[MGNLUI-3928] Security Problem Sample-App: Allows cross site scripting
Created: 30/Jun/16 | Updated: 18/Jul/16 | Resolved: 15/Jul/16
| Status: | Closed |
| Project: | Magnolia UI |
| Component/s: | None |
| Affects Version/s: | 5.3.14, 5.4.7 |
| Fix Version/s: | 5.3.16, 5.4.8 |
| Type: | Bug | Priority: | Major |
| Reporter: | Christian Ringele | Assignee: | Antonín Juran |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | support |
| Remaining Estimate: | 0d |
| Time Spent: | 20m |
| Original Estimate: | Not Specified |
| Sprint: | Kromeriz 52 |
| Story Points: | 1 |
| Description |
Try this on calling the sample app:

As the sample-app is not product critical, the workaround is simple: exclude this artifact:

    <dependency>
      <groupId>info.magnolia.sample</groupId>
      <artifactId>magnolia-sample-app</artifactId>
    </dependency>

It is bundled via the UI project:

    <dependency>
      <groupId>info.magnolia.ui</groupId>
      <artifactId>magnolia-ui-project</artifactId>
    </dependency>
And in the end it is added/bundled into the webapp via the enterprise webapp:

    <dependency>
      <!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>war</type>
    </dependency>
    <dependency>
      <!-- Using the imported 'dependencyManagement' from the parent pom -->
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>pom</type>
    </dependency>
How to get rid of it: in the project's webapp pom, add an exclusion to both enterprise-webapp dependencies:

    <dependency>
      <!-- Used for the Maven war:overlay -> defines the WAR's structure, the configs, web.xml etc. -->
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>war</type>
      <exclusions>
        <exclusion>
          <groupId>info.magnolia.sample</groupId>
          <artifactId>magnolia-sample-app</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
    <dependency>
      <!-- Using the imported 'dependencyManagement' from the parent pom -->
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>pom</type>
      <exclusions>
        <exclusion>
          <groupId>info.magnolia.sample</groupId>
          <artifactId>magnolia-sample-app</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
If you have explicitly added the UI project to the webapp's pom, you also need to exclude the sample-app artefact in that UI dependency. In a live system where it is already installed:
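A way to verify that the exclusion workaround actually took effect, as an added example that is not part of the issue or of Magnolia's own code: the script parses a webapp pom.xml and reports every dependency on an artifact that (per the description above) bundles info.magnolia.sample:magnolia-sample-app transitively but carries no <exclusion> for it, plus any direct dependency on the sample app. A second helper checks the WEB-INF/lib listing of a built or deployed WAR for a sample-app jar, which is the check that matters for a live system. The two sample poms are constructed for the example; the set of carrier artifacts is taken from the issue text and is an assumption for any other project layout.

```python
"""Verify the MGNLUI-3928 workaround: the sample app must be excluded.

Added example, not Magnolia's own code. Parses a webapp pom.xml and reports
dependencies that still pull in info.magnolia.sample:magnolia-sample-app;
also checks a WEB-INF/lib listing for the sample-app jar.
"""
import os
import sys
import xml.etree.ElementTree as ET

SAMPLE_GROUP = "info.magnolia.sample"
SAMPLE_ARTIFACT = "magnolia-sample-app"

# Artifacts the issue names as bundling the sample app transitively (assumption
# for other layouts: extend this set if your webapp pulls the UI in differently).
CARRIERS = {
    ("info.magnolia.eebundle", "magnolia-enterprise-webapp"),
    ("info.magnolia.ui", "magnolia-ui-project"),
}


def _children(elem, name):
    """Direct children with the given local name (POM namespace or none)."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _text(elem, name):
    """Text of the first child called `name`, or '' if absent."""
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def _excludes_sample_app(dep):
    """True if the <dependency> carries an <exclusion> covering the sample app."""
    for exclusions in _children(dep, "exclusions"):
        for ex in _children(exclusions, "exclusion"):
            g, a = _text(ex, "groupId"), _text(ex, "artifactId")
            if g in (SAMPLE_GROUP, "*") and a in (SAMPLE_ARTIFACT, "*"):
                return True
    return False


def find_missing_exclusions(pom_xml):
    """Return 'group:artifact:type (reason)' for each dependency that still brings in the sample app.

    Only the top-level <dependencies> block is inspected; <dependencyManagement>
    entries do not add jars to the WAR by themselves.
    """
    root = ET.fromstring(pom_xml)
    problems = []
    for deps in _children(root, "dependencies"):
        for dep in _children(deps, "dependency"):
            coords = (_text(dep, "groupId"), _text(dep, "artifactId"))
            label = "%s:%s:%s" % (coords[0], coords[1], _text(dep, "type") or "jar")
            if coords == (SAMPLE_GROUP, SAMPLE_ARTIFACT):
                problems.append(label + " (declared directly)")
            elif coords in CARRIERS and not _excludes_sample_app(dep):
                problems.append(label + " (no exclusion)")
    return problems


def find_sample_app_jars(jar_names):
    """Jar file names (e.g. os.listdir of WEB-INF/lib) that belong to the sample app."""
    return sorted(n for n in jar_names
                  if n.startswith(SAMPLE_ARTIFACT) and n.endswith(".jar"))


# Constructed sample input: the enterprise-webapp dependencies before the workaround.
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>war</type>
    </dependency>
    <dependency>
      <groupId>info.magnolia.eebundle</groupId>
      <artifactId>magnolia-enterprise-webapp</artifactId>
      <type>pom</type>
    </dependency>
  </dependencies>
</project>"""

# Same pom with the exclusion from the issue added to both dependencies.
POM_AFTER = POM_BEFORE.replace(
    "</type>",
    "</type>\n      <exclusions><exclusion>"
    "<groupId>info.magnolia.sample</groupId>"
    "<artifactId>magnolia-sample-app</artifactId>"
    "</exclusion></exclusions>")

if __name__ == "__main__":
    # usage: check_sample_app.py [path/to/pom.xml] [path/to/WEB-INF/lib]
    pom_xml = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else POM_BEFORE
    for problem in find_missing_exclusions(pom_xml):
        print("still bundles sample app:", problem)
    if len(sys.argv) > 2:
        for jar in find_sample_app_jars(os.listdir(sys.argv[2])):
            print("sample app jar present:", jar)
```

Run it with no arguments to see the constructed "before" pom flagged twice; point it at the project's real pom and, for a deployed instance, at the exploded WAR's WEB-INF/lib. An empty report from both checks is the condition you want before closing the workaround out.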
| Comments |
| Comment by Christian Ringele [ 30/Jun/16 ] |
Support criteria ranking: