Anonymous | Login
Project:
RSS
  
News | My View | View Issues | Roadmap | Summary

View Issue DetailsJump to Notes ] Issue History ] Print ]
ID
0029157
TypeCategorySeverityReproducibilityDate SubmittedLast Update
defect[Openbravo ERP] A. PlatformmajorN/A2015-03-06 08:382015-03-09 17:49
ReporteralostaleView Statuspublic 
Assigned Toalostale 
PriorityurgentResolutionfixedFixed in Version3.0PR15Q2
StatusclosedFix in branchFixed in SCM revisiond8ec9347e127
ProjectionnoneETAnoneTarget Version3.0PR15Q2
OSAnyDatabaseAnyJava version
OS VersionDatabase versionAnt version
Product VersionSCM revision 
Review Assigned ToAugustoMauch
Web browser
ModulesCore
Regression level
Regression date
Regression introduced in release
Regression introduced by commit
Triggers an Emergency PackNo
Summary

0029157: code review issues for Process Definition Reporting Tool project

DescriptionReviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve:

  * Security: prevent traversal attack. BaseReportActionHandler could be invoked
    to download any file in the system. Fixed by:
      - Now it only accepts file name instead of full path, looking for this file
        in the temporary directory.
      - File name is parsed to ensure it is a valid generated jasper file name,
        preventing in this manner downloads of any arbitrary file in the temporary
        directory.
  * ReportSemaphoreHandling changes:
      - Modified to make use of standard java.util.concurrent.Semaphore
        implementation rather than implementing its own semaphore.
      - Property to read maximum number of concurrent executions is read on
        initialization instead of when acquiring. This way acquisition is faster.
  * When a Jasper report is generated with a virtualizer, it's finally cleaned
    up.
  * When downloading a report, temporary file is deleted on a finally block to
    ensure deletion even on failure.
  * Changes in javadoc to fix some typos + prevent undocumented parameters.
  * Defensive coding: when generating/downloading a report, don't assume if type
    is not pdf then it is xls, but do check all the types and raise an exception
    in case of unsupported type.
  * UI: in process definition window, don't show Can Add Records flag for process
    definitions of type report
Steps To ReproduceN/A: code review, check description.
TagsNo tags attached.
Attached Files

- Relationships Relation Graph ] Dependency Graph ]
related to feature request 0026763 closedgorkaion Ability to launch reports from process definitions 
causes defect 0029441 closedNaroaIriarte Exporting to XLS does not work in the new ReportingUtils class 

-  Notes
(0075231)
hgbot (developer)
2015-03-06 10:48

Repository: erp/devel/pi
Changeset: d8ec9347e127febd5961acedac70ff0cfe52e5b6
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 06 08:51:40 2015 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/d8ec9347e127febd5961acedac70ff0cfe52e5b6 [^]

fixed issue 29157: code review issues for Process Definition Reporting Tool

 Fixes include:
  * Security: prevent traversal attack. BaseReportActionHandler could be invoked
    to download any file in the system. Fixed by:
      - Now it only accepts file name instead of full path, looking for this file
        in the temporary directory.
      - Filename is parsed to ensure it is a valid generated jasper file name,
        preventing in this manner downloads of any arbitrary file in the temporary
        directory.
  * ReportSemaphoreHandling changes:
      - Modified to make use of standard java.util.concurrent.Semaphore
        implementation rather than implementing its own semaphore.
      - Property to read maximum number of concurrent executions is read on
        initialization instead of when acquiring. This way acquisition is faster.
  * When a Jasper report is generated with a virtualizer, it's finally cleaned
    up.
  * When downloading a report, temporary file is deleted on a finally block to
    ensure deletion even on failure.
  * Changes in javadoc to fix some typos + prevent undocumented parameters.
  * Defensive coding: when generating/downloading a report, don't assume if type
    is not pdf then it is xls, but do check all the types and raise an exception
    in case of unsupported type.
  * UI: in process definition window, don't show Can Add Records flag for process
    definitions of type report

---
M modules/org.openbravo.client.application/src-db/database/sourcedata/AD_FIELD.xml
M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/BaseReportActionHandler.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/ReportSemaphoreHandling.java
M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/ReportingUtils.java
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-utilities-action-def.js
---
(0075299)
AugustoMauch (administrator)
2015-03-09 11:00

Code reviewed and verified in pi@b9fc7e8e60ae
(0075330)
hudsonbot (developer)
2015-03-09 17:49

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ef8a16dd11b3 [^]
Maturity status: Test

- Issue History
Date Modified Username Field Change
2015-03-06 08:38 alostale New Issue
2015-03-06 08:38 alostale Assigned To => alostale
2015-03-06 08:38 alostale Modules => Core
2015-03-06 08:38 alostale Triggers an Emergency Pack => No
2015-03-06 08:38 alostale Relationship added related to 0026763
2015-03-06 08:46 alostale Description Updated View Revisions
2015-03-06 10:48 hgbot Checkin
2015-03-06 10:48 hgbot Note Added: 0075231
2015-03-06 10:48 hgbot Status new => resolved
2015-03-06 10:48 hgbot Resolution open => fixed
2015-03-06 10:48 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/d8ec9347e127febd5961acedac70ff0cfe52e5b6 [^]
2015-03-09 09:29 alostale Review Assigned To => AugustoMauch
2015-03-09 11:00 AugustoMauch Note Added: 0075299
2015-03-09 11:00 AugustoMauch Status resolved => closed
2015-03-09 11:00 AugustoMauch Fixed in Version => 3.0PR15Q2
2015-03-09 17:49 hudsonbot Checkin
2015-03-09 17:49 hudsonbot Note Added: 0075330
2015-03-30 10:45 alostale Relationship added causes 0029441


Copyright © 2000 - 2009 MantisBT Group
Powered by Mantis Bugtracker