buildbot success in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a restored build on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1381 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] 5e1a23de1c6cc92fa10cd6008e2e758cdf7ffe4f Blamelist: Jacques Le Roux Build succeeded! Sincerely, -The Buildbot
[ofbiz-framework] branch trunk updated: Improved: fixes checkstyle issue
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new 5e1a23d Improved: fixes checkstyle issue
5e1a23d is described below
commit 5e1a23de1c6cc92fa10cd6008e2e758cdf7ffe4f
Author: Jacques Le Roux
AuthorDate: Mon May 18 22:54:32 2020 +0200
Improved: fixes checkstyle issue
---
build.gradle | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index b98bddc..ebbbce1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -286,7 +286,7 @@ checkstyle {
// the sum of errors found last time it was changed after using the
// ‘checkstyle’ tool present in the framework and in the official
// plugins.
-tasks.checkstyleMain.maxErrors = 37088
+tasks.checkstyleMain.maxErrors = 37096
// Currently there are a lot of errors so we need to temporarily
// hide them to avoid polluting the terminal output.
showViolations = false
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new a67508c Improved: Prevent FreeMarker Template Injection (SSTI)
a67508c is described below
commit a67508c29c1454a07448219cfa700f71132fb248
Author: Jacques Le Roux
AuthorDate: Mon May 18 22:51:24 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Better style with line not too long
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f377e05..d8ff395 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
}
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+"SAFER_RESOLVER");
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
[ofbiz-framework] branch trunk updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new d640a71 Improved: Prevent FreeMarker Template Injection (SSTI)
d640a71 is described below
commit d640a711d14e3a2a94c8a73635dd4e63a9eb4bc1
Author: Jacques Le Roux
AuthorDate: Mon May 18 22:52:30 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Better style with line not too long
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index c7bf317..1e95731 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -126,7 +126,8 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, MODULE);
}
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+"SAFER_RESOLVER");
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new c7a5b22 Improved: Prevent FreeMarker Template Injection (SSTI)
c7a5b22 is described below
commit c7a5b22e0ed287cfa4073da8b0037da7567ffea6
Author: Jacques Le Roux
AuthorDate: Mon May 18 22:50:28 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) This commit does 2 things: Send a correct commit comment (kind of amendment, w/o push force) Previous code compiled but SAFER_RESOLVER is not a class but a field, better KISS Real change: Better style with line not too long:
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index f6b7222..ffd16b8 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -116,7 +116,8 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
}
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
+"SAFER_RESOLVER");
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
buildbot success in on ofbizBranch17Framework
The Buildbot has detected a restored build on builder ofbizBranch17Framework while building . Full details are available at: https://ci.apache.org/builders/ofbizBranch17Framework/builds/457 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: forced: by IRC user (privmsg): forces manual build after supposed BuildBot error Build Source Stamp: HEAD Blamelist: Build succeeded! Sincerely, -The Buildbot
buildbot failure in on ofbizTrunkFrameworkPlugins
The Buildbot has detected a new failure on builder ofbizTrunkFrameworkPlugins while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFrameworkPlugins/builds/1380 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: downstream Build Source Stamp: [branch trunk] 09baa5537e160fdf00450aedd2bd69ff9776ccaa Blamelist: Jacques Le Roux BUILD FAILED: failed shell_2 shell_5 Sincerely, -The Buildbot
buildbot failure in on ofbizBranch17Framework
The Buildbot has detected a new failure on builder ofbizBranch17Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch17Framework/builds/456 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch17FrameworkCommit' triggered this build Build Source Stamp: [branch release17.12] 78cb3140663c855b02487adf17a6b973317853f1 Blamelist: Jacques Le Roux BUILD FAILED: failed shell_2 Sincerely, -The Buildbot
buildbot success in on ofbizBranch18Framework
The Buildbot has detected a restored build on builder ofbizBranch18Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch18Framework/builds/317 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch18FrameworkCommit' triggered this build Build Source Stamp: [branch release18.12] 191798f3af3125c9229baee2813508be39644dfd Blamelist: Jacques Le Roux Build succeeded! Sincerely, -The Buildbot
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 191798f Improved: Prevent FreeMarker Template Injection (SSTI)
191798f is described below
commit 191798f3af3125c9229baee2813508be39644dfd
Author: Jacques Le Roux
AuthorDate: Mon May 18 15:37:30 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Fixes a typo: module instead of MODULE
---
.../java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 20765fc..f377e05 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -35,7 +35,6 @@ import java.util.TimeZone;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
-import org.apache.ofbiz.base.component.ComponentConfig;
import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.StringUtil;
@@ -129,7 +128,7 @@ public final class FreeMarkerWorker {
newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
break;
default:
-Debug.logError("Not a TemplateClassResolver.", MODULE);
+Debug.logError("Not a TemplateClassResolver.", module);
break;
}
// Transforms properties file set up as key=transform name, property=transform class name
[ofbiz-framework] branch release17.12 updated: Improved: Implemented: Documented: Completed: Reverted: Fixed:
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new 78cb314 Improved: Implemented: Documented: Completed: Reverted: Fixed:
78cb314 is described below
commit 78cb3140663c855b02487adf17a6b973317853f1
Author: Jacques Le Roux
AuthorDate: Mon May 18 15:26:15 2020 +0200
Improved: Implemented: Documented: Completed: Reverted: Fixed: (OFBIZ-) Explanation Thanks:
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 26 +-
1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 814031a..f6b7222 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -63,7 +63,6 @@ import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import freemarker.template.Version;
-import freemarker.template.utility.ClassUtil;
/**
* FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -110,21 +109,28 @@ public final class FreeMarkerWorker { newConfig.setAutoImports(freemarkerImports); } newConfig.setLogTemplateExceptions(false); -String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", -"SAFER_RESOLVER"); +newConfig.setTemplateExceptionHandler(new FreeMarkerWorker.OFBizTemplateExceptionHandler()); try { -newConfig.setNewBuiltinClassResolver((TemplateClassResolver) -ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver) -.cast(templateClassResolver)); -} catch (ClassNotFoundException e) { -Debug.logError("No TemplateClassResolver." + templateClassResolver, module); -}try { newConfig.setSetting("datetime_format", "-MM-dd HH:mm:ss.SSS"); newConfig.setSetting("number_format", "0.##"); } catch (TemplateException e) { Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module); } - newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); +String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER"); +switch (templateClassResolver) { +case "UNRESTRICTED_RESOLVER": + newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER); +break; +case "SAFER_RESOLVER": + newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); +break; +case "ALLOWS_NOTHING_RESOLVER": + newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER); +break; +default: +Debug.logError("Not a TemplateClassResolver.", module); +break; +} // Transforms properties file set up as key=transform name, property=transform class name ClassLoader loader = Thread.currentThread().getContextClassLoader(); Enumeration resources;
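Review bot: The `default:` branch of the new switch only logs `Not a TemplateClassResolver.` and leaves the resolver unset, so a misspelled or unexpected `templateClassResolver` value in security.properties falls back to FreeMarker's documented default for `new_builtin_class_resolver`, which is `TemplateClassResolver.UNRESTRICTED_RESOLVER` — the misconfiguration silently disables the restriction this change exists to enforce, unless the resolver is set elsewhere in makeConfiguration, which this hunk does not show. Failing closed is one added line after the log call, `newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);`, and the log line should name the rejected value so the operator can see it, `Debug.logError("Unknown templateClassResolver '" + templateClassResolver + "', falling back to SAFER_RESOLVER", module);`. The same switch, with the same gap, is introduced on release18.12 by commit 07f48a3 in the hunk `@@ -118,14 +117,20 @@`. The enclosing makeConfiguration method starts and ends outside this hunk.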
buildbot success in on ofbizTrunkFramework
The Buildbot has detected a restored build on builder ofbizTrunkFramework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/1499 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build Build Source Stamp: [branch trunk] f443ace724d83fd34551ff669c8c0da9dd162ad2 Blamelist: James Yong Build succeeded! Sincerely, -The Buildbot
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new 07f48a3 Improved: Prevent FreeMarker Template Injection (SSTI)
07f48a3 is described below
commit 07f48a3334fcd11a1d6c8e3236887dd3b535863c
Author: Jacques Le Roux
AuthorDate: Mon May 18 14:03:33 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Previous code compiled but the class was not found, better KISS
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 23 +-
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 539d423..20765fc 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,7 +64,6 @@ import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import freemarker.template.Version;
-import freemarker.template.utility.ClassUtil;
/**
* FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -118,14 +117,20 @@ public final class FreeMarkerWorker {
} catch (TemplateException e) {
Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module);
}
-String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
-"SAFER_RESOLVER");
-try {
-newConfig.setNewBuiltinClassResolver((TemplateClassResolver)
-ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver)
-.cast(templateClassResolver));
-} catch (ClassNotFoundException e) {
-Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE);
+String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", "SAFER_RESOLVER");
+switch (templateClassResolver) {
+case "UNRESTRICTED_RESOLVER":
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.UNRESTRICTED_RESOLVER);
+break;
+case "SAFER_RESOLVER":
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER);
+break;
+case "ALLOWS_NOTHING_RESOLVER":
+ newConfig.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
+break;
+default:
+Debug.logError("Not a TemplateClassResolver.", MODULE);
+break;
}
// Transforms properties file set up as key=transform name, property=transform class name
ClassLoader loader = Thread.currentThread().getContextClassLoader();
buildbot success in on ofbizBranch17Framework
The Buildbot has detected a restored build on builder ofbizBranch17Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch17Framework/builds/455 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch17FrameworkCommit' triggered this build Build Source Stamp: [branch release17.12] c502a978a0138b3cc1906ddd915f0b9f50c3689c Blamelist: Jacques Le Roux Build succeeded! Sincerely, -The Buildbot
[ofbiz-framework] branch trunk updated: Improved: Apply multi-block attr to each application (OFBIZ-11706)
This is an automated email from the ASF dual-hosted git repository.
jamesyong pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new f443ace Improved: Apply multi-block attr to each application (OFBIZ-11706)
f443ace is described below
commit f443ace724d83fd34551ff669c8c0da9dd162ad2
Author: James Yong
AuthorDate: Mon May 18 20:26:39 2020 +0800
Improved: Apply multi-block attr to each application (OFBIZ-11706) Revert multi-block attr on RemoveInternalOrg.ftl, to fix regression for HR tree. There is no inline script causing CSP issue in the 1st place. Thanks: Olivier for reporting
---
applications/humanres/widget/EmplPositionScreens.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/applications/humanres/widget/EmplPositionScreens.xml b/applications/humanres/widget/EmplPositionScreens.xml
index 67e440f..b6513b8 100644
--- a/applications/humanres/widget/EmplPositionScreens.xml
+++ b/applications/humanres/widget/EmplPositionScreens.xml
@@ -332,7 +332,7 @@
-
+
buildbot failure in on ofbizTrunkFramework
The Buildbot has detected a new failure on builder ofbizTrunkFramework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizTrunkFramework/builds/1498 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf945_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onTrunkFrameworkCommit' triggered this build Build Source Stamp: [branch trunk] 11905d82f5aa6fb06894e82b1ff83538ee15845d Blamelist: Jacques Le Roux BUILD FAILED: failed shell_2 Sincerely, -The Buildbot
[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new c502a97 Improved: Prevent FreeMarker Template Injection (SSTI)
c502a97 is described below
commit c502a978a0138b3cc1906ddd915f0b9f50c3689c
Author: Jacques Le Roux
AuthorDate: Mon May 18 13:48:31 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Fixes all the conflicts previously handled by hand (no merge was possible)
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 230 -
1 file changed, 88 insertions(+), 142 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 9d6c67a..814031a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -1,4 +1,4 @@
-/*
+/***
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -15,7 +15,7 @@
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
- */
+ ***/
package org.apache.ofbiz.base.util.template;
import java.io.File;
@@ -23,20 +23,18 @@ import java.io.IOException;
import java.io.Writer;
import java.net.URL;
import java.util.ArrayList;
+import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
-import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.TimeZone;
-import java.util.stream.Stream;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
-import org.apache.ofbiz.base.component.ComponentConfig;
import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.StringUtil;
@@ -45,7 +43,6 @@ import org.apache.ofbiz.base.util.UtilMisc;
import org.apache.ofbiz.base.util.UtilProperties;
import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.base.util.cache.UtilCache;
-import org.apache.ofbiz.widget.model.ModelWidget;
import freemarker.cache.MultiTemplateLoader;
import freemarker.cache.StringTemplateLoader;
@@ -61,6 +58,7 @@ import freemarker.template.SimpleHash;
import freemarker.template.SimpleScalar;
import freemarker.template.Template;
import freemarker.template.TemplateException;
+import freemarker.template.TemplateExceptionHandler;
import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
@@ -71,28 +69,24 @@ import freemarker.template.utility.ClassUtil;
* FreeMarkerWorker - Freemarker Template Engine Utilities.
*/
public final class FreeMarkerWorker {
-/** The template used to retrieved Freemarker transforms from multiple component classpaths. */
-private static final String TRANSFORMS_PROPERTIES = "org/apache/ofbiz/%s/freemarkerTransforms.properties";
-private static final String MODULE = FreeMarkerWorker.class.getName();
+public static final String module = FreeMarkerWorker.class.getName();
-public static final Version VERSION = Configuration.VERSION_2_3_30;
+public static final Version version = Configuration.VERSION_2_3_28;
-private FreeMarkerWorker() { }
+private FreeMarkerWorker () {}
-// Use soft references for this so that things from Content records don't kill all of our memory,
-// or maybe not for performance reasons... hmmm, leave to config file...
-private static final UtilCache CACHED_TEMPLATES =
-UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
-private static final BeansWrapper DEFAULT_OFBIZ_WRAPPER = new BeansWrapperBuilder(VERSION).build();
-private static final Configuration DEFAULT_OFBIZ_CONFIG = makeConfiguration(DEFAULT_OFBIZ_WRAPPER);
+// use soft references for this so that things from Content records don't kill all of our memory, or maybe not for performance reasons... hmmm, leave to config file...
+private static final UtilCache cachedTemplates = UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
+private static final BeansWrapper defaultOfbizWrapper = new BeansWrapperBuilder(version).build();
+private static final Configuration defaultOfbizConfig =
buildbot exception in on ofbizBranch17Framework
The Buildbot has detected a build exception on builder ofbizBranch17Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch17Framework/builds/454 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf946_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch17FrameworkCommit' triggered this build Build Source Stamp: [branch release17.12] babd23282ee61f1b840899a3785e89da5f202131 Blamelist: Jacques Le Roux BUILD FAILED: exception shell upload Sincerely, -The Buildbot
buildbot exception in on ofbizBranch18Framework
The Buildbot has detected a build exception on builder ofbizBranch18Framework while building ofbiz-framework. Full details are available at: https://ci.apache.org/builders/ofbizBranch18Framework/builds/315 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: asf947_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'onBranch18FrameworkCommit' triggered this build Build Source Stamp: [branch release18.12] b97d6bf1e28c1ffc062af08fc7da2769fc3672d5 Blamelist: Jacques Le Roux BUILD FAILED: exception shell upload Sincerely, -The Buildbot
[ofbiz-framework] branch release17.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release17.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release17.12 by this push:
new babd232 Improved: Prevent FreeMarker Template Injection (SSTI)
babd232 is described below
commit babd23282ee61f1b840899a3785e89da5f202131
Author: Jacques Le Roux
AuthorDate: Mon May 18 13:35:02 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Some people may want to use another TemplateClassResolver than SAFER_RESOLVER This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default Conflicts all handled by hand (no merge possible)
---
.../ofbiz/base/util/template/FreeMarkerWorker.java | 230 +
framework/security/config/security.properties | 7 +
2 files changed, 153 insertions(+), 84 deletions(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index 6c45127..9d6c67a 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -1,4 +1,4 @@
-/***
+/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
@@ -15,7 +15,7 @@
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
- ***/
+ */
package org.apache.ofbiz.base.util.template;
import java.io.File;
@@ -23,18 +23,20 @@ import java.io.IOException;
import java.io.Writer;
import java.net.URL;
import java.util.ArrayList;
-import java.util.Enumeration;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
+import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.TimeZone;
+import java.util.stream.Stream;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
+import org.apache.ofbiz.base.component.ComponentConfig;
import org.apache.ofbiz.base.location.FlexibleLocation;
import org.apache.ofbiz.base.util.Debug;
import org.apache.ofbiz.base.util.StringUtil;
@@ -43,6 +45,7 @@ import org.apache.ofbiz.base.util.UtilMisc;
import org.apache.ofbiz.base.util.UtilProperties;
import org.apache.ofbiz.base.util.UtilValidate;
import org.apache.ofbiz.base.util.cache.UtilCache;
+import org.apache.ofbiz.widget.model.ModelWidget;
import freemarker.cache.MultiTemplateLoader;
import freemarker.cache.StringTemplateLoader;
@@ -58,34 +61,38 @@ import freemarker.template.SimpleHash;
import freemarker.template.SimpleScalar;
import freemarker.template.Template;
import freemarker.template.TemplateException;
-import freemarker.template.TemplateExceptionHandler;
import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
/**
* FreeMarkerWorker - Freemarker Template Engine Utilities.
*/
public final class FreeMarkerWorker {
+/** The template used to retrieved Freemarker transforms from multiple component classpaths. */
+private static final String TRANSFORMS_PROPERTIES = "org/apache/ofbiz/%s/freemarkerTransforms.properties";
-public static final String module = FreeMarkerWorker.class.getName();
+private static final String MODULE = FreeMarkerWorker.class.getName();
-public static final Version version = Configuration.VERSION_2_3_28;
+public static final Version VERSION = Configuration.VERSION_2_3_30;
-private FreeMarkerWorker () {}
+private FreeMarkerWorker() { }
-// use soft references for this so that things from Content records don't kill all of our memory, or maybe not for performance reasons... hmmm, leave to config file...
-private static final UtilCache cachedTemplates = UtilCache.createUtilCache("template.ftl.general", 0, 0, false);
-private static final BeansWrapper defaultOfbizWrapper = new BeansWrapperBuilder(version).build();
-private static final Configuration defaultOfbizConfig = makeConfiguration(defaultOfbizWrapper);
+// Use soft references for this so that things from Content records don't kill all of our memory,
+// or maybe not for performance reasons... hmmm, leave to config file...
+private static final UtilCache
[ofbiz-framework] branch release18.12 updated: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release18.12 by this push:
new b97d6bf Improved: Prevent FreeMarker Template Injection (SSTI)
b97d6bf is described below
commit b97d6bf1e28c1ffc062af08fc7da2769fc3672d5
Author: Jacques Le Roux
AuthorDate: Mon May 18 12:06:28 2020 +0200
Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Some people may want to use another TemplateClassResolver than SAFER_RESOLVER This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default Conflicts handled by hand framework/security/config/security.properties
---
.../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++-
framework/security/config/security.properties | 7 +++
2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
index fa368a1..539d423 100644
--- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
+++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java
@@ -64,6 +64,7 @@ import freemarker.template.TemplateHashModel;
import freemarker.template.TemplateModel;
import freemarker.template.TemplateModelException;
import freemarker.template.Version;
+import freemarker.template.utility.ClassUtil;
/**
* FreeMarkerWorker - Freemarker Template Engine Utilities.
@@ -117,7 +118,15 @@ public final class FreeMarkerWorker { } catch (TemplateException e) { Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, module); } - newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); +String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", +"SAFER_RESOLVER"); +try { +newConfig.setNewBuiltinClassResolver((TemplateClassResolver) +ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver) +.cast(templateClassResolver)); +} catch (ClassNotFoundException e) { +Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE); +} // Transforms properties file set up as key=transform name, property=transform class name ClassLoader loader = Thread.currentThread().getContextClassLoader(); Enumeration resources; diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index f5d3120..fa64fa5 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -159,3 +159,10 @@ host-headers-allowed=localhost,127.0.0.1,demo-trunk.ofbiz.apache.org,demo-stable # -- By default the SameSite value in SameSiteFilter is strict. This allows to change it to lax if needed SameSiteCookieAttribute= +# -- Freemarker TemplateClassResolver option, see OFBIZ-11709. +# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes +# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime. +# -- If you need to use one to these classes you need to change the TemplateClassResolver +# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read +# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security +templateClassResolver=
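Review bot: The resolver lookup in the new try block can never succeed: `"freemarker.core.TemplateClassResolver" + templateClassResolver` glues the constant name onto the class name with no separator, and SAFER_RESOLVER/UNRESTRICTED_RESOLVER are static fields of the TemplateClassResolver interface rather than classes, so ClassUtil.forName throws ClassNotFoundException for every value including the default, and even a successful lookup would then `.cast(templateClassResolver)` a String. The net effect is that the hard-coded `SAFER_RESOLVER` call this hunk removes is replaced by a logged error plus FreeMarker's own default resolver, which is less restrictive than what the branch had before. The catch block also passes `MODULE` while the context line above uses `module`, which will not compile on this branch unless MODULE is declared elsewhere in the file. Map the property value explicitly to the interface constants and fall back to SAFER_RESOLVER for unknown values (the new `ClassUtil` import then becomes unused); trunk commit a6e8b05 carries the same lookup code. makeConfiguration continues outside the hunk.
```java
String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver",
        "SAFER_RESOLVER");
TemplateClassResolver resolver;
switch (templateClassResolver) {
case "UNRESTRICTED_RESOLVER":
    resolver = TemplateClassResolver.UNRESTRICTED_RESOLVER;
    break;
case "ALLOWS_NOTHING_RESOLVER":
    resolver = TemplateClassResolver.ALLOWS_NOTHING_RESOLVER;
    break;
case "SAFER_RESOLVER":
    resolver = TemplateClassResolver.SAFER_RESOLVER;
    break;
default:
    // Unknown value: keep the previous hard-coded behaviour rather than FreeMarker's default
    Debug.logError("Unknown templateClassResolver '" + templateClassResolver
            + "', falling back to SAFER_RESOLVER", module);
    resolver = TemplateClassResolver.SAFER_RESOLVER;
    break;
}
newConfig.setNewBuiltinClassResolver(resolver);
// … unchanged: transforms properties loading …
```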
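Review bot: The new `templateClassResolver=` entry ships empty and its comment does not say which values are accepted or what an empty value means, so an operator has to read FreeMarkerWorker to configure it. Suggest extending the comment with `# -- Accepted values: SAFER_RESOLVER (default when left empty), UNRESTRICTED_RESOLVER, ALLOWS_NOTHING_RESOLVER` and changing "one to these classes" to "one of these classes". Whether an empty value really yields the SAFER_RESOLVER default depends on UtilProperties.getPropertyValue treating an empty value as absent, which is not visible here. The same text is added in trunk commit a6e8b05.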
[ofbiz-framework] branch trunk updated (e3e12ee -> 11905d8)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a change to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git. from e3e12ee Improved: No need to specify externalKeyParam in ofbizUrl calls (OFBIZ-11711) new a6e8b05 Improved: Prevent FreeMarker Template Injection (SSTI) new 11905d8 Improved: Convert deactivateAllContentRoles service from mini-lang to groovy DSL The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: .../groovyScripts/content/ContentServices.groovy | 20 +++- .../content/minilang/content/ContentServices.xml | 13 - applications/content/servicedef/services_content.xml | 4 ++-- .../ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++- framework/security/config/security.properties| 9 + 5 files changed, 40 insertions(+), 17 deletions(-)
[ofbiz-framework] 01/02: Improved: Prevent FreeMarker Template Injection (SSTI)
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit a6e8b05135f07a6c6aa383e0d0bd4226a46f9c7e Author: Jacques Le Roux AuthorDate: Mon May 18 12:06:28 2020 +0200 Improved: Prevent FreeMarker Template Injection (SSTI) (OFBIZ-11709) Some people may want to use another TemplateClassResolver than SAFER_RESOLVER This creates a new templateClassResolver security property and uses it in FreeMarkerWorker::makeConfiguration by default --- .../org/apache/ofbiz/base/util/template/FreeMarkerWorker.java | 11 ++- framework/security/config/security.properties | 9 + 2 files changed, 19 insertions(+), 1 deletion(-) diff --git a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java index 6cae5aa..56b2eee 100644 --- a/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java +++ b/framework/base/src/main/java/org/apache/ofbiz/base/util/template/FreeMarkerWorker.java @@ -65,6 +65,7 @@ import freemarker.template.TemplateHashModel; import freemarker.template.TemplateModel; import freemarker.template.TemplateModelException; import freemarker.template.Version; +import freemarker.template.utility.ClassUtil; /** * FreeMarkerWorker - Freemarker Template Engine Utilities. 
@@ -126,7 +127,15 @@ public final class FreeMarkerWorker { } catch (TemplateException e) { Debug.logError("Unable to set date/time and number formats in FreeMarker: " + e, MODULE); } - newConfig.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER); +String templateClassResolver = UtilProperties.getPropertyValue("security", "templateClassResolver", +"SAFER_RESOLVER"); +try { +newConfig.setNewBuiltinClassResolver((TemplateClassResolver) +ClassUtil.forName("freemarker.core.TemplateClassResolver" + templateClassResolver) +.cast(templateClassResolver)); +} catch (ClassNotFoundException e) { +Debug.logError("No TemplateClassResolver." + templateClassResolver, MODULE); +} // Transforms properties file set up as key=transform name, property=transform class name ClassLoader loader = Thread.currentThread().getContextClassLoader(); transformsURL(loader).forEach(url -> { diff --git a/framework/security/config/security.properties b/framework/security/config/security.properties index 52fbf08..d3b32d2 100644 --- a/framework/security/config/security.properties +++ b/framework/security/config/security.properties @@ -185,3 +185,12 @@ csrf.entity.request.limit= # -- Use org.apache.ofbiz.security.CsrfDefenseStrategy # -- if you need to use a 'lax' for SameSiteCookieAttribute csrf.defense.strategy= + + +# -- Freemarker TemplateClassResolver option, see OFBIZ-11709. +# -- By default OFBiz uses the SAFER_RESOLVER because OOTB it does not use any of the Freemarker classes +# -- that SAFER_RESOLVER prevents: ObjectConstructor, Execute and JythonRuntime. +# -- If you need to use one to these classes you need to change the TemplateClassResolver +# -- to UNRESTRICTED_RESOLVER and look at MemberAccessPolicy. In any cases better read +# -- https://freemarker.apache.org/docs/app_faq.html#faq_template_uploading_security +templateClassResolver=
[ofbiz-framework] 02/02: Improved: Convert deactivateAllContentRoles service from mini-lang to groovy DSL
This is an automated email from the ASF dual-hosted git repository. jleroux pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git commit 11905d82f5aa6fb06894e82b1ff83538ee15845d Author: Jacques Le Roux AuthorDate: Mon May 18 13:25:35 2020 +0200 Improved: Convert deactivateAllContentRoles service from mini-lang to groovy DSL (OFBIZ-11366) jleroux: I had to slightly rewrite the patch, mostly the Groovy part (see comment in Jira) Thanks: Devanshu Vyas for the initial patch --- .../groovyScripts/content/ContentServices.groovy | 20 +++- .../content/minilang/content/ContentServices.xml | 13 - applications/content/servicedef/services_content.xml | 4 ++-- 3 files changed, 21 insertions(+), 16 deletions(-) diff --git a/applications/content/groovyScripts/content/ContentServices.groovy b/applications/content/groovyScripts/content/ContentServices.groovy index d860b19..4ecc039 100644 --- a/applications/content/groovyScripts/content/ContentServices.groovy +++ b/applications/content/groovyScripts/content/ContentServices.groovy @@ -17,14 +17,19 @@ * under the License. */ -import org.apache.ofbiz.base.util.Debug +import java.sql.Timestamp + import org.apache.ofbiz.common.UrlServletHelper import org.apache.ofbiz.entity.condition.EntityCondition import org.apache.ofbiz.entity.condition.EntityOperator +import org.apache.ofbiz.entity.GenericValue import org.apache.ofbiz.entity.util.EntityListIterator import org.apache.ofbiz.service.GenericServiceException; + import org.apache.ofbiz.service.ModelService import org.apache.ofbiz.service.ServiceUtil +import org.apache.ofbiz.base.util.Debug +import org.apache.ofbiz.base.util.UtilDateTime MODULE = "ContentServices.groovy" def createTextAndUploadedContent(){ 
@@ -48,6 +53,19 @@ def createTextAndUploadedContent(){ return result } +def deactivateAllContentRoles() { +List contentRoles = from("ContentRole"). +where("contentId", parameters.contentId, "partyId", parameters.partyId, "roleTypeId", parameters.roleTypeId) +.queryList(); +if (contentRoles) { +for (GenericValue contentRole : contentRoles) { +contentRole.put("thruDate", UtilDateTime.nowTimestamp()); +contentRole.store(); +} +} +return success() +} + def createContentAlternativeUrl() { //create Content Alternative URLs. String contentCreated diff --git a/applications/content/minilang/content/ContentServices.xml b/applications/content/minilang/content/ContentServices.xml index 696d7ee..b8e451b 100644 --- a/applications/content/minilang/content/ContentServices.xml +++ b/applications/content/minilang/content/ContentServices.xml @@ -164,19 +164,6 @@ - - - - - - - - - - - - - diff --git a/applications/content/servicedef/services_content.xml b/applications/content/servicedef/services_content.xml index 87be490..ee931fa 100644 --- a/applications/content/servicedef/services_content.xml +++ b/applications/content/servicedef/services_content.xml @@ -319,8 +319,8 @@ - + Deactivate all ContentRoles
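Review bot: deactivateAllContentRoles stamps thruDate on every ContentRole matching the three keys, including rows that already carry a thruDate, so earlier deactivation times are overwritten; restricting the query to currently active rows, e.g. `.filterByDate()` before `.queryList()`, avoids that, assuming the mini-lang service it replaces (deleted in this commit and not readable here) did not intend the overwrite. The `if (contentRoles)` guard is redundant, since the for loop over an empty list is a no-op, and the body mixes statements with and without semicolons. The `java.sql.Timestamp` import added in the first hunk is not used by the code visible here. createContentAlternativeUrl's body runs past the hunk.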