Applied fix from trunk for revision: 1301866
===
CVE-2012-1621: Removed the Webslinger component and all the framework dependencies on it; the reasons for this
* no active committer was maintaining the webslinger component
* the component was experimental and not really used by OFBiz
* the component was really big (lot of jars etc...) and we are trying to slim down the OFBiz framework and keep only the essential/useful features
* this fixes a security issue reported to the OFBiz PMC
The only Webslinger feature used by the OFBiz framework was the "service debug mode" (enabled by default with the property servicedispatcher.servicedebugmode): I have considered to keep it but it was impossible because it relied on Webslinger legacy code (in the org.webslinger.invoker.* package) that was never contributed as a source file to the OFBiz project; I have tried to review the source file from an external Webslinger repo but I couldn't find them; the only site about Webslinger I could find is this:
http://www.webslinger.org/Downloads
but the svn resources mentioned there are broken. The fact that the OFBiz frameework was dependent (for a feature useful only in development mode) on an external project that doesn't publish its source code (at least in an easy to find location) convinced me that it was better to clean up the dependency completely; on the bright side OFBiz should now use less memory.
|
ofbiz/branches/release10.04/
ofbiz/branches/release10.04/framework/base/config/both-containers.xml