Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues.
At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out
as we did for RMI in the past.
Of cause it must be clearly documented how to use them if needed.

Here is the email content:

    After the recent fix for the CVE-2021-26295[1] we discussed with the security
    team about the opportunity need to comment out the SOAP and HTTP engines
    like we did in the past for RMI[2], this obviously for security reason.

    [1] OFBIZ-12167 "Adds a blacklist (to be
    renamed soon to denylist) in Java serialisation (CVE-2021-26295)"
    [2] OFBIZ-6942 "Comment out RMI related
    code because of the Java deserialization issue [CVE-2016-2170] "

I just put a small comment in webtools and scrumm controllers, it should be
enough.

The tests pass
  • Loading branch information
JacquesLeRoux committed Mar 29, 2021
1 parent 57d2442 commit a343812
Show file tree
Hide file tree
Showing 2 changed files with 8 additions and 7 deletions.
4 changes: 2 additions & 2 deletions ecommerce/webapp/ecommerce/WEB-INF/controller.xml
Expand Up @@ -26,7 +26,7 @@ under the License.

<handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
<handler name="groovy" type="request" class="org.apache.ofbiz.webapp.event.GroovyEventHandler"/>
<handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/>
<!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
<handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
<handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
<handler name="simple" type="request" class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/>
Expand Down Expand Up @@ -136,7 +136,7 @@ under the License.
<request-map uri="setSessionLocale">
<security https="false" auth="false"/>
<event type="java" path="org.apache.ofbiz.common.CommonEvents" invoke="setSessionLocale"/>
<response name="success" type="request-redirect" value="fromSetSessionLocale"/>
<response name="success" type="request-redirect" value="fromSetSessionLocale"/>
<response name="error" type="view" value="main"/>
</request-map>

Expand Down
11 changes: 6 additions & 5 deletions scrum/servicedef/services.xml
Expand Up @@ -221,14 +221,14 @@ under the License.
<service name="checkSprintStatus" engine="simple" auth="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="checkSprintStatus">
</service>
<service name="checkScrumPlanHour" engine="simple" auth="true"
<service name="checkScrumPlanHour" engine="simple" auth="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="checkScrumPlanHour">
<attribute name="workEffortId" type="String" mode="IN" optional="true"/>
<attribute name="custRequestId" type="String" mode="IN" optional="true"/>
<attribute name="planHours" type="Double" mode="IN" optional="true"/>
<attribute name="allow" type="Boolean" mode="OUT" optional="false"/>
</service>
<service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
<service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="reOrderProductBacklogItemSequenceNumber">
<attribute name="productId" type="String" mode="IN" optional="false"/>
</service>
Expand All @@ -245,10 +245,11 @@ under the License.
<attribute name="custRequestStatusId" mode="IN" type="String" optional="true"/>
<attribute name="webSiteId" mode="IN" type="String" optional="true"/><!-- for notification services -->
</service>
<service name="updateScrumRevision" engine="soap" export="true"
<!-- The service below has been commented out for security reason, see OFBIZ-12212 -->
<!-- <service name="updateScrumRevision" engine="soap" export="true"
location="http://www.example.com/webtools/control/SOAPService" invoke="updateScrumRevisionChange">
<implements service="updateScrumRevisionChange"/>
</service>
</service> -->
<service name="updateScrumRevisionChange" engine="simple" export="true" validate="false" require-new-transaction="true"
location="component://scrum/minilang/ScrumServices.xml" invoke="updateScrumRevisionChange">
<description>Update Scrum Revision Change</description>
Expand Down Expand Up @@ -281,7 +282,7 @@ under the License.

<service name="linkToProduct" engine="java" auth="true"
location="org.apache.ofbiz.scrum.ScrumServices" invoke="linkToProduct">
<description>check when a comunication event is created if the subject contains the PD# string, if so
<description>check when a comunication event is created if the subject contains the PD# string, if so
try to find the customer request and link it to the communication event..
</description>
<attribute name="communicationEventId" type="String" mode="IN" optional="false"/>
Expand Down

0 comments on commit a343812

Please sign in to comment.