Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)

JacquesLeRoux · JacquesLeRoux · commit a3438121d8f5 · 2021-03-29T13:29:58.000+02:00
The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past. Of cause it must be clearly documented how to use them if needed. Here is the email content: After the recent fix for the CVE-2021-26295[1] we discussed with the security team about the opportunity need to comment out the SOAP and HTTP engines like we did in the past for RMI[2], this obviously for security reason. [1] OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)" [2] OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] " I just put a small comment in webtools and scrumm controllers, it should be enough. The tests pass
diff --git a/ecommerce/webapp/ecommerce/WEB-INF/controller.xml b/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
@@ -26,7 +26,7 @@ under the License.
 
     <handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
     <handler name="groovy" type="request" class="org.apache.ofbiz.webapp.event.GroovyEventHandler"/>
-    <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/>
+    <!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
     <handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
     <handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
     <handler name="simple" type="request" class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/>
@@ -136,7 +136,7 @@ under the License.
     <request-map uri="setSessionLocale">
         <security https="false" auth="false"/>
         <event type="java" path="org.apache.ofbiz.common.CommonEvents" invoke="setSessionLocale"/>
-        <response name="success" type="request-redirect" value="fromSetSessionLocale"/>        
+        <response name="success" type="request-redirect" value="fromSetSessionLocale"/>
         <response name="error" type="view" value="main"/>
     </request-map>
 
diff --git a/scrum/servicedef/services.xml b/scrum/servicedef/services.xml
@@ -221,14 +221,14 @@ under the License.
     <service name="checkSprintStatus" engine="simple" auth="true"
         location="component://scrum/minilang/ScrumServices.xml" invoke="checkSprintStatus">
     </service>
-    <service name="checkScrumPlanHour" engine="simple" auth="true" 
+    <service name="checkScrumPlanHour" engine="simple" auth="true"
         location="component://scrum/minilang/ScrumServices.xml" invoke="checkScrumPlanHour">
         <attribute name="workEffortId" type="String" mode="IN" optional="true"/>
         <attribute name="custRequestId" type="String" mode="IN" optional="true"/>
         <attribute name="planHours" type="Double" mode="IN" optional="true"/>
         <attribute name="allow" type="Boolean" mode="OUT" optional="false"/>
     </service>
-    <service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true" 
+    <service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
         location="component://scrum/minilang/ScrumServices.xml" invoke="reOrderProductBacklogItemSequenceNumber">
         <attribute name="productId" type="String" mode="IN" optional="false"/>
     </service>
@@ -245,10 +245,11 @@ under the License.
         <attribute name="custRequestStatusId" mode="IN" type="String" optional="true"/>
         <attribute name="webSiteId" mode="IN" type="String" optional="true"/><!-- for notification services -->
     </service>
-    <service name="updateScrumRevision" engine="soap" export="true"
+    <!-- The service below has been commented out for security reason, see OFBIZ-12212 -->
+    <!-- <service name="updateScrumRevision" engine="soap" export="true"
         location="http://www.example.com/webtools/control/SOAPService" invoke="updateScrumRevisionChange">
         <implements service="updateScrumRevisionChange"/>
-    </service>
+    </service> -->
     <service name="updateScrumRevisionChange" engine="simple" export="true" validate="false" require-new-transaction="true"
             location="component://scrum/minilang/ScrumServices.xml" invoke="updateScrumRevisionChange">
         <description>Update Scrum Revision Change</description>
@@ -281,7 +282,7 @@ under the License.
     
     <service name="linkToProduct" engine="java" auth="true"
         location="org.apache.ofbiz.scrum.ScrumServices" invoke="linkToProduct">
-        <description>check when a comunication event is created if the subject contains the PD# string, if so 
+        <description>check when a comunication event is created if the subject contains the PD# string, if so
                 try to find the customer request and link it to the communication event..
         </description>
         <attribute name="communicationEventId" type="String" mode="IN" optional="false"/>
