ofbiz-notifications mailing list archives

From "ASF subversion and git services (Jira)" <j...@apache.org>
Subject [jira] [Commented] (OFBIZ-11349) The "stream" request-map in ecommerce and commonext controllers requires authentication
Date Wed, 19 Feb 2020 13:05:00 GMT

[ https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039999#comment-17039999 ]

ASF subversion and git services commented on OFBIZ-11349:
---------------------------------------------------------

Commit 90b2d6c9bff50bf9796ffd6e09fe31bcb51f7c33 in ofbiz-plugins's branch refs/heads/release18.12
from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=90b2d6c ]

Fixed: The "stream" request-map in ecommerce and commonext controllers
requires authentication
(OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting out the "stream"
request-map in the commonext controller. And Jacopo for suggesting to require
authentication (after suggesting to comment out).

It should also be noted that when the CSRF defense implementation is in
place, all XSS vulnerabilities w/o authentication will no longer be possible,
because then all requests shall contain a CSRF token.


> The "stream" request-map in ecommerce and commonext controllers requires authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-11349
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11349
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Priority: Major
>
> For security reasons, the "stream" request-map
> # in the ecommerce controller has been temporarily commented out.
> # in the commonext controller has been changed to require authentication.
> We will need to
> # put back the functionalities allowed by the "stream" request-map in ecommerce.
> # later check that mandatory authentication in the commonext controller has no impact.
> *Eventually it turned out that we simply needed to require authentication in both cases
> (back and front ends). Because in the ecommerce/ecomseo webapps the stream request is only used
> to post images in blog entries and you need to be logged in to do so.*



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
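As an added illustration of the shape of this fix (this is not the commit's diff and not copied from the OFBiz source), the relevant setting lives in the webapp's controller.xml: the `<security>` child of the "stream" request-map. With `auth="false"` the ControlServlet dispatches the streaming event for any caller; with `auth="true"` it requires a logged-in userLogin in the session and sends unauthenticated requests to the login view before the event runs. The `path`/`invoke` values below are assumed placeholders for whatever event the real request-map points at, not a claim about the project's actual values:

```xml
<!-- Illustrative only: assumed event path/invoke, not the exact OFBiz source. -->

<!-- Before: reachable without a session, so any anonymous client can drive the
     streaming event and whatever it serves. -->
<request-map uri="stream">
    <security https="true" auth="false"/>
    <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveImage"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>

<!-- After (what OFBIZ-11349 settled on for both the ecommerce and commonext
     controllers): auth="true" makes the control servlet check for an
     authenticated userLogin before the event is invoked; without one the
     request is redirected to the login view and the data is never streamed. -->
<request-map uri="stream">
    <security https="true" auth="true"/>
    <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveImage"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>
```

A quick check after deploying such a change is to request `/<webapp>/control/stream` with the usual parameters from a client that holds no session cookie: the response should be the login page (or a redirect to it), not the streamed object. Commenting the request-map out entirely, as was first done for ecommerce, also closes the anonymous path but breaks the logged-in blog image use the issue describes, which is why requiring authentication was preferred.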
