ID | ||||||||
0012652 | ||||||||
Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
defect | [Openbravo ERP] Z. Others | major | N/A | 2010-03-11 14:26 | 2010-04-16 00:00 | |||
Reporter | alostale | View Status | public | |||||
Assigned To | adrianromero | |||||||
Priority | immediate | Resolution | fixed | Fixed in Version | ||||
Status | closed | Fix in branch | Fixed in SCM revision | 64d9ea836ba2 | ||||
Projection | none | ETA | none | Target Version | 2.50MP14 | |||
OS | Any | Database | Any | Java version | ||||
OS Version | Database version | Ant version | ||||||
Product Version | SCM revision | |||||||
Merge Request Status | ||||||||
Review Assigned To | ||||||||
OBNetwork customer | No | |||||||
Web browser | ||||||||
Modules | Core | |||||||
Support ticket | ||||||||
Regression level | ||||||||
Regression date | ||||||||
Regression introduced in release | ||||||||
Regression introduced by commit | ||||||||
Triggers an Emergency Pack | No | |||||||
Summary | 0012652: Proper management of DAL security | |||||||
Description | As found in issue 0012651, some code is using DAL without managing security properly. More info can be found here [1].
[1] http://forge.openbravo.com/plugins/espforum/view.php?group_id=100&forumid=549512&topicid=7010557
Proposed Solution | Check and fix if needed core code using DAL. This is the list of files that use DAL in current pi (36fdbf2c73bb):
./org/openbravo/base/secureApp/HttpSecureAppServlet.java
./org/openbravo/base/secureApp/OrgTreeNode.java
./org/openbravo/base/secureApp/LoginHandler.java
./org/openbravo/base/secureApp/VariablesSecureApp.java
./org/openbravo/reference/ui/UIList.java
./org/openbravo/reference/Reference.java
./org/openbravo/erpCommon/ad_actionButton/InvoicePaymentMonitor.java
./org/openbravo/erpCommon/ad_actionButton/ExportReferenceData.java
./org/openbravo/erpCommon/ad_process/HeartbeatProcess.java
./org/openbravo/erpCommon/ad_process/KillSession.java
./org/openbravo/erpCommon/ad_process/PaymentMonitor.java
./org/openbravo/erpCommon/ad_process/TestHeartbeat.java
./org/openbravo/erpCommon/ad_process/PaymentMonitorProcess.java
./org/openbravo/erpCommon/ad_process/CreateCustomModule.java
./org/openbravo/erpCommon/ad_process/ApplyModules.java
./org/openbravo/erpCommon/ad_process/AcctServerProcess.java
./org/openbravo/erpCommon/ad_process/UpdateAuditTrail.java
./org/openbravo/erpCommon/ad_forms/InstanceManagement.java
./org/openbravo/erpCommon/ad_forms/InitialClientSetup.java
./org/openbravo/erpCommon/ad_forms/InitialOrgSetup.java
./org/openbravo/erpCommon/ad_forms/Role.java
./org/openbravo/erpCommon/ad_forms/Registration.java
./org/openbravo/erpCommon/ad_forms/UpdateReferenceData.java
./org/openbravo/erpCommon/ad_forms/ModuleManagement.java
./org/openbravo/erpCommon/info/AttributeSetInstance.java
./org/openbravo/erpCommon/info/ImageInfoBLOB.java
./org/openbravo/erpCommon/modules/ApplyModule.java
./org/openbravo/erpCommon/modules/ModuleUtiltiy.java
./org/openbravo/erpCommon/obps/ActivationKey.java
./org/openbravo/erpCommon/obps/ActiveInstanceProcess.java
./org/openbravo/erpCommon/businessUtility/AuditTrailDeletedRecords.java
./org/openbravo/erpCommon/businessUtility/AuditTrailPopup.java
./org/openbravo/erpCommon/ad_callouts/SL_TableAudit.java
./org/openbravo/erpCommon/ad_callouts/SL_RequisitionLine_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_PC_Case_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_GlobalUse_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_InOutLine_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_Module_Minor_Version.java
./org/openbravo/erpCommon/ad_callouts/SL_Production_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_Internal_Consumption_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_ModuleCallout.java
./org/openbravo/erpCommon/ad_callouts/SL_Movement_Product.java
./org/openbravo/erpCommon/ad_callouts/SL_Inventory_Product.java
./org/openbravo/erpCommon/utility/Utility.java
./org/openbravo/erpCommon/utility/Register.java
./org/openbravo/erpCommon/utility/ShowImage.java
./org/openbravo/erpCommon/utility/ToolBar.java
./org/openbravo/erpCommon/utility/ImageToDatabaseLoader.java
./org/openbravo/erpCommon/utility/ShowImageLogo.java
./org/openbravo/erpCommon/utility/VerticalMenu.java
./org/openbravo/erpCommon/utility/UsedByLink.java
./org/openbravo/erpCommon/security/Menu.java
./org/openbravo/erpCommon/security/Login.java
Tags | No tags attached. | |||||||
Attached Files | ||||||||
(0025287) hgbot (developer) 2010-03-12 12:26 |
Repository: erp/devel/pi
Changeset: 0512d61a86528d31c2288197a9211337cbb4e1fd
Author: Iván Perdomo <ivan.perdomo <at> openbravo.com>
Date: Fri Mar 12 12:31:57 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/0512d61a86528d31c2288197a9211337cbb4e1fd

Fixes DAL security issue. Related to issue 12652

---
M src/org/openbravo/erpCommon/security/Login.java
---
(0025288) hgbot (developer) 2010-03-12 12:40 |
Repository: erp/devel/pi
Changeset: cd0c6ba4de24f06777b67097de974f6bdbf62030
Author: Asier Lostalé <asier.lostale <at> openbravo.com>
Date: Fri Mar 12 12:46:28 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/cd0c6ba4de24f06777b67097de974f6bdbf62030

related to issue 12652

---
M src/org/openbravo/erpCommon/ad_process/CreateCustomModule.java
---
(0025298) hgbot (developer) 2010-03-12 17:08 |
Repository: erp/devel/pi
Changeset: 64d9ea836ba26834de15acf66b16bad2f632c9a6
Author: Gorka Ion Damián <gorkaion.damian <at> openbravo.com>
Date: Fri Mar 12 17:13:27 2010 +0100
URL: http://code.openbravo.com/erp/devel/pi/rev/64d9ea836ba26834de15acf66b16bad2f632c9a6

Related to issue 12652. Fixes DAL security issue.

---
M src/org/openbravo/erpCommon/ad_callouts/SL_GlobalUse_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Internal_Consumption_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Inventory_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Movement_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_PC_Case_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_Production_Product.java
M src/org/openbravo/erpCommon/ad_callouts/SL_RequisitionLine_Product.java
M src/org/openbravo/erpCommon/info/AttributeSetInstance.java
---
(0025507) hudsonbot (viewer) 2010-03-16 08:41 |
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:
Changeset: http://code.openbravo.com/erp/devel/main/rev/0512d61a8652
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/3e52c5b52d67
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.16713.obx
(0025508) hudsonbot (viewer) 2010-03-16 08:41 |
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:
Changeset: http://code.openbravo.com/erp/devel/main/rev/cd0c6ba4de24
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/3e52c5b52d67
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.16713.obx
(0025513) hudsonbot (viewer) 2010-03-16 08:41 |
A changeset related to this issue has been promoted to main after passing a series of tests and an OBX has been generated:
Changeset: http://code.openbravo.com/erp/devel/main/rev/64d9ea836ba2
Merge Changeset: http://code.openbravo.com/erp/devel/main/rev/3e52c5b52d67
Tests: http://builds.openbravo.com/view/devel-int/
OBX: http://builds.openbravo.com/erp/core/obx/OpenbravoERP-2.50CI.16713.obx
(0026240) plujan (viewer) 2010-04-15 11:35 |
Since the fix has no functional impact, a code review was performed to double check the DAL management. |
Date Modified | Username | Field | Change |
2010-03-11 14:26 | alostale | New Issue | |
2010-03-11 14:26 | alostale | Assigned To | => adrianromero |
2010-03-11 14:26 | alostale | OBNetwork customer | => No |
2010-03-11 14:27 | alostale | Relationship added | related to 0012651 |
2010-03-11 14:33 | rafaroda | Issue Monitored: rafaroda | |
2010-03-11 16:02 | alostale | Proposed Solution updated | |
2010-03-11 17:48 | psarobe | Severity | critical => major |
2010-03-11 17:48 | psarobe | Status | new => scheduled |
2010-03-12 12:26 | hgbot | Checkin | |
2010-03-12 12:26 | hgbot | Note Added: 0025287 | |
2010-03-12 12:40 | hgbot | Checkin | |
2010-03-12 12:40 | hgbot | Note Added: 0025288 | |
2010-03-12 17:08 | hgbot | Checkin | |
2010-03-12 17:08 | hgbot | Note Added: 0025298 | |
2010-03-15 13:09 | adrianromero | Status | scheduled => resolved |
2010-03-15 13:09 | adrianromero | Fixed in SCM revision | => 64d9ea836ba2 |
2010-03-15 13:09 | adrianromero | Resolution | open => fixed |
2010-03-15 13:16 | adrianromero | Relationship added | related to 0012668 |
2010-03-16 08:41 | hudsonbot | Checkin | |
2010-03-16 08:41 | hudsonbot | Note Added: 0025507 | |
2010-03-16 08:41 | hudsonbot | Checkin | |
2010-03-16 08:41 | hudsonbot | Note Added: 0025508 | |
2010-03-16 08:41 | hudsonbot | Checkin | |
2010-03-16 08:41 | hudsonbot | Note Added: 0025513 | |
2010-04-15 11:35 | plujan | Note Added: 0026240 | |
2010-04-15 11:35 | plujan | Status | resolved => closed |
2010-04-16 00:00 | anonymous | sf_bug_id | 0 => 2987963 |