Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0024557 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| backport | [Openbravo ERP] A. Platform | major | have not tried | 2013-08-21 17:46 | 2013-08-22 08:16 | |||
| Reporter | shuehner | View Status | public | |||||
| Assigned To | shuehner | |||||||
| Priority | immediate | Resolution | fixed | Fixed in Version | 3.0MP25 | |||
| Status | closed | Fix in branch | 2.50 | Fixed in SCM revision | 381dd8af30f9 | |||
| Projection | none | ETA | none | Target Version | 3.0MP27 | |||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Merge Request Status | ||||||||
| Review Assigned To | AugustoMauch | |||||||
| OBNetwork customer | No | |||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Support ticket | ||||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0024557: Reconfigure xml-parser used by /ws/dal to disallow referencing external entities | |||||||
| Description | The xerces xml parser used by Openbravo by default allowed referencing external entities defined in the xml-data being parsed by it. As data processed by the code behind /ws/dal is untrusted by default as it is coming from external sources those features must be disabled. | |||||||
| Steps To Reproduce | send an xml document using feature as described above to the xml-webservices. | |||||||
| Proposed Solution | Reconfigure xml-parser to disallow those features in the /ws/dal endpoint. | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
||||||||
|
||||||||
 Relationships |
|
Notes |
|
|
(0060721) hgbot (developer) 2013-08-21 19:34 |
Repository: erp/stable/2.50 Changeset: 381dd8af30f95a03d3c40672f820317a4dd2ff0b Author: Stefan Hühner <stefan.huehner <at> openbravo.com> Date: Wed Aug 21 17:53:54 2013 +0200 URL: http://code.openbravo.com/erp/stable/2.50/rev/381dd8af30f95a03d3c40672f820317a4dd2ff0b [^] Fixed 24557. Disallow referencing external entities in /ws/dal/ Reconfigure the xml-parser used behind /ws/dal to not accept external entity references as the xml data is coming from outside Openbravo. --- M src/org/openbravo/service/rest/DalWebService.java --- |
|
(0060723) AugustoMauch (administrator) 2013-08-22 08:16 |
Code reviewed and verified in pi@b975d72dec38 |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2013-08-21 17:48 | shuehner | Type | defect => backport |
| 2013-08-21 17:48 | shuehner | fix_in_branch | => 2.50 |
| 2013-08-21 18:14 | shuehner | Review Assigned To | => AugustoMauch |
| 2013-08-21 19:34 | hgbot | Checkin | |
| 2013-08-21 19:34 | hgbot | Note Added: 0060721 | |
| 2013-08-21 19:34 | hgbot | Status | scheduled => resolved |
| 2013-08-21 19:34 | hgbot | Resolution | open => fixed |
| 2013-08-21 19:34 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/stable/2.50/rev/381dd8af30f95a03d3c40672f820317a4dd2ff0b [^] |
| 2013-08-22 08:16 | AugustoMauch | Note Added: 0060723 | |
| 2013-08-22 08:16 | AugustoMauch | Status | resolved => closed |
| 2013-08-22 08:16 | AugustoMauch | Fixed in Version | => 3.0MP25 |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |