Author: lektran
Date: Thu Dec 10 00:53:47 2009
New Revision: 889040
URL: http://svn.apache.org/viewvc?rev=889040&view=rev
Log:
Reverted previous temporary security fix for request parameters being directly inserted into survey forms and changed all SurveyWrapper instances using this method to instead store the parameter map in the session temporarily.
Modified:
ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml
ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
Modified: ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java (original)
+++ ofbiz/trunk/applications/content/src/org/ofbiz/content/survey/SurveyWrapper.java Thu Dec 10 00:53:47 2009
@@ -101,13 +101,10 @@
* @param passThru
*/
public void setPassThru(Map passThru) {
- /* Creates an XSS vulnerability, by passing incoming parameters straight back out to the browser
- * commented until someone decides either cleanse the parameters or find an alternative solution
if (passThru != null) {
this.passThru = FastMap.newInstance();
this.passThru.putAll(passThru);
}
- */
}

/**
Modified: ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java (original)
+++ ofbiz/trunk/applications/order/src/org/ofbiz/order/shoppingcart/ShoppingCartEvents.java Thu Dec 10 00:53:47 2009
@@ -464,7 +464,8 @@
if (surveyResponseId != null) {
surveyResponses = UtilMisc.toList(surveyResponseId);
} else {
- Map surveyContext = UtilHttp.getParameterMap(request);
+ String origParamMapId = UtilHttp.stashParameterMap(request);
+ Map<String, Object> surveyContext = UtilMisc.<String, Object>toMap("_ORIG_PARAM_MAP_ID_", origParamMapId);
GenericValue userLogin = cart.getUserLogin();
String partyId = null;
if (userLogin != null) {
Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy (original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/actions/entry/catalog/ProductDetail.groovy Thu Dec 10 00:53:47 2009
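Review bot: The `@param passThru` Javadoc on setPassThru is empty, and with the copy-through re-enabled its contract is the whole safety argument of this revert: the comment removed in this hunk says these values go straight back out to the browser, so the fix now rests on every caller passing a stash reference rather than the raw request parameter map. Suggest documenting that explicitly, e.g. `@param passThru fields rendered back into the survey form; never pass the raw request parameter map — stash it with UtilHttp.stashParameterMap and pass the returned id under _ORIG_PARAM_MAP_ID_`. The parameter is also still a raw `Map` while the callers updated in this commit build a `Map<String, Object>`; `public void setPassThru(Map<String, Object> passThru)` would let the compiler catch a caller that slips a differently typed map back in. The enclosing class continues outside the hunk.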
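Review bot: The key `"_ORIG_PARAM_MAP_ID_"` is written as a string literal here and again in ProductDetail.groovy and ProductStoreWorker, and the restoring side (createSurveyResponseAndRestoreParameters, not part of this commit) has to spell it identically; a mismatch in any one copy would silently skip the restore rather than fail. A shared constant, e.g. `public static final String ORIG_PARAM_MAP_ID = "_ORIG_PARAM_MAP_ID_";` (name constructed) on SurveyWrapper, plus a small helper that does the stash-and-wrap, would remove the three duplicated pairs of lines. Separately, the commit log says the stash lives in the session, and nothing in this branch removes it when the survey is never submitted, so it is worth confirming that stashParameterMap bounds or expires its entries. The enclosing method continues outside the hunk.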
@@ -150,7 +150,8 @@
productSurvey = ProductStoreWorker.getProductSurveys(delegator, productStoreId, productId, "CART_ADD");
if (productSurvey) {
survey = EntityUtil.getFirst(productSurvey);
- surveyContext = UtilHttp.getParameterMap(request);
+ origParamMapId = UtilHttp.stashParameterMap(request);
+ surveyContext = ["_ORIG_PARAM_MAP_ID_" : origParamMapId];
surveyPartyId = userLogin?.partyId;
wrapper = new ProductStoreSurveyWrapper(survey, surveyPartyId, surveyContext);
context.surveyWrapper = wrapper;
Modified: ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml (original)
+++ ofbiz/trunk/applications/order/webapp/ordermgr/WEB-INF/controller.xml Thu Dec 10 00:53:47 2009
@@ -428,7 +428,7 @@
</request-map>
<request-map uri="additemsurvey">
<security https="true" auth="true"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="request" value="orderentry"/>
</request-map>
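Review bot: `stashParameterMap` is now called on every render of this script that finds a CART_ADD survey, so each product-detail page view copies that request's parameter map into the session; unless stashParameterMap evicts older entries (not visible here), a session that browses many products accumulates stashed maps until the session itself expires. Worth confirming the eviction policy, or stashing only the fields the survey actually restores. A comment would also help the next reader see why the context is no longer the parameter map: `// stash the request parameters in the session; only the stash id is rendered into the survey form`. The surrounding script continues outside the hunk.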
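Review bot: The new event targets `org.ofbiz.content.survey.SurveyEvents.createSurveyResponseAndRestoreParameters`, but the commit's Modified list contains no SurveyEvents.java and shows no Added section, so unless that class and method were committed in a separate revision every request-map switched here — also at @@ -528 in this file and at @@ -247 and @@ -1245 in the ecommerce controller.xml — will presumably fail when the request is dispatched rather than at build time. Worth verifying the method exists and that it returns the same `success`/`error` outcomes the `createSurveyResponse` service did, since the `error` response here routes back to `orderentry`.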
@@ -528,7 +528,7 @@
</request-map>
<request-map uri="addGiftCertificateSurvey">
<security https="true" auth="false"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="view" value="AddGiftCertificate"/>
</request-map>
Modified: ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java (original)
+++ ofbiz/trunk/applications/product/src/org/ofbiz/product/store/ProductStoreWorker.java Thu Dec 10 00:53:47 2009
@@ -421,9 +421,9 @@
return returnShippingMethods;
}

- public static ProductStoreSurveyWrapper getRandomSurveyWrapper(ServletRequest request, String groupName) {
+ public static ProductStoreSurveyWrapper getRandomSurveyWrapper(HttpServletRequest request, String groupName) {
GenericValue productStore = getProductStore(request);
- HttpSession session = ((HttpServletRequest)request).getSession();
+ HttpSession session = request.getSession();
if (productStore == null) {
return null;
}
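Review bot: Narrowing the public signature from `ServletRequest` to `HttpServletRequest` is a source-incompatible change for any caller that still holds a `ServletRequest`; the callers touched in this commit pass an HttpServletRequest, but others outside it (if any) would now need the cast at their call site instead of inside this method. The method has no Javadoc, and its contract changed in a way a caller should know about; suggest a summary such as `Selects a random survey for the current request's product store; the request parameters are stashed in the session and only the stash id is passed through to the wrapper.` The method body continues outside the hunk.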
@@ -434,7 +434,8 @@
}
String partyId = userLogin != null ? userLogin.getString("partyId") : null;
- Map<String, Object> passThruFields = UtilHttp.getParameterMap(((HttpServletRequest)request));
+ String origParamMapId = UtilHttp.stashParameterMap(request);
+ Map<String, Object> passThruFields = UtilMisc.<String, Object>toMap("_ORIG_PARAM_MAP_ID_", origParamMapId);
return getRandomSurveyWrapper(productStore.getDelegator(), productStore.getString("productStoreId"), groupName, partyId, passThruFields);
}
Modified: ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml
URL: http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml?rev=889040&r1=889039&r2=889040&view=diff
==============================================================================
--- ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml (original)
+++ ofbiz/trunk/specialpurpose/ecommerce/webapp/ecommerce/WEB-INF/controller.xml Thu Dec 10 00:53:47 2009
@@ -247,7 +247,7 @@
<request-map uri="additemsurvey">
<security https="false" auth="false"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="request" value="additem"/>
<response name="error" type="view" value="main"/>
</request-map>
@@ -1245,13 +1245,13 @@
</request-map>
<request-map uri="profilesurvey">
<security https="true" auth="true"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="view" value="profilesurvey"/>
<response name="error" type="view" value="profilesurvey"/>
</request-map>
<request-map uri="minipoll">
<security https="false" auth="false"/>
- <event type="service" invoke="createSurveyResponse"/>
+ <event type="java" invoke="createSurveyResponseAndRestoreParameters" path="org.ofbiz.content.survey.SurveyEvents"/>
<response name="success" type="view" value="main"/>
<response name="error" type="view" value="main"/>
</request-map> |
