Project:
| View Issue Details[ Jump to Notes ] | [ Issue History ] [ Print ] | |||||||
| ID | ||||||||
| 0029157 | ||||||||
| Type | Category | Severity | Reproducibility | Date Submitted | Last Update | |||
| defect | [Openbravo ERP] A. Platform | major | N/A | 2015-03-06 08:38 | 2015-03-09 17:49 | |||
| Reporter | alostale | View Status | public | |||||
| Assigned To | alostale | |||||||
| Priority | urgent | Resolution | fixed | Fixed in Version | 3.0PR15Q2 | |||
| Status | closed | Fix in branch | Fixed in SCM revision | d8ec9347e127 | ||||
| Projection | none | ETA | none | Target Version | 3.0PR15Q2 | |||
| OS | Any | Database | Any | Java version | ||||
| OS Version | Database version | Ant version | ||||||
| Product Version | SCM revision | |||||||
| Review Assigned To | AugustoMauch | |||||||
| Web browser | ||||||||
| Modules | Core | |||||||
| Regression level | ||||||||
| Regression date | ||||||||
| Regression introduced in release | ||||||||
| Regression introduced by commit | ||||||||
| Triggers an Emergency Pack | No | |||||||
| Summary | 0029157: code review issues for Process Definition Reporting Tool project | |||||||
| Description | Reviewing the code of Process Definition Reporting Tool project, it has some parts to fix/improve: * Security: prevent traversal attack. BaseReportActionHandler could be invoked to download any file in the system. Fixed by: - Now it only accepts file name instead of full path, looking for this file in the temporary directory. - File name is parsed to ensure it is a valid generated jasper file name, preventing in this manner downloads of any arbitrary file in the temporary directory. * ReportSemaphoreHandling changes: - Modified to make use of standard java.util.concurrent.Semaphore implementation rather than implementing its own semaphore. - Property to read maximum number of concurrent executions is read on initialization instead of when acquiring. This way acquisition is faster. * When a Jasper report is generated with a virtualizer, it's finally cleaned up. * When downloading a report, temporary file is deleted on a finally block to ensure deletion even on failure. * Changes in javadoc to fix some typos + prevent undocumented parameters. * Defensive coding: when generating/downloading a report, don't assume if type is not pdf then it is xls, but do check all the types and raise an exception in case of unsupported type. * UI: in process definition window, don't show Can Add Records flag for process definitions of type report | |||||||
| Steps To Reproduce | N/A: code review, check description. | |||||||
| Tags | No tags attached. | |||||||
| Attached Files | ||||||||
 Relationships [ Relation Graph ]
[ Dependency Graph ]
|
|||||||||||||||
|
|||||||||||||||
 Relationships |
|
Notes |
|
|
(0075231) hgbot (developer) 2015-03-06 10:48 |
Repository: erp/devel/pi Changeset: d8ec9347e127febd5961acedac70ff0cfe52e5b6 Author: Asier Lostalé <asier.lostale <at> openbravo.com> Date: Fri Mar 06 08:51:40 2015 +0100 URL: http://code.openbravo.com/erp/devel/pi/rev/d8ec9347e127febd5961acedac70ff0cfe52e5b6 [^] fixed issue 29157: code review issues for Process Definition Reporting Tool Fixes include: * Security: prevent traversal attack. BaseReportActionHandler could be invoked to download any file in the system. Fixed by: - Now it only accepts file name instead of full path, looking for this file in the temporary directory. - Filename is parsed to ensure it is a valid generated jasper file name, preventing in this manner downloads of any arbitrary file in the temporary directory. * ReportSemaphoreHandling changes: - Modified to make use of standard java.util.concurrent.Semaphore implementation rather than implementing its own semaphore. - Property to read maximum number of concurrent executions is read on initialization instead of when acquiring. This way acquisition is faster. * When a Jasper report is generated with a virtualizer, it's finally cleaned up. * When downloading a report, temporary file is deleted on a finally block to ensure deletion even on failure. * Changes in javadoc to fix some typos + prevent undocumented parameters. * Defensive coding: when generating/downloading a report, don't assume if type is not pdf then it is xls, but do check all the types and raise an exception in case of unsupported type. * UI: in process definition window, don't show Can Add Records flag for process definitions of type report --- M modules/org.openbravo.client.application/src-db/database/sourcedata/AD_FIELD.xml M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/BaseReportActionHandler.java M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/ReportSemaphoreHandling.java M modules/org.openbravo.client.application/src/org/openbravo/client/application/report/ReportingUtils.java M modules/org.openbravo.client.application/web/org.openbravo.client.application/js/utilities/ob-utilities-action-def.js --- |
|
(0075299) AugustoMauch (administrator) 2015-03-09 11:00 |
Code reviewed and verified in pi@b9fc7e8e60ae |
|
(0075330) hudsonbot (developer) 2015-03-09 17:49 |
A changeset related to this issue has been promoted main and to the Central Repository, after passing a series of tests. Promotion changeset: https://code.openbravo.com/erp/devel/main/rev/ef8a16dd11b3 [^] Maturity status: Test |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2015-03-06 08:38 | alostale | New Issue | |
| 2015-03-06 08:38 | alostale | Assigned To | => alostale |
| 2015-03-06 08:38 | alostale | Modules | => Core |
| 2015-03-06 08:38 | alostale | Triggers an Emergency Pack | => No |
| 2015-03-06 08:38 | alostale | Relationship added | related to 0026763 |
| 2015-03-06 08:46 | alostale | Description Updated | View Revisions |
| 2015-03-06 10:48 | hgbot | Checkin | |
| 2015-03-06 10:48 | hgbot | Note Added: 0075231 | |
| 2015-03-06 10:48 | hgbot | Status | new => resolved |
| 2015-03-06 10:48 | hgbot | Resolution | open => fixed |
| 2015-03-06 10:48 | hgbot | Fixed in SCM revision | => http://code.openbravo.com/erp/devel/pi/rev/d8ec9347e127febd5961acedac70ff0cfe52e5b6 [^] |
| 2015-03-09 09:29 | alostale | Review Assigned To | => AugustoMauch |
| 2015-03-09 11:00 | AugustoMauch | Note Added: 0075299 | |
| 2015-03-09 11:00 | AugustoMauch | Status | resolved => closed |
| 2015-03-09 11:00 | AugustoMauch | Fixed in Version | => 3.0PR15Q2 |
| 2015-03-09 17:49 | hudsonbot | Checkin | |
| 2015-03-09 17:49 | hudsonbot | Note Added: 0075330 | |
| 2015-03-30 10:45 | alostale | Relationship added | causes 0029441 |
|
Issue History |
| Copyright © 2000 - 2009 MantisBT Group |
 |