[OFBIZ-11593] "entity/list" request is not handled well - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: Trunk
Fix Version/s: None
Component/s: framework/webtools
Labels:
None

Description

The "entity/list" request has been put in with ~~OFBIZ-11007~~. It's used to call the entitymaint view and so is a demo/didactic duplicate of entitymaint request. It's only used in FindGeneric screen (look for the WebtoolsBackToEntityList label). It's problematic because since the CSRF token defense was put in you can no longer filter the entities from the entities list screen, even when the default NoCsrfDefenseStrategy is used. It works if you use the entitymaint request instead.

Anyway, 2020-01-19 I proposed in ~~OFBIZ-11306~~ a solution for such cases. It was not used because 2020-02-14 I thought it was no longer needed, but it's necessary for this case, and maybe others not already detected:

         if (pathInfo.get(0).indexOf('?') > -1) {
             return pathInfo.get(0).substring(0, pathInfo.get(0).indexOf('?'));
         } else {
-            return pathInfo.get(0);
+            if (1 < StringUtils.countMatches(path, "/")) {
+                return pathInfo.get(0) + "/" + pathInfo.get(1);
+            } else {
+                return pathInfo.get(0);
+            }

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

image-2020-04-28-14-22-36-940.png
28/Apr/20 08:52
20 kB
Rohit Koushal

Issue Links

is broken by

OFBIZ-11306 POC for CSRF Token (CVE-2019-0235)

Closed

Activity

People

Assignee:: Jacques Le Roux

Reporter:: Jacques Le Roux

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 12/Apr/20 11:14

Updated:: 11/Jan/22 09:36

Resolved:: 29/Apr/20 10:47