This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release24.09
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release24.09 by this push:
     new 1c714fd8c8 Improved: Comment out the SOAP and HTTP engines 
(OFBIZ-12212)
1c714fd8c8 is described below

commit 1c714fd8c89e83437748140342e68e664f48cc15
Author: Jacques Le Roux <[email protected]>
AuthorDate: Sat Jan 31 16:43:18 2026 +0100

    Improved: Comment out the SOAP and HTTP engines (OFBIZ-12212)
    
    The SOAP and HTTP engines are open doors to security issues.
    At https://markmail.org/message/pgtjyh23bazq4s2w I proposed to comment them 
out
    as we did for RMI in the past.
---
 framework/common/webcommon/WEB-INF/handlers-controller.xml | 5 ++++-
 framework/webtools/webapp/webtools/WEB-INF/controller.xml  | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/framework/common/webcommon/WEB-INF/handlers-controller.xml 
b/framework/common/webcommon/WEB-INF/handlers-controller.xml
index a0ed915baa..b1de710c83 100644
--- a/framework/common/webcommon/WEB-INF/handlers-controller.xml
+++ b/framework/common/webcommon/WEB-INF/handlers-controller.xml
@@ -24,7 +24,10 @@ under the License.
 
     <!-- event handlers -->
     <handler name="java" type="request" 
class="org.apache.ofbiz.webapp.event.JavaEventHandler"/>
-    <!-- <handler name="soap" type="request" 
class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
+    <!-- The service below have been commented out for security reason, see 
OFBIZ-12212  -->
+    <!-- If you feel it's ok with you (e.g. totally secured Internet access, 
or rather
+         no access at all which is safer!) you may uncomment and use. -->
+     <!-- <handler name="soap" type="request" 
class="org.apache.ofbiz.webapp.event.SOAPEventHandler"/> -->
     <handler name="service" type="request" 
class="org.apache.ofbiz.webapp.event.ServiceEventHandler"/>
     <handler name="service-multi" type="request" 
class="org.apache.ofbiz.webapp.event.ServiceMultiEventHandler"/>
     <handler name="simple" type="request" 
class="org.apache.ofbiz.webapp.event.SimpleEventHandler"/>
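Review bot: The added comment lets operators uncomment the SOAP handler "if you feel it's ok", which names no concrete condition for re-enabling a request handler that was disabled for security reasons; the same sentence is added in the second hunk (webtools controller.xml, above the commented-out httpService request-map). I would state the condition and fix the grammar, e.g. `<!-- The handler below has been commented out for security reasons, see OFBIZ-12212. -->` followed by `<!-- Re-enable it only if this endpoint cannot be reached from untrusted networks. -->`. The re-added commented-out `<handler name="soap" ...>` line is indented five spaces where its sibling handlers use four. The removed line was already a comment, so this hunk does not itself disable anything; presumably the handler was commented out earlier on this branch, and it would be worth saying so in the commit message.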
diff --git a/framework/webtools/webapp/webtools/WEB-INF/controller.xml 
b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
index 043048466f..d40d30e324 100644
--- a/framework/webtools/webapp/webtools/WEB-INF/controller.xml
+++ b/framework/webtools/webapp/webtools/WEB-INF/controller.xml
@@ -87,6 +87,8 @@ under the License.
 
     <!-- Begin Utility Requests -->
     <!-- The 2 services below have been commented out for security reason, see 
OFBIZ-12212  -->
+    <!-- If you feel it's ok with you (e.g. totally secured Internet access, 
or rather
+         no access at all which is safer!) you may uncomment and use. -->
     <!-- <request-map uri="httpService">
         <event type="java" path="org.apache.ofbiz.service.engine.HttpEngine" 
invoke="httpEngine"/>
         <response name="success" type="none"/>
