Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
IDProjectCategoryView StatusDate SubmittedLast Update
0024556Openbravo ERPA. Platformpublic2013-08-21 17:462013-08-22 18:17
Reportershuehner 
Assigned Toshuehner 
PriorityimmediateSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOS5OS Version
Product Version 
Target Version3.0MP27Fixed in Version3.0MP27 
Merge Request Status
Review Assigned ToAugustoMauch
OBNetwork customerNo
Web browser
ModulesCore
Support ticket
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary0024556: Reconfigure xml-parser used by /ws/dal to disallow referencing external entities
DescriptionThe xerces xml parser used by Openbravo by default allowed referencing external entities defined in the xml-data being parsed by it.

As data processed by the code behind /ws/dal is untrusted by default as it is coming from external sources those features must be disabled.
Steps To Reproducesend an xml document using feature as described above to the xml-webservices.
Proposed SolutionReconfigure xml-parser to disallow those features in the /ws/dal endpoint.
Additional Information
TagsNo tags attached.
Relationships
depends on backport 00245573.0MP27 closed shuehner Reconfigure xml-parser used by /ws/dal to disallow referencing external entities 
related to defect 0040642 closed alostale centralize in XMLUtils creation of objects to deal with XML documents 
Attached Files
Issue History
Date ModifiedUsernameFieldChange
2013-08-21 17:46shuehnerNew Issue
2013-08-21 17:46shuehnerAssigned To => shuehner
2013-08-21 17:46shuehnerModules => Core
2013-08-21 17:46shuehnerOBNetwork customer => No
2013-08-21 17:46shuehnerTriggers an Emergency Pack => No
2013-08-21 17:48shuehnerStatusnew => scheduled
2013-08-21 17:48shuehnerfix_in_branch => pi
2013-08-21 18:11hgbotCheckin
2013-08-21 18:11hgbotNote Added: 0060714
2013-08-21 18:11hgbotStatusscheduled => resolved
2013-08-21 18:11hgbotResolutionopen => fixed
2013-08-21 18:11hgbotFixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/b975d72dec38be6c7a9ca8444a98db8924647c1a [^]
2013-08-21 18:14shuehnerReview Assigned To => AugustoMauch
2013-08-21 18:14shuehnerfix_in_branchpi =>
2013-08-22 08:17AugustoMauchNote Added: 0060724
2013-08-22 08:17AugustoMauchStatusresolved => closed
2013-08-22 08:17AugustoMauchFixed in Version => 3.0MP27
2013-08-22 18:17hudsonbotCheckin
2013-08-22 18:17hudsonbotNote Added: 0060734
2019-04-18 13:35alostaleRelationship addedrelated to 0040642

Notes
(0060714)
hgbot   
2013-08-21 18:11   
Repository: erp/devel/pi
Changeset: b975d72dec38be6c7a9ca8444a98db8924647c1a
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Aug 21 17:53:18 2013 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/b975d72dec38be6c7a9ca8444a98db8924647c1a [^]

Fixed 24556. Disallow referencing external entities in /ws/dal/
Reconfigure the xml-parser used behind /ws/dal to not accept
external entity references as the xml data is coming from outside
Openbravo.

---
M src/org/openbravo/service/rest/DalWebService.java
---
(0060724)
AugustoMauch   
2013-08-22 08:17   
Code reviewed and verified in pi@381dd8af30f9
(0060734)
hudsonbot   
2013-08-22 18:17   
A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/7535642cd9cf [^]

Maturity status: Test