[jira] [Commented] (OFBIZ-13130) [CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps

2024-11-21 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-13130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899971#comment-17899971 ]

Jacques Le Roux commented on OFBIZ-13130:
----------------------------------------

I have checked using
https://www.utilities-online.info/xsdvalidation
and
https://www.liquid-technologies.com/online-xsd-validator

Both validate; the error must come from Eclipse, forget it.


> [CVE-2024-45195] Add permission check for view-maps and change defaults for 
> request-maps
> 
>
> Key: OFBIZ-13130
> URL: https://issues.apache.org/jira/browse/OFBIZ-13130
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ALL APPLICATIONS, ALL COMPONENTS, ALL PLUGINS
>Affects Versions: 18.12.15
>Reporter: Sebastian Tschikin
>Assignee: Sebastian Tschikin
>Priority: Major
> Fix For: 18.12.16
>
>
> If a user is not authorized, the system should not allow access to rendered 
> views.
> Additionally, the default for the request-map parameters "auth" and "https" 
> should be set to "true".
> This improvement aims to enhance security by preventing unauthorized access.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
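The issue description above asks for two things: request-maps whose `auth` and `https` settings default to "true", and a permission check on view-maps (the `auth` attribute on `view-map` that the Eclipse validation complained about). A defender upgrading to 18.12.16 still has to find the controller entries that explicitly opt out, or that silently relied on the old defaults. The script below is an added example, not OFBiz project code: it walks a controller file and reports every request-map or view-map that ends up unauthenticated or non-HTTPS. It assumes the standard `<security https="..." auth="..."/>` child of `request-map`, the `auth` attribute on `view-map` from this issue, and a `legacy_defaults` switch that models the pre-fix behaviour (an absent attribute meant no check) as an assumption; the sample controller XML and its `component://` paths are constructed for the example.

```python
"""Audit an OFBiz controller.xml for request-maps and view-maps that can be
reached without authentication or without HTTPS.

Added example, not OFBiz code. Assumptions: request-map security lives in a
<security auth= https=/> child, view-map carries an auth attribute (as in
OFBIZ-13130), and legacy_defaults=True models the pre-fix defaults where an
absent attribute meant "false".
"""
import xml.etree.ElementTree as ET

# Constructed sample controller for the example; the component:// paths are
# placeholders, not files from the OFBiz tree.
SAMPLE_CONTROLLER = """
<site-conf xmlns="http://ofbiz.apache.org/Site-Conf">
    <request-map uri="main">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="main"/>
    </request-map>
    <request-map uri="report">
        <security https="true" auth="false"/>
        <response name="success" type="view" value="report"/>
    </request-map>
    <request-map uri="legacy">
        <response name="success" type="view" value="legacy"/>
    </request-map>
    <view-map name="main" type="screen"
              page="component://example/widget/ExampleScreens.xml#main" auth="true"/>
    <view-map name="report" type="screen"
              page="component://example/widget/ExampleScreens.xml#report"/>
    <view-map name="legacy" type="screen"
              page="component://example/widget/ExampleScreens.xml#legacy" auth="false"/>
</site-conf>
"""


def _local(tag):
    """Strip the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _check(elem, attr, default, kind, name, findings):
    """Record a finding when attr on elem resolves to false.

    elem may be None (no <security> child); then the default applies.
    """
    raw = elem.get(attr) if elem is not None else None
    if raw is None:
        enabled, origin = default, "default"
    else:
        enabled, origin = raw.strip().lower() == "true", "explicit"
    if not enabled:
        findings.append((kind, name, f"{attr}=false ({origin})"))


def audit_controller(xml_text, legacy_defaults=False):
    """Return (kind, name, reason) tuples for every unprotected map.

    legacy_defaults=False uses the 18.12.16 defaults from the issue (absent
    attribute means true); True models the older behaviour (absent means
    false), which is how a pre-upgrade controller should be read.
    """
    default = not legacy_defaults
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "request-map":
            name = elem.get("uri", "<no uri>")
            security = next((c for c in elem if _local(c.tag) == "security"), None)
            _check(security, "auth", default, "request-map", name, findings)
            _check(security, "https", default, "request-map", name, findings)
        elif tag == "view-map":
            name = elem.get("name", "<no name>")
            _check(elem, "auth", default, "view-map", name, findings)
    return findings


def main():
    for legacy in (False, True):
        label = "pre-fix defaults" if legacy else "18.12.16 defaults"
        print(f"--- {label} ---")
        for kind, name, reason in audit_controller(SAMPLE_CONTROLLER, legacy):
            print(f"{kind:12} {name:10} {reason}")


if __name__ == "__main__":
    main()
```

Running it against a real controller means reading the file and passing its text to `audit_controller`; the two runs in `main` show why the defaults change matters: the `legacy` request-map and the `report` view-map are only flagged under the old defaults, while the explicit `auth="false"` entries are flagged either way and are the ones to review by hand.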


[jira] [Commented] (OFBIZ-13130) [CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps

2024-11-05 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-13130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895565#comment-17895565 ]

Jacques Le Roux commented on OFBIZ-13130:
----------------------------------------

Hi Sebastian,

Sorry to bother you. I stumbled upon a weird issue in Eclipse while browsing a 
controller file with "auth=" in it (e.g. common-controller.xml).

While hovering over "auth=", it says: 
bq. cvc-complex-type.3.2.2: Attribute 'auth' is not allowed to appear in element 'view-map'.

I checked all is correct in site-conf.xsd and it's present at 
https://ofbiz.apache.org/dtds/site-conf.xsd
It's not a big deal but I really wonder why this happens.


