ID: 0024557
Type: backport
Category: [Openbravo ERP] A. Platform
Severity: major
Reproducibility: have not tried
Date Submitted: 2013-08-21 17:46
Last Update: 2013-08-22 08:16
Reporter: shuehner
View Status: public
Assigned To: shuehner
Priority: immediate
Resolution: fixed
Fixed in Version: 3.0MP25
Status: closed
Fix in branch: 2.50
Fixed in SCM revision: 381dd8af30f9
Projection: none
ETA: none
Target Version: 3.0MP27
OS: Any
Database: Any
Review Assigned To: AugustoMauch
Modules: Core
Triggers an Emergency Pack: No
Summary

0024557: Reconfigure xml-parser used by /ws/dal to disallow referencing external entities

Description: The xerces xml parser used by Openbravo by default allowed referencing external entities defined in the xml-data being parsed by it.

As data processed by the code behind /ws/dal is untrusted by default as it is coming from external sources, those features must be disabled.
Steps To Reproduce: Send an xml document using the feature as described above to the xml-webservices.
Proposed Solution: Reconfigure xml-parser to disallow those features in the /ws/dal endpoint.

- Relationships
blocks | defect 0024556 | 3.0MP27 | closed | shuehner | Reconfigure xml-parser used by /ws/dal to disallow referencing external entities

-  Notes
(0060721)
hgbot (developer)
2013-08-21 19:34

Repository: erp/stable/2.50
Changeset: 381dd8af30f95a03d3c40672f820317a4dd2ff0b
Author: Stefan Hühner <stefan.huehner <at> openbravo.com>
Date: Wed Aug 21 17:53:54 2013 +0200
URL: http://code.openbravo.com/erp/stable/2.50/rev/381dd8af30f95a03d3c40672f820317a4dd2ff0b

Fixed 24557. Disallow referencing external entities in /ws/dal/
Reconfigure the xml-parser used behind /ws/dal to not accept
external entity references as the xml data is coming from outside
Openbravo.

---
M src/org/openbravo/service/rest/DalWebService.java
---
(0060723)
AugustoMauch (administrator)
2013-08-22 08:16

Code reviewed and verified in pi@b975d72dec38

- Issue History
Date Modified Username Field Change
2013-08-21 17:48 shuehner Type defect => backport
2013-08-21 17:48 shuehner fix_in_branch => 2.50
2013-08-21 18:14 shuehner Review Assigned To => AugustoMauch
2013-08-21 19:34 hgbot Checkin
2013-08-21 19:34 hgbot Note Added: 0060721
2013-08-21 19:34 hgbot Status scheduled => resolved
2013-08-21 19:34 hgbot Resolution open => fixed
2013-08-21 19:34 hgbot Fixed in SCM revision => http://code.openbravo.com/erp/stable/2.50/rev/381dd8af30f95a03d3c40672f820317a4dd2ff0b
2013-08-22 08:16 AugustoMauch Note Added: 0060723
2013-08-22 08:16 AugustoMauch Status resolved => closed
2013-08-22 08:16 AugustoMauch Fixed in Version => 3.0MP25

