ofbiz-commits mailing list archives

From jler...@apache.org
Subject svn commit: r1845421 - in /ofbiz/ofbiz-framework/branches/release17.12: ./ applications/content/src/main/java/org/apache/ofbiz/content/cms/CmsEvents.java
Date Thu, 01 Nov 2018 09:40:01 GMT
Author: jleroux
Date: Thu Nov  1 09:40:01 2018
New Revision: 1845421

URL: http://svn.apache.org/viewvc?rev=1845421&view=rev
Log:
"Applied fix from trunk for revision: 1845420" 
------------------------------------------------------------------------
r1845420 | jleroux | 2018-11-01 10:39:17 +0100 (jeu. 01 nov. 2018) | 20 lignes

Fixed: Missing Security and Cache Headers in CMS Events
Fixed:
(OFBIZ-10597)

While rendering the view through the controller request we set the important
security headers like X-Frame-Options, Strict-Transport-Security,
X-Content-Type-Options, X-XSS-Protection and Referrer-Policy etc. in the
response object. (Please see the 'renderView' method of the RequestHandler class.)

In the same way, we set the cache related headers like Expires,
Last-Modified, Cache-Control and Pragma.

But these security headers are missing in the pages rendered through CMS.
(Please visit the CmsEvents class).

These headers are very crucial for the security of the application as they help
to prevent various security threats like cross-site scripting,
cross-site request forgery, clickjacking etc.

Thanks: Deepak Nigam for initial patch and review
------------------------------------------------------------------------
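A header audit a reviewer can run against the headers of a CMS-rendered page to confirm this fix took effect, written here as an added example (not OFBiz code and not part of the commit); the header names are those listed in the commit message, while the expected values and the two sample responses are assumptions constructed for the demonstration.

```python
from typing import Callable, Dict, List

# Security headers named in the commit message, with a sanity check on each
# value (assumption: these are typical hardened values, not OFBiz's own).
SECURITY_CHECKS: Dict[str, Callable[[str], bool]] = {
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-xss-protection": lambda v: v.split(";")[0].strip() in ("0", "1"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Cache headers named in the commit message; a browser/proxy no-cache response
# should disable caching and carry an already-expired Expires date.
CACHE_CHECKS: Dict[str, Callable[[str], bool]] = {
    "cache-control": lambda v: any(t in v.lower() for t in ("no-cache", "no-store")),
    "pragma": lambda v: v.strip().lower() == "no-cache",
    "expires": lambda v: v.strip() in ("0", "-1") or "1970" in v,
    "last-modified": lambda v: bool(v.strip()),
}


def audit_headers(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {'missing': [...], 'weak': [...]} for one response's headers.
    Names are compared case-insensitively, as HTTP header names are."""
    lowered = {k.lower(): v for k, v in headers.items()}
    report: Dict[str, List[str]] = {"missing": [], "weak": []}
    for name, ok in {**SECURITY_CHECKS, **CACHE_CHECKS}.items():
        if name not in lowered:
            report["missing"].append(name)
        elif not ok(lowered[name]):
            report["weak"].append(name)
    return report


# Constructed samples: a CMS page response before the fix (content headers
# only) and after it (security plus no-cache headers present).
BEFORE_FIX = {"Content-Type": "text/html;charset=UTF-8", "Content-Length": "1234"}
AFTER_FIX = {
    "Content-Type": "text/html;charset=UTF-8",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Cache-Control": "no-cache, no-store, must-revalidate",
    "Pragma": "no-cache",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",
    "Last-Modified": "Thu, 01 Nov 2018 09:40:01 GMT",
}
```

Feed `audit_headers` the header map of a real response (for example from `requests` or `curl -I`) and an empty `missing` and `weak` list means the page carries every header the commit intends.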

Modified:
    ofbiz/ofbiz-framework/branches/release17.12/   (props changed)
    ofbiz/ofbiz-framework/branches/release17.12/applications/content/src/main/java/org/apache/ofbiz/content/cms/CmsEvents.java

Propchange: ofbiz/ofbiz-framework/branches/release17.12/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Thu Nov  1 09:40:01 2018
@@ -10,4 +10,4 @@
 /ofbiz/branches/json-integration-refactoring:1634077-1635900
 /ofbiz/branches/multitenant20100310:921280-927264
 /ofbiz/branches/release13.07:1547657
-/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418
+/ofbiz/ofbiz-framework/trunk:1819499,1819598,1819800,1819805,1819811,1820038,1820262,1820374-1820375,1820441,1820457,1820644,1820658,1820790,1820823,1820949,1820966,1821012,1821036,1821112,1821115,1821144,1821186,1821219,1821226,1821230,1821386,1821613,1821628,1821965,1822125,1822310,1822377,1822383,1822393,1823467,1823562,1823876,1824314,1824316,1824732,1824803,1824847,1824855,1825192,1825211,1825216,1825233,1825450,1826374,1826502,1826592,1826671,1826674,1826805,1826938,1826997,1827439,1828255,1828316,1828346,1828424,1828512,1828514,1829690,1830936,1831074,1831078,1831234,1831608,1831831,1832577,1832662,1832756,1832800,1832944,1833173,1833211,1834181,1834191,1834736,1835235,1835887,1835891,1835953,1835964,1836144,1836871,1837857,1838032,1838256,1838381,1840189,1840199,1840828,1841657,1841662,1842372,1842921,1843225,1843893,1844943,1845418,1845420

Modified: ofbiz/ofbiz-framework/branches/release17.12/applications/content/src/main/java/org/apache/ofbiz/content/cms/CmsEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/branches/release17.12/applications/content/src/main/java/org/apache/ofbiz/content/cms/CmsEvents.java?rev=1845421&r1=1845420&r2=1845421&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/branches/release17.12/applications/content/src/main/java/org/apache/ofbiz/content/cms/CmsEvents.java
(original)
+++ ofbiz/ofbiz-framework/branches/release17.12/applications/content/src/main/java/org/apache/ofbiz/content/cms/CmsEvents.java
Thu Nov  1 09:40:01 2018
@@ -288,6 +288,11 @@ public class CmsEvents {
                 RequestHandler rh = (RequestHandler) ctx.getAttribute("_REQUEST_HANDLER_");
                 templateMap.put("_REQUEST_HANDLER_", rh);
 
+                //Cache Headers
+                UtilHttp.setResponseBrowserProxyNoCache(response);
+                //Security Headers
+                UtilHttp.setResponseBrowserDefaultSecurityHeaders(response, null);
+
                 response.setStatus(statusCode);
 
                 try {
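Review bot: the second argument of `UtilHttp.setResponseBrowserDefaultSecurityHeaders(response, null)` is null, so the call relies on whatever the method does when no configuration object is supplied; a one-line comment stating that this is intended because CMS pages are not dispatched through a controller view (and so have no view configuration to pass) would save the next reader a trip into UtilHttp. The two new calls also sit in a single code path just before `response.setStatus(statusCode)`; if CmsEvents has other paths that write a response body (error or not-found rendering), they need the same two calls, otherwise those pages still go out without security and cache headers. Style: `//Cache Headers` and `//Security Headers` lack a space after `//`; `// Cache headers` reads better.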


