Re: svn commit: r1705331 [1/2] - in /ofbiz/branches/release14.12: ./ applications/accounting/webapp/accounting/reports/ applications/content/src/org/ofbiz/content/content/ applications/order/src/org/o
Hi Jacques,

ecommerce is broken, I think you missed some groovy file where description, name is used directly. like

categoryDescription = categoryContentWrapper.DESCRIPTION;

I am getting following error while accessing ecommerce on updated local box:
{code}
[java] Caused by: java.lang.IllegalArgumentException: Error running script at location [component://order/webapp/ordermgr/WEB-INF/actions/entry/catalog/Category.groovy]: groovy.lang.MissingPropertyException: No such property: DESCRIPTION for class: org.ofbiz.product.category.CategoryContentWrapper
{code}

Thanks & Regards
—
Deepak Dixit

> On Sep 25, 2015, at 10:14 PM, Jacques Le Roux wrote:
>
> I did not backport to older releases because of too many conflicts, anyway it's a low vulnerability
>
> Jacques
>
> On 25/09/2015 18:34, jler...@apache.org wrote:
>> Author: jleroux
>> Date: Fri Sep 25 16:34:34 2015
>> New Revision: 1705331
>>
>> URL: http://svn.apache.org/viewvc?rev=1705331=rev
>> Log:
>> "Applied fix from trunk for revision: 1705329 " (conflicts handled by hand)
>>
>> r1705329 | jleroux | 2015-09-25 18:27:12 +0200 (ven. 25 sept. 2015) | 20 lignes
>>
>> I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText() which is notably used in several FTL files. This exists also in others *ContentWrapper.java.
>> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.
>>
>> This fixes it by changing the ContentWrapper interface
>> from
>> public interface ContentWrapper {
>>     public StringUtil.StringWrapper get(String contentTypeId);
>> }
>> to
>> public interface ContentWrapper {
>>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
>> }
>>
>> And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrapperS accordingly. This means to use 2 types of encoderTypes: "html" and "url".
>> The "html" encoderType will be used for all ProductContentTypes but those who contain URL in their ContentTypeIdS (actually end with, "_URL") which will use "url" encoderType.
>> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
>>
>> It seems a big change but it's straightforward. It's normally complete.
>>
>> There are some (unrelated) tabs replaced by spaces here and there, and few trailing spaces removed but nothing big
>>
>> Modified:
>>     ofbiz/branches/release14.12/ (props changed)
>>     ofbiz/branches/release14.12/applications/accounting/webapp/accounting/reports/SalesInvoiceByProductCategorySummary.ftl
>>     ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWrapper.java
>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderReturnServices.java
>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartItem.java
>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/product/ProductPromoWorker.java
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/SplitShip.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/cart/showcartitems.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/breadcrumbs.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/categorydetail.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproducts.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproductslist.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/configproductdetail.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/inlineProductDetail.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productdetail.ftl
>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
Re: svn commit: r1705331 [1/2] - in /ofbiz/branches/release14.12: ./ applications/accounting/webapp/accounting/reports/ applications/content/src/org/ofbiz/content/content/ applications/order/src/org/o
Hi Jacques,

Can we add the get method with default encoding to maintain the backward compatibility?

Thanks & Regards
—
Deepak Dixit

> On Sep 26, 2015, at 2:54 PM, Deepak Dixit wrote:
>
> Hi Jacques,
>
> ecommerce is broken, I think you missed some groovy file where description, name is used directly. like
>
> categoryDescription = categoryContentWrapper.DESCRIPTION;
>
> I am getting following error while accessing ecommerce on updated local box:
> {code}
> [java] Caused by: java.lang.IllegalArgumentException: Error running script at location [component://order/webapp/ordermgr/WEB-INF/actions/entry/catalog/Category.groovy]: groovy.lang.MissingPropertyException: No such property: DESCRIPTION for class: org.ofbiz.product.category.CategoryContentWrapper
> {code}
>
> Thanks & Regards
> —
> Deepak Dixit
>
>> On Sep 25, 2015, at 10:14 PM, Jacques Le Roux wrote:
>>
>> I did not backport to older releases because of too many conflicts, anyway it's a low vulnerability
>>
>> Jacques
>>
>> On 25/09/2015 18:34, jler...@apache.org wrote:
>>> Author: jleroux
>>> Date: Fri Sep 25 16:34:34 2015
>>> New Revision: 1705331
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1705331=rev
>>> Log:
>>> "Applied fix from trunk for revision: 1705329 " (conflicts handled by hand)
>>>
>>> r1705329 | jleroux | 2015-09-25 18:27:12 +0200 (ven. 25 sept. 2015) | 20 lignes
>>>
>>> I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText() which is notably used in several FTL files. This exists also in others *ContentWrapper.java.
>>> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.
>>>
>>> This fixes it by changing the ContentWrapper interface
>>> from
>>> public interface ContentWrapper {
>>>     public StringUtil.StringWrapper get(String contentTypeId);
>>> }
>>> to
>>> public interface ContentWrapper {
>>>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
>>> }
>>>
>>> And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrapperS accordingly. This means to use 2 types of encoderTypes: "html" and "url".
>>> The "html" encoderType will be used for all ProductContentTypes but those who contain URL in their ContentTypeIdS (actually end with, "_URL") which will use "url" encoderType.
>>> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
>>>
>>> It seems a big change but it's straightforward. It's normally complete.
>>>
>>> There are some (unrelated) tabs replaced by spaces here and there, and few trailing spaces removed but nothing big
>>>
>>> Modified:
>>>     ofbiz/branches/release14.12/ (props changed)
>>>     ofbiz/branches/release14.12/applications/accounting/webapp/accounting/reports/SalesInvoiceByProductCategorySummary.ftl
>>>     ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWrapper.java
>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderReturnServices.java
>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartItem.java
>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/product/ProductPromoWorker.java
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/SplitShip.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/cart/showcartitems.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/breadcrumbs.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/categorydetail.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproducts.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproductslist.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/configproductdetail.ftl
Re: svn commit: r1705331 [1/2] - in /ofbiz/branches/release14.12: ./ applications/accounting/webapp/accounting/reports/ applications/content/src/org/ofbiz/content/content/ applications/order/src/org/o
I just spotted some others in FTL files, handling them...

Jacques

On 26/09/2015 13:03, Jacques Le Roux wrote:
> Hi Deepak,
>
> I just spotted that before committing r1705405. I will handle that now
>
> Also while automatically (but handling conflicts by hand) I (it?) also missed some class files (see r1705406).
>
> Thanks
>
> Jacques
>
> On 26/09/2015 11:24, Deepak Dixit wrote:
>> Hi Jacques,
>>
>> ecommerce is broken, I think you missed some groovy file where description, name is used directly. like
>>
>> categoryDescription = categoryContentWrapper.DESCRIPTION;
>>
>> I am getting following error while accessing ecommerce on updated local box:
>> {code}
>> [java] Caused by: java.lang.IllegalArgumentException: Error running script at location [component://order/webapp/ordermgr/WEB-INF/actions/entry/catalog/Category.groovy]: groovy.lang.MissingPropertyException: No such property: DESCRIPTION for class: org.ofbiz.product.category.CategoryContentWrapper
>> {code}
>>
>> Thanks & Regards
>> —
>> Deepak Dixit
>>
>>> On Sep 25, 2015, at 10:14 PM, Jacques Le Roux wrote:
>>>
>>> I did not backport to older releases because of too many conflicts, anyway it's a low vulnerability
>>>
>>> Jacques
>>>
>>> On 25/09/2015 18:34, jler...@apache.org wrote:
>>>> Author: jleroux
>>>> Date: Fri Sep 25 16:34:34 2015
>>>> New Revision: 1705331
>>>>
>>>> URL: http://svn.apache.org/viewvc?rev=1705331=rev
>>>> Log:
>>>> "Applied fix from trunk for revision: 1705329 " (conflicts handled by hand)
>>>>
>>>> r1705329 | jleroux | 2015-09-25 18:27:12 +0200 (ven. 25 sept. 2015) | 20 lignes
>>>>
>>>> I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText() which is notably used in several FTL files. This exists also in others *ContentWrapper.java.
>>>> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.
>>>>
>>>> This fixes it by changing the ContentWrapper interface
>>>> from
>>>> public interface ContentWrapper {
>>>>     public StringUtil.StringWrapper get(String contentTypeId);
>>>> }
>>>> to
>>>> public interface ContentWrapper {
>>>>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
>>>> }
>>>>
>>>> And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrapperS accordingly. This means to use 2 types of encoderTypes: "html" and "url".
>>>> The "html" encoderType will be used for all ProductContentTypes but those who contain URL in their ContentTypeIdS (actually end with, "_URL") which will use "url" encoderType.
>>>> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
>>>>
>>>> It seems a big change but it's straightforward. It's normally complete.
>>>>
>>>> There are some (unrelated) tabs replaced by spaces here and there, and few trailing spaces removed but nothing big
>>>>
>>>> Modified:
>>>>     ofbiz/branches/release14.12/ (props changed)
>>>>     ofbiz/branches/release14.12/applications/accounting/webapp/accounting/reports/SalesInvoiceByProductCategorySummary.ftl
>>>>     ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWrapper.java
>>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderReturnServices.java
>>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartItem.java
>>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/product/ProductPromoWorker.java
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/SplitShip.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/cart/showcartitems.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/breadcrumbs.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/categorydetail.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproducts.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproductslist.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/configproductdetail.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/inlineProductDetail.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productdetail.ftl
>>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
Re: svn commit: r1705331 [1/2] - in /ofbiz/branches/release14.12: ./ applications/accounting/webapp/accounting/reports/ applications/content/src/org/ofbiz/content/content/ applications/order/src/org/o
Hi Deepak,

I just spotted that before committing r1705405. I will handle that now

Also while automatically (but handling conflicts by hand) I (it?) also missed some class files (see r1705406).

Thanks

Jacques

On 26/09/2015 11:24, Deepak Dixit wrote:
> Hi Jacques,
>
> ecommerce is broken, I think you missed some groovy file where description, name is used directly. like
>
> categoryDescription = categoryContentWrapper.DESCRIPTION;
>
> I am getting following error while accessing ecommerce on updated local box:
> {code}
> [java] Caused by: java.lang.IllegalArgumentException: Error running script at location [component://order/webapp/ordermgr/WEB-INF/actions/entry/catalog/Category.groovy]: groovy.lang.MissingPropertyException: No such property: DESCRIPTION for class: org.ofbiz.product.category.CategoryContentWrapper
> {code}
>
> Thanks & Regards
> —
> Deepak Dixit
>
>> On Sep 25, 2015, at 10:14 PM, Jacques Le Roux wrote:
>>
>> I did not backport to older releases because of too many conflicts, anyway it's a low vulnerability
>>
>> Jacques
>>
>> On 25/09/2015 18:34, jler...@apache.org wrote:
>>> Author: jleroux
>>> Date: Fri Sep 25 16:34:34 2015
>>> New Revision: 1705331
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1705331=rev
>>> Log:
>>> "Applied fix from trunk for revision: 1705329 " (conflicts handled by hand)
>>>
>>> r1705329 | jleroux | 2015-09-25 18:27:12 +0200 (ven. 25 sept. 2015) | 20 lignes
>>>
>>> I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText() which is notably used in several FTL files. This exists also in others *ContentWrapper.java.
>>> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.
>>>
>>> This fixes it by changing the ContentWrapper interface
>>> from
>>> public interface ContentWrapper {
>>>     public StringUtil.StringWrapper get(String contentTypeId);
>>> }
>>> to
>>> public interface ContentWrapper {
>>>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
>>> }
>>>
>>> And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrapperS accordingly. This means to use 2 types of encoderTypes: "html" and "url".
>>> The "html" encoderType will be used for all ProductContentTypes but those who contain URL in their ContentTypeIdS (actually end with, "_URL") which will use "url" encoderType.
>>> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
>>>
>>> It seems a big change but it's straightforward. It's normally complete.
>>>
>>> There are some (unrelated) tabs replaced by spaces here and there, and few trailing spaces removed but nothing big
>>>
>>> Modified:
>>>     ofbiz/branches/release14.12/ (props changed)
>>>     ofbiz/branches/release14.12/applications/accounting/webapp/accounting/reports/SalesInvoiceByProductCategorySummary.ftl
>>>     ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWrapper.java
>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderReturnServices.java
>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartItem.java
>>>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/product/ProductPromoWorker.java
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/SplitShip.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/cart/showcartitems.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/breadcrumbs.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/categorydetail.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproducts.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproductslist.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/configproductdetail.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/inlineProductDetail.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productdetail.ftl
>>>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
Re: svn commit: r1705331 [1/2] - in /ofbiz/branches/release14.12: ./ applications/accounting/webapp/accounting/reports/ applications/content/src/org/ofbiz/content/content/ applications/order/src/org/o
I did not backport to older releases because of too many conflicts, anyway it's a low vulnerability

Jacques

On 25/09/2015 18:34, jler...@apache.org wrote:
> Author: jleroux
> Date: Fri Sep 25 16:34:34 2015
> New Revision: 1705331
>
> URL: http://svn.apache.org/viewvc?rev=1705331=rev
> Log:
> "Applied fix from trunk for revision: 1705329 " (conflicts handled by hand)
>
> r1705329 | jleroux | 2015-09-25 18:27:12 +0200 (ven. 25 sept. 2015) | 20 lignes
>
> I found a possible XSS attack through ProductContentWrapper.java.getProductContentAsText() which is notably used in several FTL files. This exists also in others *ContentWrapper.java.
> Note that in supported releases it's hard to exploit, it's a Stored XSS https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting which means you need 1st to somehow inject exploiting code in the DB.
>
> This fixes it by changing the ContentWrapper interface
> from
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId);
> }
> to
> public interface ContentWrapper {
>     public StringUtil.StringWrapper get(String contentTypeId, String encoderType);
> }
>
> And changing the Category, Party, Product, ProductPromo and WorkEffort ContentWrapperS accordingly. This means to use 2 types of encoderTypes: "html" and "url".
> The "html" encoderType will be used for all ProductContentTypes but those who contain URL in their ContentTypeIdS (actually end with, "_URL") which will use "url" encoderType.
> It concerns not only the get() method but also methods like getPartyContentAsText(), getProductContentAsText(), etc.
>
> It seems a big change but it's straightforward. It's normally complete.
>
> There are some (unrelated) tabs replaced by spaces here and there, and few trailing spaces removed but nothing big
>
> Modified:
>     ofbiz/branches/release14.12/ (props changed)
>     ofbiz/branches/release14.12/applications/accounting/webapp/accounting/reports/SalesInvoiceByProductCategorySummary.ftl
>     ofbiz/branches/release14.12/applications/content/src/org/ofbiz/content/content/ContentWrapper.java
>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/order/OrderReturnServices.java
>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartItem.java
>     ofbiz/branches/release14.12/applications/order/src/org/ofbiz/order/shoppingcart/product/ProductPromoWorker.java
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/InlineProductDetail.groovy
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/WEB-INF/actions/order/CompanyHeader.groovy
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/SplitShip.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/cart/showcartitems.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/breadcrumbs.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/categorydetail.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproducts.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/compareproductslist.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/configproductdetail.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/inlineProductDetail.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productdetail.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/productsummary.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/entry/catalog/quickaddsummary.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/order/editorderitems.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/order/orderinfo.ftl
>     ofbiz/branches/release14.12/applications/order/webapp/ordermgr/order/orderitems.ftl
>     ofbiz/branches/release14.12/applications/party/webapp/partymgr/party/editShoppingList.ftl
>     ofbiz/branches/release14.12/applications/party/webapp/partymgr/party/profileblocks/SerializedInventory.ftl
>     ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/category/CatalogUrlFilter.java
>     ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductContentWrapper.java
>     ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductPromoContentWrapper.java
>     ofbiz/branches/release14.12/applications/product/src/org/ofbiz/product/product/ProductSearch.java
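
The encoder selection described in the commit message ("html" for every content type except ids ending in "_URL", which get "url"), combined with the backward-compatible single-argument `get` that Deepak asks about, shown as an added example that is not part of the thread and not OFBiz code. Assumptions: the class and method names are hypothetical, the wrapper returns `String` instead of `StringUtil.StringWrapper`, `EXAMPLE_IMAGE_URL` and the stored values are constructed, and `java.net.URLEncoder` stands in for the project's "url" encoder.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Map;

// Added example, not OFBiz code. Requires Java 10+ for URLEncoder.encode(String, Charset).
public class ContentWrapperEncodingDemo {

    // Hypothetical stand-in for the interface in the commit message. It returns
    // String rather than StringUtil.StringWrapper so the example is self-contained.
    interface ContentWrapper {
        String get(String contentTypeId, String encoderType);

        // Assumed backward-compatible overload: a caller that names no encoder
        // gets one derived from the content type id, never the raw stored text.
        default String get(String contentTypeId) {
            return get(contentTypeId, defaultEncoderFor(contentTypeId));
        }
    }

    // Rule from the commit message: ids ending in "_URL" use "url", the rest "html".
    static String defaultEncoderFor(String contentTypeId) {
        return contentTypeId.endsWith("_URL") ? "url" : "html";
    }

    static String encode(String value, String encoderType) {
        switch (encoderType) {
            case "html":
                return htmlEncode(value);
            case "url":
                // Stand-in for the project's "url" encoder (assumption).
                return URLEncoder.encode(value, StandardCharsets.UTF_8);
            default:
                // Fail closed: an unknown encoder name must not return raw text.
                throw new IllegalArgumentException("Unknown encoderType: " + encoderType);
        }
    }

    // Minimal HTML entity encoding for element content and quoted attribute values.
    static String htmlEncode(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed rows standing in for content stored in the DB.
        Map<String, String> stored = Map.of(
            "DESCRIPTION", "Desk lamp <script>alert(1)</script>",
            "EXAMPLE_IMAGE_URL", "lamp photo.png\"><script>alert(1)</script>");

        ContentWrapper wrapper =
            (id, encoder) -> encode(stored.getOrDefault(id, ""), encoder);

        System.out.println(wrapper.get("DESCRIPTION", "html"));
        System.out.println(wrapper.get("EXAMPLE_IMAGE_URL", "url"));
        // Legacy single-argument call sites still compile and still get encoded output.
        System.out.println(wrapper.get("DESCRIPTION"));
        System.out.println(wrapper.get("EXAMPLE_IMAGE_URL"));
    }
}
```

`URLEncoder` form-encodes the whole string, including `/`, `:` and `?`, so it suits a single URL component; which characters the project's "url" encoder leaves intact is not shown in this thread.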