Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past. Of course it must be clearly documented how to use them if needed. Here is the email content:

After the recent fix for CVE-2021-26295 [1] we discussed with the security team the need to comment out the SOAP and HTTP engines like we did in the past for RMI [2], obviously for security reasons.

[1] OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
[2] OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170]"

I just put a small comment in the webtools and scrumm controllers, it should be enough. The tests pass.
1 parent: 57d2442
commit: a343812
Showing 2 changed files with 8 additions and 7 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.