[jira] [Commented] (OFBIZ-13130) [CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps
[ https://issues.apache.org/jira/browse/OFBIZ-13130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17899971#comment-17899971 ]

Jacques Le Roux commented on OFBIZ-13130:
-----------------------------------------

I have checked using https://www.utilities-online.info/xsdvalidation and https://www.liquid-technologies.com/online-xsd-validator

Both validate, the error must come from Eclipse, forget it.

> [CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps
>
>                 Key: OFBIZ-13130
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-13130
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ALL APPLICATIONS, ALL COMPONENTS, ALL PLUGINS
>    Affects Versions: 18.12.15
>            Reporter: Sebastian Tschikin
>            Assignee: Sebastian Tschikin
>            Priority: Major
>             Fix For: 18.12.16
>
> If a user is not authorized, the system should not allow access to rendered views.
> Additionally, the default for the request-map parameters "auth" and "https" should be set to "true".
> This improvement aims to enhance security by preventing unauthorized access.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
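The issue description above talks about two controller settings: the request-map "auth"/"https" flags, whose defaults the issue changes to "true", and a permission check on view-maps (the `auth` attribute on `view-map` that the Eclipse validator in this thread complains about). The fragment below is an added example, not from the OFBiz code base or from this issue: a minimal controller.xml that puts the weak form beside the hardened form. The `<request-map>`/`<security>`/`<response>`/`<view-map>` elements are the standard OFBiz site-conf syntax; the uri, view name and screen path are made up, and the assumption that `view-map`'s `auth` attribute takes "true"/"false" is mine.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from OFBiz or from OFBIZ-13130.
     The uri/name/page values are invented for illustration. -->
<site-conf xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:noNamespaceSchemaLocation="https://ofbiz.apache.org/dtds/site-conf.xsd">

    <!-- WEAK: no <security> element, so the request inherits whatever the
         schema defaults for auth/https are (before 18.12.16 they were not
         "true"), and the view-map carries no auth attribute, so reaching the
         view name is enough to have it rendered. -->
    <request-map uri="ExampleReport">
        <response name="success" type="view" value="ExampleReport"/>
    </request-map>
    <view-map name="ExampleReport" type="screen"
              page="component://example/widget/ExampleScreens.xml#ExampleReport"/>

    <!-- HARDENED: state auth/https explicitly on the request-map so the
         controller requires a logged-in user over HTTPS regardless of the
         schema defaults in use, and set auth="true" on the view-map (the
         attribute this issue adds; assumed boolean here) so an unauthorized
         user is refused the rendered view as well. -->
    <request-map uri="ExampleReportSecure">
        <security https="true" auth="true"/>
        <response name="success" type="view" value="ExampleReportSecure"/>
    </request-map>
    <view-map name="ExampleReportSecure" type="screen" auth="true"
              page="component://example/widget/ExampleScreens.xml#ExampleReport"/>
</site-conf>
```

To reproduce the check Jacques did from the command line, validate the controller file against the schema shipped with the fixed release, e.g. `xmllint --noout --schema site-conf.xsd controller.xml`; a copy of site-conf.xsd from before 18.12.16 does not declare `auth` on `view-map` and will reject the hardened view-map with the same cvc-complex-type.3.2.2 message quoted in this thread.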
[jira] [Commented] (OFBIZ-13130) [CVE-2024-45195] Add permission check for view-maps and change defaults for request-maps
[ https://issues.apache.org/jira/browse/OFBIZ-13130?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895565#comment-17895565 ]

Jacques Le Roux commented on OFBIZ-13130:
-----------------------------------------

Hi Sebastian,

Sorry to bother you. I stumbled upon a weird issue in Eclipse while browsing a controller file with "auth=" in (e.g. common-controller.xml).

While over "auth=", it says:

    cvc-complex-type.3.2.2: Attribute 'auth' is not allowed to appear in element 'view-map'.

I checked all is correct in site-conf.xsd and it's present at https://ofbiz.apache.org/dtds/site-conf.xsd

It's not a big deal but I really wonder why this happens.