Openbravo Issue Tracking System - Openbravo ERP
View Issue Details
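ID: 0033231
Project: Openbravo ERP
Category: A. Platform
View Status: public
Date Submitted: 2016-06-13 13:05
Last Update: 2018-02-22 18:18
Reporter: caristu
Assigned To: caristu
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed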
5
 
Fixed in Version: 3.0PR16Q3
Review Assigned To: alostale
Modules: Core
Triggers an Emergency Pack: No
0033231: Prevent usage of filter clause as an URL parameter
Currently it is possible to override the default filtering of a standard window by passing a filter clause as a URL parameter.

This affects security, as the parameter can be used for injection.
In description
No tags attached.
related to feature request 0032610 | 3.0PR16Q3 | closed | NaroaIriarte | standard datasources shouldn't accept where parameter by default
related to feature request 0018586 | 3.0MP5 | closed | mtaal | Extend grid linking to include filter settings
Issue History
2016-06-13 13:05 | caristu | New Issue
2016-06-13 13:05 | caristu | Assigned To => caristu
2016-06-13 13:05 | caristu | Modules => Core
2016-06-13 13:05 | caristu | Triggers an Emergency Pack => No
2016-06-13 13:05 | caristu | Relationship added: related to 0032610
2016-06-13 13:05 | caristu | Status: new => scheduled
2016-06-13 13:21 | caristu | Relationship added: related to 0018586
2016-06-13 19:42 | hgbot | Checkin
2016-06-13 19:42 | hgbot | Note Added: 0087215
2016-06-13 19:42 | hgbot | Status: scheduled => resolved
2016-06-13 19:42 | hgbot | Resolution: open => fixed
2016-06-13 19:42 | hgbot | Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/9023f7c3e56ceaf3f6b6b9743a56db342623da5d
2016-06-13 19:46 | caristu | Review Assigned To => alostale
2016-06-13 19:46 | caristu | Issue Monitored: alostale
2016-06-17 19:38 | hudsonbot | Checkin
2016-06-17 19:38 | hudsonbot | Note Added: 0087610
2016-06-20 13:09 | alostale | Note Added: 0087670
2016-06-20 13:09 | alostale | Status: resolved => closed
2016-06-20 13:09 | alostale | Fixed in Version => 3.0PR16Q3
2018-01-30 17:29 | hgbot | Checkin
2018-01-30 17:29 | hgbot | Note Added: 0102070
2018-01-30 17:58 | caristu | Note Deleted: 0102070
2018-02-22 18:18 | hudsonbot | Checkin
2018-02-22 18:18 | hudsonbot | Note Added: 0102698

Notes
(0087215)
hgbot   
2016-06-13 19:42   
Repository: erp/devel/pi
Changeset: 9023f7c3e56ceaf3f6b6b9743a56db342623da5d
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Mon Jun 13 19:38:50 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/9023f7c3e56ceaf3f6b6b9743a56db342623da5d

fixes issue 33231: Prevent usage of filter clause as an URL parameter

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/grid/ob-view-grid.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-utilities.js
---
(0087610)
hudsonbot   
2016-06-17 19:38   
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c
Maturity status: Test
(0087670)
alostale   
2016-06-20 13:09   
code reviewed
(0102698)
hudsonbot   
2018-02-22 18:18   
A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/980a6ad5bbf5
Maturity status: Test