[ https://issues.apache.org/jira/browse/OFBIZ-11349?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17039986#comment-17039986 ]

ASF subversion and git services commented on OFBIZ-11349:
---------------------------------------------------------

Commit 01bd096dc6b75827015452c6031770858b1b8511 in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=01bd096 ]

Fixed: The "stream" request-map in ecommerce and commonext controllers
requires authentication
(OFBIZ-11349)

Thanks: Michael for reporting a possible issue when only commenting out the "stream"
request-map in the commonext controller, and Jacopo for suggesting to require
authentication (after suggesting to comment out)

It should also be noted that when the CSRF defense implementation is in
place, all XSS vulnerabilities w/o authentication will no longer be possible,
because then all requests shall contain a CSRF token.


> The "stream" request-map in ecommerce and commonext controllers requires 
> authentication
> ---------------------------------------------------------------------------------------
>
>                 Key: OFBIZ-11349
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11349
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ecommerce
>    Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Priority: Major
>
> For security reasons, the "stream" request-map
> # in the ecommerce controller has been temporarily commented out.
> # in the commonext controller has been changed to require authentication.
> We will need to
> # put back the functionalities allowed by the "stream" request-map in
> ecommerce.
> # later check that mandatory authentication in the commonext controller has no impact.
> *Eventually it turned out that we simply needed to require authentication in
> both cases (back and front ends). Because in the ecommerce/ecomseo webapps the
> stream request is only used to post images in blog entries and you need to be
> logged in to do so.*
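The controller change described in the commit and issue above, as an added illustration that is not the committed code: an OFBiz controller.xml request-map for "stream" before and after the fix. In OFBiz the `<security https="true" auth="true"/>` element is what forces a logged-in user; the event handler class and method shown are assumptions about the real controller, not copied from the page.

```xml
<!-- Before: anonymous callers can reach the stream handler (weak setting). -->
<request-map uri="stream">
    <security https="true" auth="false"/>
    <!-- Handler name is an assumption, not taken from the issue. -->
    <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>

<!-- After (the approach taken in OFBIZ-11349 for both back and front ends):
     the request now requires an authenticated session, so an unauthenticated
     request is redirected to the login flow instead of being served. -->
<request-map uri="stream">
    <security https="true" auth="true"/>
    <event type="java" path="org.apache.ofbiz.content.data.DataEvents" invoke="serveObjectData"/>
    <response name="success" type="none"/>
    <response name="error" type="none"/>
</request-map>
```

To verify the change in a running instance, request the stream URI without a session cookie and confirm you receive the login page rather than the served content.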



--
This message was sent by Atlassian Jira
(v8.3.4#803005)