Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0024557 | Openbravo ERP | A. Platform | public | 2013-08-21 17:46 | 2013-08-22 08:16 |
|
| Reporter | shuehner | |
| Assigned To | shuehner | |
| Priority | immediate | Severity | major | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 5 | OS Version | |
| Product Version | | |
| Target Version | 3.0MP27 | Fixed in Version | 3.0MP25 | |
| Merge Request Status | |
| Review Assigned To | AugustoMauch |
| OBNetwork customer | |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0024557: Reconfigure xml-parser used by /ws/dal to disallow referencing external entities |
| Description | The xerces xml parser used by Openbravo by default allowed referencing external entities defined in the xml-data being parsed by it.
As data processed by the code behind /ws/dal is untrusted by default as it is coming from external sources those features must be disabled. |
| Steps To Reproduce | send an xml document using feature as described above to the xml-webservices. |
| Proposed Solution | Reconfigure xml-parser to disallow those features in the /ws/dal endpoint. |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | | blocks | defect | 0024556 | 3.0MP27 | closed | shuehner | Reconfigure xml-parser used by /ws/dal to disallow referencing external entities |
|
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2013-08-21 17:48 | shuehner | Type | defect => backport |
| 2013-08-21 17:48 | shuehner | fix_in_branch | => 2.50 |
| 2013-08-21 18:14 | shuehner | Review Assigned To | => AugustoMauch |
| 2013-08-21 19:34 | hgbot | Checkin | |
| 2013-08-21 19:34 | hgbot | Note Added: 0060721 | |
| 2013-08-21 19:34 | hgbot | Status | scheduled => resolved |
| 2013-08-21 19:34 | hgbot | Resolution | open => fixed |
| 2013-08-21 19:34 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/stable/2.50/rev/381dd8af30f95a03d3c40672f820317a4dd2ff0b [^] |
| 2013-08-22 08:16 | AugustoMauch | Note Added: 0060723 | |
| 2013-08-22 08:16 | AugustoMauch | Status | resolved => closed |
| 2013-08-22 08:16 | AugustoMauch | Fixed in Version | => 3.0MP25 |