreens.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release18.12/applications/accounting/widget/ar/InvoiceScreens.xml?rev=1866891=1866890=1866891=diff == --- ofbiz/ofbiz-framework/branches/release18.12/applications/accounting/widget/ar/InvoiceScreens.xml (original) +++ ofbiz/ofbiz-framework/branches/release18.12/applications/accounting/widget/ar/InvoiceScreens.xml Fri Sep 13 10:16:15 2019 @@ -63,12 +63,7 @@ under the License. - - - - - - + @@ -85,9 +80,7 @@ under the License.
svn commit: r1866892 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ applications/accounting/widget/ar/InvoiceScreens.xml
Author: jleroux Date: Fri Sep 13 10:16:17 2019 New Revision: 1866892 URL: http://svn.apache.org/viewvc?rev=1866892=rev Log: "Applied fix from trunk for revision: 1866890" r1866890 | jleroux | 2019-09-13 12:15:03 +0200 (ven. 13 sept. 2019) | 8 lignes Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method (OFBIZ-11198) FindAPInvoices request does not suffer from this issue nor findInvoice request. This was due to definition Using something similar than fixes the issue Modified: ofbiz/ofbiz-framework/branches/release17.12/ (props changed) ofbiz/ofbiz-framework/branches/release17.12/applications/accounting/widget/ar/InvoiceScreens.xml Propchange: ofbiz/ofbiz-framework/branches/release17.12/ -- --- svn:mergeinfo (original) +++ svn:mergeinfo Fri Sep 13 10:16:17 2019 
@@ -10,4 +10,4 @@ /ofbiz/branches/json-integration-refactoring:1634077-1635900 /ofbiz/branches/multitenant20100310:921280-927264 /ofbiz/branches/release13.07:1547657 -/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1819947,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826780,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835871,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632,1847398,1847478,1847670, 
1847715,1847890,1848263,1848336,1848386,1848398,1848441,1848444,1848447,1848449,1848467,1848469,1848745,1848849-1848850,1849021,1849165,1849191,1849193,1849275,1849467,1849528,1849540,1849567,1849693,1850015,1850023,1850530,1850647,1850685,1850694,1850914,1850918,1850948,1850953,1851006,1851068,1851074,1851130,1851158,1851163,1851200,1851247,1851319,1851350,1851805,1851998,1852587,1852818,1853070,1853109,1853691,1853745,1853750,1854306,1854457,1855078,1855287,1855371,1855403,1855488,1855492,1855497,1855501,1855898,1856405,1856455,1856459-1856460,1856484,1856598,1856617,1856667,1857088,1857099,1857173,1857180,1857213,1857392,1857617,1857692,1857813,1858035,1858250,1858256,1858275,1858319,1858432,1858444,1858523,1858539,1858965,1858980,1859033,1859055,1859087,1859255,1859263,1859543,1859571,1859576,1859691,1859694,1859698,1859704,1859708,1859735,1859796,1859800,1859807,1859871,1859877,1859882,1859915,1859931,1859968,1859972,1859981,1860082,1860141,1860274,1860357,1860526,1860592,18606 13,1860797,1861615,1861837,1861849,1861859,1861869,1862045-1862046,1862207,1862271,1862278,1862466,1862648,1863560,1864716,1864721,1864881,1864891,1864930,1865344,1865347,1865367,1865370,1865811,1865852,1865883,1865891,1865924,1866259,1866834 
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1819947,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826780,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835871,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420,1845466,1845544,1845552,1845558,1845933,1845995,1846097,1846107,1846214,1846594,1846632,1847398,1847478,1847670,
svn commit: r1866890 - /ofbiz/ofbiz-framework/trunk/applications/accounting/widget/ar/InvoiceScreens.xml
Author: jleroux Date: Fri Sep 13 10:15:03 2019 New Revision: 1866890 URL: http://svn.apache.org/viewvc?rev=1866890=rev Log: Improved: FindArInvoices request needs performance improvement regarding use of EntityListIterator::hasNext method (OFBIZ-11198) FindAPInvoices request does not suffer from this issue nor findInvoice request. This was due to definition Using something similar than fixes the issue Modified: ofbiz/ofbiz-framework/trunk/applications/accounting/widget/ar/InvoiceScreens.xml Modified: ofbiz/ofbiz-framework/trunk/applications/accounting/widget/ar/InvoiceScreens.xml URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/accounting/widget/ar/InvoiceScreens.xml?rev=1866890=1866889=1866890=diff == --- ofbiz/ofbiz-framework/trunk/applications/accounting/widget/ar/InvoiceScreens.xml (original) +++ ofbiz/ofbiz-framework/trunk/applications/accounting/widget/ar/InvoiceScreens.xml Fri Sep 13 10:15:03 2019 @@ -63,12 +63,7 @@ under the License. - - - - - - + @@ -85,9 +80,7 @@ under the License. - - - +
buildbot success in on ofbizTrunkFramework
The Buildbot has detected a restored build on builder ofbizTrunkFramework while building . Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/1051 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build Build Source Stamp: [branch ofbiz/ofbiz-framework/trunk] 1866890 Blamelist: jleroux Build succeeded! Sincerely, -The Buildbot
svn propchange: r1850015 - svn:log
Author: jleroux Revision: 1850015 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:20:23 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:20:23 2019 @@ -1,6 +1,8 @@ Improved: Prepare the migration to XStream 1.5 (OFBIZ-10756) +Fixes CVE-2018-17200 + We currently use the UnsupportedClassConverter method in UtilXml class. When the 1.5 version of XStream will be available another way to handle this kind of things will be available and used by default. It's already possible to
svn propchange: r1850019 - svn:log
Author: jleroux Revision: 1850019 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:20:40 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:20:40 2019 @@ -1,6 +1,8 @@ Improved: Prepare the migration to XStream 1.5 (OFBIZ-10756) +Fixes CVE-2018-17200 + Updates XStream to 1.4.11.1 The previous version was not already supporting XStream::setupDefaultSecurity
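Review bot: The added "Fixes CVE-2018-17200" line in the r1850019 log does not say which of the two things described under it closes the issue: the update of XStream to 1.4.11.1, or the use of XStream::setupDefaultSecurity that the previous version did not support. The same line is also being added to the r1850015 log, so if both revisions are needed, say so here (for example "Fixes CVE-2018-17200, together with r1850015"), so that anyone backporting by revision number picks up the whole fix.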
svn propchange: r1850017 - svn:log
Author: jleroux Revision: 1850017 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:20:19 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:20:19 2019 @@ -5,6 +5,8 @@ r1850015 | jleroux | 2018-12-31 07:38:36 Improved: Prepare the migration to XStream 1.5 (OFBIZ-10756) +Fixes CVE-2018-17200 + We currently use the UnsupportedClassConverter method in UtilXml class. When the 1.5 version of XStream will be available another way to handle this kind of things will be available and used by default. It's already possible to
svn propchange: r1850016 - svn:log
Author: jleroux Revision: 1850016 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:21:22 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:21:22 2019 @@ -5,6 +5,8 @@ r1850015 | jleroux | 2018-12-31 07:38:36 Improved: Prepare the migration to XStream 1.5 (OFBIZ-10756) +Fixes CVE-2018-17200 + We currently use the UnsupportedClassConverter method in UtilXml class. When the 1.5 version of XStream will be available another way to handle this kind of things will be available and used by default. It's already possible to
svn propchange: r1850018 - svn:log
Author: jleroux Revision: 1850018 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:21:54 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:21:54 2019 @@ -5,6 +5,8 @@ r1850015 | jleroux | 2018-12-31 07:38:36 Improved: Prepare the migration to XStream 1.5 (OFBIZ-10756) +Fixes CVE-2018-17200 + We currently use the UnsupportedClassConverter method in UtilXml class. When the 1.5 version of XStream will be available another way to handle this kind of things will be available and used by default. It's already possible to
svn propchange: r1850648 - svn:log
Author: jleroux Revision: 1850648 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:24:43 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:24:43 2019 @@ -5,6 +5,8 @@ r1850647 | jleroux | 2019-01-07 15:46:50 Improved: Update Apache commons-fileupload to last version (OFBIZ-10770) +Fixes CVE-2019-0189 + This is an easy doing, we just need to add compile 'commons-fileupload:commons-fileupload:1.3-3'
svn propchange: r1850647 - svn:log
Author: jleroux Revision: 1850647 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:24:25 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:24:25 2019 @@ -1,6 +1,8 @@ Improved: Update Apache commons-fileupload to last version (OFBIZ-10770) +Fixes CVE-2019-0189 + This is an easy doing, we just need to add compile 'commons-fileupload:commons-fileupload:1.3-3'
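Review bot: The unchanged line under the added "Fixes CVE-2019-0189" gives the dependency as 'commons-fileupload:commons-fileupload:1.3-3', which is worth checking against the build file now that this log becomes the CVE reference for r1850647. If the version string in the build differs, correct it in this same propchange, because a reader mapping the CVE to a library version will take it from this line.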
svn propchange: r1850649 - svn:log
Author: jleroux Revision: 1850649 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:25:06 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:25:06 2019 @@ -5,6 +5,8 @@ r1850647 | jleroux | 2019-01-07 15:46:50 Improved: Update Apache commons-fileupload to last version (OFBIZ-10770) +Fixes CVE-2019-0189 + This is an easy doing, we just need to add compile 'commons-fileupload:commons-fileupload:1.3-3'
svn propchange: r1850640 - svn:log
Author: jleroux Revision: 1850640 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:25:36 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:25:36 2019 @@ -1,6 +1,8 @@ Improved: Update Apache commons-fileupload to last version (OFBIZ-10770) +Fixes CVE-2019-0189 + This is an easy doing, we just need to add compile 'commons-fileupload:commons-fileupload:1.3-3'
svn propchange: r1853745 - svn:log
Author: jleroux Revision: 1853745 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:27:59 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:27:59 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list I used was not complete. This adds "java.util.HashMap", "Boolean", "Number", "Integer" which are the ones missing I found so far.
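Review bot: The log text under the new "Fixes CVE-2019-0189" line lists the added white-list entries as "java.util.HashMap", "Boolean", "Number", "Integer", so only the first one is package-qualified. Record the fully qualified names that were actually added, or state that the short names are what the filter matches on, since for a deserialization white list the exact match rule is what someone auditing the CVE fix needs to see.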
svn propchange: r1855287 - svn:log
Author: jleroux Revision: 1855287 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:28:29 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:28:29 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Rohit at OFBIZ-10573 This adds FlexibleStringExpander
svn propchange: r1855492 - svn:log
Author: jleroux Revision: 1855492 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:29:05 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:29:05 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.util.Date
svn propchange: r1855488 - svn:log
Author: jleroux Revision: 1855488 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:28:53 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:28:53 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.sql.Timestamp
svn propchange: r1855371 - svn:log
Author: jleroux Revision: 1855371 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:28:42 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:28:42 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Deepak at OFBIZ-10837 This adds sun.util.calendar.ZoneInfo
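Review bot: "Fixes CVE-2019-0189" does not fit the r1855371 log, whose body says "This adds sun.util.calendar.ZoneInfo": the revision widens the set of classes accepted on deserialization, and the class is a JDK-internal sun.* type. Wording such as "Follow-up to the CVE-2019-0189 fix", plus a short remark on which serialized value requires this class, would describe the change more accurately.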
svn propchange: r1853691 - svn:log
Author: jleroux Revision: 1853691 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:27:42 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:27:42 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object
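Review bot: The body of the r1853691 log describes a naming clean-up reported by FindBugs and Sonar (an extending class reusing the name of the class it extends), which is not a fix on its own, yet the added line labels it "Fixes CVE-2019-0189". Prefer "Part of the fix for CVE-2019-0189" here and keep "Fixes" for the revision that introduces the white list, so that the CVE-to-revision mapping stays usable.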
svn propchange: r1857392 - svn:log
Author: jleroux Revision: 1857392 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:30:14 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:30:14 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Cleans and simplifies things in UtilObject.java and also handles patterns. That's what we missed most when needing to update.
svn propchange: r1856459 - svn:log
Author: jleroux Revision: 1856459 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:29:40 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:29:40 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + There was a recurring typo in previous commit. For arrays of primitives it should be "[Z","[B","[S","[I","[J","[F","[D","[C"
svn propchange: r1856460 - svn:log
Author: jleroux Revision: 1856460 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:29:51 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:29:51 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + There was a recurring typo in previous commit. For arrays of primitives it should be "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C"
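Review bot: The entries quoted in the r1856460 log are written with the bracket escaped ("\\[Z","\\[B", and so on), while the r1856459 log gives them unescaped as "[Z","[B". If the escaping means that white-list entries are evaluated as regular expressions, say so next to the new "Fixes CVE-2019-0189" line, because entries such as java.sql.Timestamp would then contain unescaped dots and match more than the literal class name.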
svn propchange: r1856484 - svn:log
Author: jleroux Revision: 1856484 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:30:03 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:30:03 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds org.apache.ofbiz.widget.model.ModelTheme
svn propchange: r1856405 - svn:log
Author: jleroux Revision: 1856405 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:29:16 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:29:16 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.math.BigDecimal and "[B" (ie [B == byte[] and I don't understand
svn propchange: r1856455 - svn:log
Author: jleroux Revision: 1856455 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:29:27 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:29:27 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds all arrays of primitives and java.math.BigDecimal
svn propchange: r1855372 - svn:log
Author: jleroux Revision: 1855372 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:32:11 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:32:11 2019 @@ -5,6 +5,8 @@ r1855371 | jleroux | 2019-03-13 09:19:32 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Deepak at OFBIZ-10837 This adds sun.util.calendar.ZoneInfo
svn propchange: r1855288 - svn:log
Author: jleroux Revision: 1855288 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:32:00 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:32:00 2019 @@ -5,6 +5,8 @@ r1855287 | jleroux | 2019-03-12 09:29:37 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Rohit at OFBIZ-10573 This adds FlexibleStringExpander
svn propchange: r1855489 - svn:log
Author: jleroux Revision: 1855489 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:32:21 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:32:21 2019 @@ -5,6 +5,8 @@ r1855488 | jleroux | 2019-03-14 08:42:17 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.sql.Timestamp
svn propchange: r1866834 - svn:log
Author: jleroux Revision: 1866834 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:30:24 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:30:24 2019 @@ -1,6 +1,8 @@ Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property
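Review bot: "Fixes" is the wrong verb for the line added to the r1866834 log, since the text under it says the change "Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property". That is a configuration hook, and one that can loosen the deserialization filter as well as tighten it, so use "Related to CVE-2019-0189" and add a sentence saying that the property is security-sensitive.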
svn propchange: r1853746 - svn:log
Author: jleroux Revision: 1853746 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:31:05 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:31:05 2019 @@ -5,6 +5,8 @@ r1853745 | jleroux | 2019-02-17 13:38:06 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list I used was not complete. This adds "java.util.HashMap", "Boolean", "Number", "Integer" which are the ones missing I found so far.
svn propchange: r1853692 - svn:log
Author: jleroux Revision: 1853692 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:30:54 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:30:54 2019 @@ -5,6 +5,8 @@ r1853691 | jleroux | 2019-02-16 10:42:03 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object
svn propchange: r1866835 - svn:log
Author: jleroux Revision: 1866835 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:30:40 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:30:40 2019 @@ -5,6 +5,8 @@ r1866834 | jleroux | 2019-09-12 09:49:41 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property
svn propchange: r1856456 - svn:log
Author: jleroux Revision: 1856456 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:33:00 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:33:00 2019 @@ -5,6 +5,8 @@ r1856455 | jleroux | 2019-03-28 08:50:32 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds all arrays of primitives and java.math.BigDecimal
svn propchange: r1855493 - svn:log
Author: jleroux Revision: 1855493 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:32:39 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:32:39 2019 @@ -5,6 +5,8 @@ r1855492 | jleroux | 2019-03-14 09:28:27 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.util.Date
svn propchange: r1856461 - svn:log
Author: jleroux Revision: 1856461 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:33:11 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:33:11 2019 @@ -5,6 +5,8 @@ r1856460 | jleroux | 2019-03-28 09:30:21 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + There was a recurring typo in previous commit. For arrays of primitives it should be "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C"
svn propchange: r1856406 - svn:log
Author: jleroux Revision: 1856406 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:32:49 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:32:49 2019 @@ -5,6 +5,8 @@ r1856405 | jleroux | 2019-03-27 15:16:24 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.math.BigDecimal and "[B" (ie [B == byte[] and I don't understand
svn propchange: r1853694 - svn:log
Author: jleroux Revision: 1853694 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:33:52 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:33:52 2019 @@ -5,6 +5,8 @@ r1853691 | jleroux | 2019-02-16 10:42:03 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object
svn propchange: r1857393 - svn:log
Author: jleroux Revision: 1857393 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:33:32 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:33:32 2019 @@ -5,6 +5,8 @@ r1857392 | jleroux | 2019-04-12 11:29:03 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Cleans and simplifies things in UtilObject.java and also handles patterns. That's what we missed most when needing to update.
svn propchange: r1856485 - svn:log
Author: jleroux Revision: 1856485 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:33:23 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:33:23 2019 @@ -5,6 +5,8 @@ r1856484 | jleroux | 2019-03-28 16:36:13 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds org.apache.ofbiz.widget.model.ModelTheme
svn propchange: r1866835 - svn:log
Author: jleroux Revision: 1866835 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:33:42 2019 -- (empty)
svn propchange: r1853747 - svn:log
Author: jleroux Revision: 1853747 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:36:17 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:36:17 2019 @@ -5,6 +5,8 @@ r1853745 | jleroux | 2019-02-17 13:38:06 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list I used was not complete. This adds "java.util.HashMap", "Boolean", "Number", "Integer" which are the ones missing I found so far.
svn propchange: r1855289 - svn:log
Author: jleroux Revision: 1855289 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:36:28 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:36:28 2019 @@ -5,6 +5,8 @@ r1855287 | jleroux | 2019-03-12 09:29:37 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Rohit at OFBIZ-10573 This adds FlexibleStringExpander
svn propchange: r1855490 - svn:log
Author: jleroux Revision: 1855490 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:36:49 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:36:49 2019 @@ -5,6 +5,8 @@ r1855488 | jleroux | 2019-03-14 08:42:17 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.sql.Timestamp
svn propchange: r1855373 - svn:log
Author: jleroux Revision: 1855373 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:36:38 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:36:38 2019 @@ -5,6 +5,8 @@ r1855371 | jleroux | 2019-03-13 09:19:32 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Deepak at OFBIZ-10837 This adds sun.util.calendar.ZoneInfo
svn propchange: r1855494 - svn:log
Author: jleroux Revision: 1855494 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:37:00 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:37:00 2019 @@ -5,6 +5,8 @@ r1855492 | jleroux | 2019-03-14 09:28:27 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.util.Date
svn propchange: r1856407 - svn:log
Author: jleroux Revision: 1856407 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:37:10 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:37:10 2019 @@ -5,6 +5,8 @@ r1856405 | jleroux | 2019-03-27 15:16:24 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.math.BigDecimal and "[B" (ie [B == byte[] and I don't understand
svn propchange: r1855290 - svn:log
Author: jleroux Revision: 1855290 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:38:44 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:38:44 2019 @@ -5,6 +5,8 @@ r1855287 | jleroux | 2019-03-12 09:29:37 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Rohit at OFBIZ-10573 This adds FlexibleStringExpander @@ -13,4 +15,3 @@ Anyway I'll not change it. Thanks: Rohit Koushal -
svn propchange: r1853695 - svn:log
Author: jleroux Revision: 1853695 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:38:21 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:38:21 2019 @@ -5,6 +5,8 @@ r1853691 | jleroux | 2019-02-16 10:42:03 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + As reported by FindBugs and Sonar, it's troubling (a Bad practice in Sonar[1], a code smell in Findbugs[2]) when extending to use the same name than the extended Object @@ -12,4 +14,3 @@ extended Object [1] https://sbforge.org/sonar/rules/show/findbugs:NM_SAME_SIMPLE_NAME_AS_SUPERCLASS?layout=false [2] https://logging.apache.org/log4j/log4j-2.2/log4j-jul/findbugs.html -
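Review bot: the added `Fixes CVE-2019-0189` line in r1853695 sits above a body that only describes a naming cleanup prompted by FindBugs and Sonar (a subclass using the same name as the class it extends). A rename on its own does not close a vulnerability, so word this as "Part of the fix for CVE-2019-0189" or state which behavioural change in the revision is the fix. Otherwise someone backporting by CVE tag may treat this revision as sufficient by itself.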
svn propchange: r1853748 - svn:log
Author: jleroux Revision: 1853748 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:38:33 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:38:33 2019 @@ -5,10 +5,11 @@ r1853745 | jleroux | 2019-02-17 13:38:06 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list I used was not complete. This adds "java.util.HashMap", "Boolean", "Number", "Integer" which are the ones missing I found so far. Maybe other classes could still miss OOTB. So I added a warning in SafeObjectInputStream::resolveClass -
svn propchange: r1856457 - svn:log
Author: jleroux Revision: 1856457 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:37:21 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:37:21 2019 @@ -5,6 +5,8 @@ r1856455 | jleroux | 2019-03-28 08:50:32 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds all arrays of primitives and java.math.BigDecimal
svn propchange: r1856462 - svn:log
Author: jleroux Revision: 1856462 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:37:32 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:37:32 2019 @@ -5,6 +5,8 @@ r1856460 | jleroux | 2019-03-28 09:30:21 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + There was a recurring typo in previous commit. For arrays of primitives it should be "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C"
svn propchange: r1856486 - svn:log
Author: jleroux Revision: 1856486 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:37:44 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:37:44 2019 @@ -5,6 +5,8 @@ r1856484 | jleroux | 2019-03-28 16:36:13 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds org.apache.ofbiz.widget.model.ModelTheme
svn propchange: r1857394 - svn:log
Author: jleroux Revision: 1857394 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:37:56 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:37:56 2019 @@ -5,6 +5,8 @@ r1857392 | jleroux | 2019-04-12 11:29:03 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Cleans and simplifies things in UtilObject.java and also handles patterns. That's what we missed most when needing to update.
svn propchange: r1866836 - svn:log
Author: jleroux Revision: 1866836 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:38:07 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:38:07 2019 @@ -5,6 +5,8 @@ r1866834 | jleroux | 2019-09-12 09:49:41 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property
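Review bot: in r1866836 `Fixes CVE-2019-0189` is attached to a message whose only described change is letting users override the list of accepted objects through `listOfSafeObjectsForInputStream`. That is a configuration hook rather than a fix, and an override can widen the list as easily as narrow it. Reference the CVE as related work instead, and note in the log that every class added through the property is accepted by the stream.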
svn propchange: r1855374 - svn:log
Author: jleroux Revision: 1855374 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:39:55 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:39:55 2019 @@ -5,6 +5,8 @@ r1855371 | jleroux | 2019-03-13 09:19:32 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Deepak at OFBIZ-10837 This adds sun.util.calendar.ZoneInfo
svn propchange: r1855491 - svn:log
Author: jleroux Revision: 1855491 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:40:07 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:40:07 2019 @@ -5,6 +5,8 @@ r1855488 | jleroux | 2019-03-14 08:42:17 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.sql.Timestamp
svn propchange: r1856408 - svn:log
Author: jleroux Revision: 1856408 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:40:31 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:40:31 2019 @@ -5,6 +5,8 @@ r1856405 | jleroux | 2019-03-27 15:16:24 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.math.BigDecimal and "[B" (ie [B == byte[] and I don't understand @@ -15,4 +17,3 @@ Anyway I'll not change it. Thanks: Ingo Wolfmayr at OFBIZ-10870 -
svn propchange: r1856487 - svn:log
Author: jleroux Revision: 1856487 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:41:02 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:41:02 2019 @@ -5,6 +5,8 @@ r1856484 | jleroux | 2019-03-28 16:36:13 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds org.apache.ofbiz.widget.model.ModelTheme @@ -16,4 +18,3 @@ java.util.TimeZonz Thanks: Ed Mack at OFBIZ-10876 -
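Review bot: the unchanged context of the second hunk in r1856487 still reads `java.util.TimeZonz`, which looks like a misspelling of `java.util.TimeZone`. The log is being rewritten anyway to add the CVE reference, so correct the class name in the same propchange. As it stands, a history search for the allowlisted class will miss this revision.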
svn propchange: r1856463 - svn:log
Author: jleroux Revision: 1856463 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:40:52 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:40:52 2019 @@ -5,6 +5,8 @@ r1856460 | jleroux | 2019-03-28 09:30:21 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + There was a recurring typo in previous commit. For arrays of primitives it should be "\\[Z","\\[B","\\[S","\\[I","\\[J","\\[F","\\[D","\\[C" @@ -13,4 +15,3 @@ and not It shows how tired I'm :/ -
svn propchange: r1857395 - svn:log
Author: jleroux Revision: 1857395 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:41:12 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:41:12 2019 @@ -5,6 +5,8 @@ r1857392 | jleroux | 2019-04-12 11:29:03 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Cleans and simplifies things in UtilObject.java and also handles patterns. That's what we missed most when needing to update. @@ -17,4 +19,3 @@ Also includes work done in UtilObject.ja -
svn propchange: r1855495 - svn:log
Author: jleroux Revision: 1855495 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:40:20 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:40:20 2019 @@ -5,6 +5,8 @@ r1855492 | jleroux | 2019-03-14 09:28:27 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Wolfgang Rauchholz on user ML This adds java.util.Date @@ -14,4 +16,3 @@ Anyway I'll not change it. Thanks: Wolfgang Rauchholz -
svn propchange: r1856458 - svn:log
Author: jleroux Revision: 1856458 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:40:41 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:40:41 2019 @@ -5,9 +5,10 @@ r1856455 | jleroux | 2019-03-28 08:50:32 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + The white list was still not complete as reported by Ed Mack This adds all arrays of primitives and java.math.BigDecimal Thanks: Ed Mack at OFBIZ-10876 -
svn propchange: r1866837 - svn:log
Author: jleroux Revision: 1866837 Modified property: svn:log Modified: svn:log at Fri Sep 13 07:41:23 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 07:41:23 2019 @@ -5,10 +5,11 @@ r1866834 | jleroux | 2019-09-12 09:49:41 Improved: Improve ObjectInputStream class (OFBIZ-10837) +Fixes CVE-2019-0189 + Allows users to easily override the list of accepted objects by using the listOfSafeObjectsForInputStream property CVE-2019-0189 -
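Review bot: after this change the r1866837 message names the CVE twice: the new `Fixes CVE-2019-0189` line near the top, and the unchanged bare `CVE-2019-0189` that still closes the hunk. Drop the trailing bare identifier in the same propchange so the log carries a single reference in the same form as the other revisions.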
svn propchange: r1858533 - svn:log
Author: jleroux Revision: 1858533 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:06:19 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:06:19 2019 @@ -3,5 +3,6 @@ r1858523 | lektran | 2019-05-02 10:59:11 +0200 (jeu. 02 mai 2019) | 1 ligne Fixed: Ensure the story field in ordermgr's EditCustRequest form is html encoded (OFBIZ-11006) + +Fixes CVE-2019-10074 -
svn propchange: r1858532 - svn:log
Author: jleroux Revision: 1858532 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:07:16 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:07:16 2019 @@ -3,4 +3,6 @@ r1858523 | lektran | 2019-05-02 10:59:11 +0200 (jeu. 02 mai 2019) | 1 ligne Fixed: Ensure the story field in ordermgr's EditCustRequest form is html encoded (OFBIZ-11006) + +Fixes CVE-2019-10074
svn propchange: r1858531 - svn:log
Author: jleroux Revision: 1858531 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:07:01 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:07:01 2019 @@ -3,4 +3,6 @@ r1858523 | lektran | 2019-05-02 10:59:11 +0200 (jeu. 02 mai 2019) | 1 ligne Fixed: Ensure the story field in ordermgr's EditCustRequest form is html encoded (OFBIZ-11006) + +Fixes CVE-2019-10074
svn propchange: r1858523 - svn:log
Author: jleroux Revision: 1858523 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:06:41 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:06:41 2019 @@ -1 +1,3 @@ Fixed: Ensure the story field in ordermgr's EditCustRequest form is html encoded (OFBIZ-11006) + +Fixes CVE-2019-10074
svn propchange: r1858432 - svn:log
Author: jleroux Revision: 1858432 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:11:54 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:11:54 2019 @@ -1,3 +1,5 @@ [Fixed]: Added permission checks to three blog/forum services; improved the configuration for the "add article forum" form (the source tab is not needed in the ecommerce application). + +Fixes CVE-2019-10073
svn propchange: r1858436 - svn:log
Author: jleroux Revision: 1858436 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:13:28 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:13:28 2019 @@ -5,3 +5,4 @@ Applied fix from trunk for revision: 185 configuration for the "add article forum" form (the source tab is not needed in the ecommerce application). +Fixes CVE-2019-10073
svn propchange: r1858438 - svn:log
Author: jleroux Revision: 1858438 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:13:36 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:13:36 2019 @@ -5,3 +5,4 @@ Applied fix from trunk for revision: 185 configuration for the "add article forum" form (the source tab is not needed in the ecommerce application). +Fixes CVE-2019-10073
svn propchange: r1858437 - svn:log
Author: jleroux Revision: 1858437 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:18:23 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:18:23 2019 @@ -5,3 +5,4 @@ Applied fix from trunk for revision: 185 configuration for the "add article forum" form (the source tab is not needed in the ecommerce application). +Fixes CVE-2019-10073
svn propchange: r1858539 - svn:log
Author: jleroux Revision: 1858539 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:21:21 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:21:21 2019 @@ -2,3 +2,5 @@ Improved: Replaced permission-service wi perform permission checks in a way that is more consistent with the screen permissions set in the ecommerce blog/forum screens. +Fixes CVE-2019-10073 +
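Review bot: in r1858539 the `Fixes CVE-2019-10073` line is appended directly under the last sentence of the body, with a blank line after it rather than before it. Put the blank line before the `Fixes` line and drop the trailing one, so the reference stands as its own paragraph instead of reading as a continuation of the description.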
svn propchange: r1858541 - svn:log
Author: jleroux Revision: 1858541 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:21:30 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:21:30 2019 @@ -5,4 +5,4 @@ Improved: Replaced permission-service wi perform permission checks in a way that is more consistent with the screen permissions set in the ecommerce blog/forum screens. - +Fixes CVE-2019-10073
svn propchange: r1858540 - svn:log
Author: jleroux Revision: 1858540 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:21:26 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:21:26 2019 @@ -5,4 +5,4 @@ Improved: Replaced permission-service wi perform permission checks in a way that is more consistent with the screen permissions set in the ecommerce blog/forum screens. - +Fixes CVE-2019-10073
svn propchange: r1860593 - svn:log
Author: jleroux Revision: 1860593 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:22:44 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:22:44 2019 @@ -4,3 +4,4 @@ Applied fix from trunk for revision: 186 Fixed: removed override directives to let the system perform proper validation of user input. +Fixes CVE-2019-10073
svn propchange: r1860595 - svn:log
Author: jleroux Revision: 1860595 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:22:56 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:22:56 2019 @@ -4,3 +4,4 @@ Applied fix from trunk for revision: 186 Fixed: removed override directives to let the system perform proper validation of user input. +Fixes CVE-2019-10073
svn propchange: r1860592 - svn:log
Author: jleroux Revision: 1860592 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:22:40 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:22:40 2019 @@ -1,2 +1,4 @@ Fixed: removed override directives to let the system perform proper validation of user input. + +Fixes CVE-2019-10073
svn propchange: r1860594 - svn:log
Author: jleroux Revision: 1860594 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:22:47 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:22:47 2019 @@ -4,3 +4,4 @@ Applied fix from trunk for revision: 186 Fixed: removed override directives to let the system perform proper validation of user input. +Fixes CVE-2019-10073
svn propchange: r1860594 - svn:log
Author: jleroux Revision: 1860594 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:22:25 2019 -- (empty)
svn propchange: r1858543 - svn:log
Author: jleroux Revision: 1858543 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:21:34 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:21:34 2019 @@ -5,4 +5,4 @@ Improved: Replaced permission-service wi perform permission checks in a way that is more consistent with the screen permissions set in the ecommerce blog/forum screens. - +Fixes CVE-2019-10073
svn propchange: r1860614 - svn:log
Author: jleroux Revision: 1860614 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:23:55 2019 -- (empty)
svn propchange: r1860613 - svn:log
Author: jleroux Revision: 1860613 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:24:06 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:24:06 2019 @@ -1,2 +1,4 @@ Fixed: fine tuned the sanitization of user input by allowing "safe" content; thanks to Jacques for the suggestion. + +Fixes CVE-2019-10073
svn propchange: r1860614 - svn:log
Author: jleroux Revision: 1860614 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:23:47 2019 -- (empty)
svn propchange: r1860615 - svn:log
Author: jleroux Revision: 1860615 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:24:17 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:24:17 2019 @@ -4,3 +4,4 @@ Applied fix from trunk for revision: 186 Fixed: fine tuned the sanitization of user input by allowing "safe" content; thanks to Jacques for the suggestion. +Fixes CVE-2019-10073
svn propchange: r1860616 - svn:log
Author: jleroux Revision: 1860616 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:24:24 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:24:24 2019 @@ -4,3 +4,4 @@ Applied fix from trunk for revision: 186 Fixed: fine tuned the sanitization of user input by allowing "safe" content; thanks to Jacques for the suggestion. +Fixes CVE-2019-10073
svn propchange: r1860614 - svn:log
Author: jleroux Revision: 1860614 Modified property: svn:log Modified: svn:log at Fri Sep 13 08:24:10 2019 -- --- svn:log (original) +++ svn:log Fri Sep 13 08:24:10 2019 @@ -4,3 +4,4 @@ Applied fix from trunk for revision: 186 Fixed: fine tuned the sanitization of user input by allowing "safe" content; thanks to Jacques for the suggestion. +Fixes CVE-2019-10073