View Issue Details
ID: 0024556
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2013-08-21 17:46
Last Update: 2013-08-22 18:17
Reporter: shuehner
View Status: public
Assigned To: shuehner
Priority: immediate
Resolution: fixed
Fixed in Version: 3.0MP27
Status: closed
Fix in branch: (not set)
Fixed in SCM revision: b975d72dec38
Projection: none
ETA: none
Target Version: 3.0MP27
OS: Any
Database: Any
Java version: (not set)
OS Version: (not set)
Database version: (not set)
Ant version: (not set)
Product Version: (not set)
SCM revision: (not set)
Review Assigned To: AugustoMauch
Web browser: (not set)
Modules: Core
Regression level: (not set)
Regression date: (not set)
Regression introduced in release: (not set)
Regression introduced by commit: (not set)
Triggers an Emergency Pack: No
Summary: 0024556: Reconfigure xml-parser used by /ws/dal to disallow referencing external entities

Description: The Xerces XML parser used by Openbravo by default allowed referencing external entities defined in the XML data being parsed by it.

As data processed by the code behind /ws/dal is untrusted by default, since it is coming from external sources, those features must be disabled.
Steps To Reproduce: Send an XML document using the feature described above to the XML web services.
Proposed Solution: Reconfigure the XML parser to disallow those features in the /ws/dal endpoint.
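The following is an added illustration of the parser hardening the proposed solution describes; it is not Openbravo's code and does not reproduce the change made to DalWebService.java. The class name HardenedXmlParser and the sample documents are constructed for this example. It configures a JAXP DocumentBuilder (Xerces is the default implementation shipped with the JDK) so that DOCTYPE declarations are rejected outright and, as defence in depth, external general entities, external parameter entities and external DTD loading are switched off; with no DTD accepted, no entity can be declared at all, which is what removes the external-entity reference capability from an endpoint that parses untrusted input.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Hypothetical helper (not Openbravo code) showing the parser configuration
 * described in the proposed solution: a DocumentBuilder that refuses DOCTYPE
 * declarations and never resolves external entities or external DTDs.
 */
public final class HardenedXmlParser {

    private HardenedXmlParser() {}

    /** Builds a DocumentBuilder with all entity-resolution paths switched off. */
    public static DocumentBuilder newSecureBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: without a DTD no entity (internal or external) can be declared.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for configurations where a DOCTYPE might still be accepted.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses untrusted XML bytes; throws SAXException when the document carries a DOCTYPE. */
    public static Document parseUntrusted(byte[] xml) throws Exception {
        return newSecureBuilder().parse(new ByteArrayInputStream(xml));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents, not captured traffic. The first declares a harmless
        // internal entity; the hardened parser still rejects it because any DOCTYPE is refused.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE ob [ <!ENTITY greeting \"hello\"> ]>\n"
                + "<ob>&greeting;</ob>";
        String plain = "<?xml version=\"1.0\"?><ob><Product id=\"1\"/></ob>";

        try {
            parseUntrusted(withDoctype.getBytes(StandardCharsets.UTF_8));
            System.out.println("UNEXPECTED: DOCTYPE was accepted");
        } catch (SAXException e) {
            // Expected with disallow-doctype-decl: rejected before any entity could be resolved.
            System.out.println("Rejected as expected: " + e.getMessage());
        }

        // A document without a DOCTYPE is still parsed normally.
        Document d = parseUntrusted(plain.getBytes(StandardCharsets.UTF_8));
        System.out.println("Parsed root element: " + d.getDocumentElement().getTagName());
    }
}
```

The same feature URIs apply to a SAXParserFactory or an XMLReader obtained from Xerces; setting disallow-doctype-decl is the single most effective switch, and the remaining features only matter when an application must accept a DTD for legitimate reasons.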
Tags: No tags attached.
Attached Files

Relationships
depends on backport 0024557 (3.0MP27, closed, shuehner): Reconfigure xml-parser used by /ws/dal to disallow referencing external entities
related to defect 0040642 (closed, alostale): centralize in XMLUtils creation of objects to deal with XML documents

Notes
(0060714)
hgbot (developer)
2013-08-21 18:11

Repository: erp/devel/pi
Changeset: b975d72dec38be6c7a9ca8444a98db8924647c1a
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Aug 21 17:53:18 2013 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/b975d72dec38be6c7a9ca8444a98db8924647c1a

Fixed 24556. Disallow referencing external entities in /ws/dal/
Reconfigure the xml-parser used behind /ws/dal to not accept
external entity references as the xml data is coming from outside
Openbravo.

---
M src/org/openbravo/service/rest/DalWebService.java
---
(0060724)
AugustoMauch (administrator)
2013-08-22 08:17

Code reviewed and verified in pi@381dd8af30f9
(0060734)
hudsonbot (developer)
2013-08-22 18:17

A changeset related to this issue has been promoted to main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/7535642cd9cf

Maturity status: Test

Issue History
Date Modified Username Field Change
2013-08-21 17:46 shuehner New Issue
2013-08-21 17:46 shuehner Assigned To => shuehner
2013-08-21 17:46 shuehner Modules => Core
2013-08-21 17:46 shuehner Triggers an Emergency Pack => No
2013-08-21 17:48 shuehner Status new => scheduled
2013-08-21 17:48 shuehner fix_in_branch => pi
2013-08-21 18:11 hgbot Checkin
2013-08-21 18:11 hgbot Note Added: 0060714
2013-08-21 18:11 hgbot Status scheduled => resolved
2013-08-21 18:11 hgbot Resolution open => fixed
2013-08-21 18:11 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/b975d72dec38be6c7a9ca8444a98db8924647c1a
2013-08-21 18:14 shuehner Review Assigned To => AugustoMauch
2013-08-21 18:14 shuehner fix_in_branch pi =>
2013-08-22 08:17 AugustoMauch Note Added: 0060724
2013-08-22 08:17 AugustoMauch Status resolved => closed
2013-08-22 08:17 AugustoMauch Fixed in Version => 3.0MP27
2013-08-22 18:17 hudsonbot Checkin
2013-08-22 18:17 hudsonbot Note Added: 0060734
2019-04-18 13:35 alostale Relationship added related to 0040642
