View Issue Details
ID: 0033231
Type: defect
Category: [Openbravo ERP] A. Platform
Severity: minor
Reproducibility: always
Date Submitted: 2016-06-13 13:05
Last Update: 2018-02-22 18:18
Reporter: caristu
View Status: public
Assigned To: caristu
Priority: high
Resolution: fixed
Fixed in Version: 3.0PR16Q3
Status: closed
Fix in branch:
Fixed in SCM revision: 9023f7c3e56c
Projection: none
ETA: none
Target Version:
OS: Any
Database: Any
Java version:
OS Version:
Database version:
Ant version:
Product Version:
SCM revision:
Review Assigned To: alostale
Web browser:
Modules: Core
Regression level:
Regression date:
Regression introduced in release:
Regression introduced by commit:
Triggers an Emergency Pack: No
Summary: 0033231: Prevent usage of filter clause as an URL parameter

Description: Currently it is possible to override the default filtering of a standard window by passing a filter clause as a URL parameter.

This affects security, as the parameter can be used for injection.

Steps To Reproduce: In description
Tags: No tags attached.
Attached Files:

- Relationships
related to: feature request 0032610 (3.0PR16Q3, closed, NaroaIriarte): standard datasources shouldn't accept where parameter by default
related to: feature request 0018586 (3.0MP5, closed, mtaal): Extend grid linking to include filter settings

-  Notes
(0087215)
hgbot (developer)
2016-06-13 19:42

Repository: erp/devel/pi
Changeset: 9023f7c3e56ceaf3f6b6b9743a56db342623da5d
Author: Carlos Aristu <carlos.aristu <at> openbravo.com>
Date: Mon Jun 13 19:38:50 2016 +0200
URL: http://code.openbravo.com/erp/devel/pi/rev/9023f7c3e56ceaf3f6b6b9743a56db342623da5d

fixes issue 33231: Prevent usage of filter clause as an URL parameter

---
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/grid/ob-view-grid.js
M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-utilities.js
---
(0087610)
hudsonbot (developer)
2016-06-17 19:38

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/0dc7be081b1c
Maturity status: Test
(0087670)
alostale (manager)
2016-06-20 13:09

code reviewed
(0102698)
hudsonbot (developer)
2018-02-22 18:18

A changeset related to this issue has been promoted main and to the
Central Repository, after passing a series of tests.

Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/980a6ad5bbf5
Maturity status: Test

- Issue History
Date Modified Username Field Change
2016-06-13 13:05 caristu New Issue
2016-06-13 13:05 caristu Assigned To => caristu
2016-06-13 13:05 caristu Modules => Core
2016-06-13 13:05 caristu Triggers an Emergency Pack => No
2016-06-13 13:05 caristu Relationship added related to 0032610
2016-06-13 13:05 caristu Status new => scheduled
2016-06-13 13:21 caristu Relationship added related to 0018586
2016-06-13 19:42 hgbot Checkin
2016-06-13 19:42 hgbot Note Added: 0087215
2016-06-13 19:42 hgbot Status scheduled => resolved
2016-06-13 19:42 hgbot Resolution open => fixed
2016-06-13 19:42 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/devel/pi/rev/9023f7c3e56ceaf3f6b6b9743a56db342623da5d
2016-06-13 19:46 caristu Review Assigned To => alostale
2016-06-13 19:46 caristu Issue Monitored: alostale
2016-06-17 19:38 hudsonbot Checkin
2016-06-17 19:38 hudsonbot Note Added: 0087610
2016-06-20 13:09 alostale Note Added: 0087670
2016-06-20 13:09 alostale Status resolved => closed
2016-06-20 13:09 alostale Fixed in Version => 3.0PR16Q3
2018-01-30 17:29 hgbot Checkin
2018-01-30 17:29 hgbot Note Added: 0102070
2018-01-30 17:58 caristu Note Deleted: 0102070
2018-02-22 18:18 hudsonbot Checkin
2018-02-22 18:18 hudsonbot Note Added: 0102698

