Skip to content

Commit a343812

Browse files
committed
Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
The SOAP and HTTP engines are open doors to security issues. At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them out as we did for RMI in the past. Of cause it must be clearly documented how to use them if needed. Here is the email content: After the recent fix for the CVE-2021-26295[1] we discussed with the security team about the opportunity need to comment out the SOAP and HTTP engines like we did in the past for RMI[2], this obviously for security reason. [1] OFBIZ-12167 "Adds a blacklist (to be renamed soon to denylist) in Java serialisation (CVE-2021-26295)" [2] OFBIZ-6942 "Comment out RMI related code because of the Java deserialization issue [CVE-2016-2170] " I just put a small comment in webtools and scrumm controllers, it should be enough. The tests pass
1 parent 57d2442 commit a343812

File tree

2 files changed

+8
-7
lines changed

2 files changed

+8
-7
lines changed

ecommerce/webapp/ecommerce/WEB-INF/controller.xml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -26,7 +26,7 @@ under the License.
2626

2727
<handler name="java" type="request" class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
2828
<handler name="groovy" type="request" class="org.apache.ofbiz.webapp.event.GroovyEventHandler"/>
29-
<handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/>
29+
<!-- <handler name="soap" type="request" class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
3030
<handler name="service" type="request" class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
3131
<handler name="service-multi" type="request" class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
3232
<handler name="simple" type="request" class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/>
@@ -136,7 +136,7 @@ under the License.
136136
<request-map uri="setSessionLocale">
137137
<security https="false" auth="false"/>
138138
<event type="java" path="org.apache.ofbiz.common.CommonEvents" invoke="setSessionLocale"/>
139-
<response name="success" type="request-redirect" value="fromSetSessionLocale"/>
139+
<response name="success" type="request-redirect" value="fromSetSessionLocale"/>
140140
<response name="error" type="view" value="main"/>
141141
</request-map>
142142

scrum/servicedef/services.xml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -221,14 +221,14 @@ under the License.
221221
<service name="checkSprintStatus" engine="simple" auth="true"
222222
location="component://scrum/minilang/ScrumServices.xml" invoke="checkSprintStatus">
223223
</service>
224-
<service name="checkScrumPlanHour" engine="simple" auth="true"
224+
<service name="checkScrumPlanHour" engine="simple" auth="true"
225225
location="component://scrum/minilang/ScrumServices.xml" invoke="checkScrumPlanHour">
226226
<attribute name="workEffortId" type="String" mode="IN" optional="true"/>
227227
<attribute name="custRequestId" type="String" mode="IN" optional="true"/>
228228
<attribute name="planHours" type="Double" mode="IN" optional="true"/>
229229
<attribute name="allow" type="Boolean" mode="OUT" optional="false"/>
230230
</service>
231-
<service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
231+
<service name="reOrderProductBacklogItemSequenceNumber" engine="simple" auth="true"
232232
location="component://scrum/minilang/ScrumServices.xml" invoke="reOrderProductBacklogItemSequenceNumber">
233233
<attribute name="productId" type="String" mode="IN" optional="false"/>
234234
</service>
@@ -245,10 +245,11 @@ under the License.
245245
<attribute name="custRequestStatusId" mode="IN" type="String" optional="true"/>
246246
<attribute name="webSiteId" mode="IN" type="String" optional="true"/><!-- for notification services -->
247247
</service>
248-
<service name="updateScrumRevision" engine="soap" export="true"
248+
<!-- The service below has been commented out for security reason, see OFBIZ-12212 -->
249+
<!-- <service name="updateScrumRevision" engine="soap" export="true"
249250
location="http://www.example.com/webtools/control/SOAPService" invoke="updateScrumRevisionChange">
250251
<implements service="updateScrumRevisionChange"/>
251-
</service>
252+
</service> -->
252253
<service name="updateScrumRevisionChange" engine="simple" export="true" validate="false" require-new-transaction="true"
253254
location="component://scrum/minilang/ScrumServices.xml" invoke="updateScrumRevisionChange">
254255
<description>Update Scrum Revision Change</description>
@@ -281,7 +282,7 @@ under the License.
281282

282283
<service name="linkToProduct" engine="java" auth="true"
283284
location="org.apache.ofbiz.scrum.ScrumServices" invoke="linkToProduct">
284-
<description>check when a comunication event is created if the subject contains the PD# string, if so
285+
<description>check when a comunication event is created if the subject contains the PD# string, if so
285286
try to find the customer request and link it to the communication event..
286287
</description>
287288
<attribute name="communicationEventId" type="String" mode="IN" optional="false"/>

0 commit comments

Comments
 (0)