Openfire (master)

• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 844ab7605fb54f2e8488f7a3e1d30178bc49affd

  Merge pull request #1438 from GregDThomas/OF-1821
  OF-1821: Ensure that the ldap.pagedResultsSize is automatically set for ActiveDirectory
• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 96652b038a82f72b1bfb92a174f2fcff40036ddb

  Merge pull request #1431 from cpetzka/add_intellij_runtime_configuration
  add debug instruction for IntelliJ IDEA to the README.md
• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 2e1461a2d4a3bf21e69b8dc4644d155c7d80410c

  Merge pull request #1430 from cpetzka/update_german_i18n_file
  OF-1819 update the german translation
• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 df3f5e7dcb7cb444d699e9166fa2339523304722

  Merge pull request #1436 from cpetzka/fix_can_not_insert_null_into_propvalue_under_oracle_db
  OF-1828 Fix that an empty string can not be inserted in ofgroupporp.propvalue
• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 8b4e42c45c386d9578fe6a8624746c514210706b

  Merge pull request #1440 from guusdk/OF-1021_plugin-upload-file_extensions
  OF-1021: Additional checks on (uploaded) plugin files
• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 04cbd2b801d1fd92238deb64820aeb623b77afcb

  Merge pull request #1441 from guusdk/OF-1192_Reflected-XSS-setup
  OF-1192: Fixes Reflected XSS in LDAP Setup test
• 

  daryl herzmann <akrherz@iastate.edu> 07 Aug 2019 d0382549599586b238ca6df2a39a2dbe8bb0f1bc

  Merge pull request #1439 from GregDThomas/OF-1820
  OF-1820: Ensure that groups are sorted
• 

  Guus der Kinderen 05 Aug 2019 4a82a0e2219a71af8f0c5a7f528426170e345b2b m

  OF-1192: Fixes Reflected XSS in LDAP Setup test
  The testing page for checking a a particular user (that's configured to be an Openfire admin) can be retrieved from LDAP contained an XSS vulnerability. This commit fixes that.
  
  Many thanks to Luke Arntson for finding and reporting this issue.

  • xmppserver/src/main/webapp/setup/setup-admin-settings.jsp (version 4a82a0e2219a71af8f0c5a7f528426170e345b2b)
  • xmppserver/src/main/webapp/setup/setup-admin-settings_test.jsp (version 4a82a0e2219a71af8f0c5a7f528426170e345b2b)
• 

  Guus der Kinderen 05 Aug 2019 28972842d1d4147e018959d790dd1e9d22a540c7 m

  OF-1021: Verify magic bytes of uploaded plugins
  Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.
  
  To further guard against malicous files being uploaded, this commit verifies the magic bytes (the first few bytes) of the uploaded file.
  
  The new functionality is controlled by two new properties:
  - plugins.upload.magic-number-check.enabled A boolean value that enables or disables the check (defaults to true).
  - plugins.upload.magic-number.values.expected-value A list of hex representations of valid magic byte sequences (defaults to "504B0304", "504B0506", "504B0708").

  • i18n/src/main/resources/openfire_i18n.properties (version 28972842d1d4147e018959d790dd1e9d22a540c7)
  • xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version 28972842d1d4147e018959d790dd1e9d22a540c7)
  • xmppserver/src/test/java/org/jivesoftware/openfire/container/PluginManagerTest.java (version 28972842d1d4147e018959d790dd1e9d22a540c7)
  • xmppserver/src/test/resources/hello.jar (version 28972842d1d4147e018959d790dd1e9d22a540c7)
• 

  Guus der Kinderen 05 Aug 2019 368db057c0a33b65598c77dc7f8eea8bef1d5c11 m

  OF-1021: Verify JAR content
  Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.
  
  To further guard against malicous files being uploaded, this commit verifies that the uploaded JAR file contains a 'plugin.xml' entry.
  
  The new functionality is controlled by two new properties:
  - plugins.upload.pluginxml-check.enabled A boolean value that enables or disables the check (defaults to true).

  • i18n/src/main/resources/openfire_i18n.properties (version 368db057c0a33b65598c77dc7f8eea8bef1d5c11)
  • xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version 368db057c0a33b65598c77dc7f8eea8bef1d5c11)
• 

  Guus der Kinderen 05 Aug 2019 f1a8ec1f641117c0570e0d6471f63828bc419394 m

  Fixed logged messages.

  • xmppserver/src/main/java/org/jivesoftware/openfire/container/PluginManager.java (version f1a8ec1f641117c0570e0d6471f63828bc419394)
• 

  Guus der Kinderen 05 Aug 2019 72cf4bf6dd5ea7df2ad4f60b8587b4cfcc579d63 m

  OF-1021: Verify content type of uploaded plugins
  Commit 9c62dbf599f266bde214c5a68a004708edc7da48 adds code that removes uploaded files that cannot be parsed as JAR files.
  
  To further guard against malicous files being uploaded, this commit adds functionality to allow to verify the content type, as specified by the browser, of the uploaded file.
  
  As a potential attacker is likely to be able to modify the reported content type. The added security value of this change is therefor not very signification. By default, this functionality is therefor disabled, to prevent valid use cased from being stopped by this.
  
  The new functionality is controlled by two new properties:
  - plugins.upload.content-type-check.enabled A boolean value that enables or disables the check (defaults to false).
  - plugins.upload.content-type-check.expected-value Text value that is the expected content type (defaults to application/x-java-archive).

  • xmppserver/src/main/webapp/plugin-admin.jsp (version 72cf4bf6dd5ea7df2ad4f60b8587b4cfcc579d63)
• 

  Greg Thomas <greg.d.thomas@gmail.com> 04 Aug 2019 ef1c1efe68b5652901d964a7e4817bd33db0479f m

  OF-1820: Ensure that groups are sorted

  • xmppserver/src/main/webapp/group-edit.jsp (version ef1c1efe68b5652901d964a7e4817bd33db0479f)
• 

  Greg Thomas <greg.d.thomas@gmail.com> 04 Aug 2019 a32129a18a0233289bd94590958cb3833aef36b4 m

  OF-1821: Ensure that the ldap.pagedResultsSize is automatically set for ActiveDirectory.

  • i18n/src/main/resources/openfire_i18n.properties (version a32129a18a0233289bd94590958cb3833aef36b4)
  • xmppserver/src/main/java/org/jivesoftware/openfire/ldap/LdapManager.java (version a32129a18a0233289bd94590958cb3833aef36b4)
  • xmppserver/src/main/webapp/setup/ldap-user.jspf (version a32129a18a0233289bd94590958cb3833aef36b4)
  • xmppserver/src/test/java/org/jivesoftware/util/LDAPTest.java (version a32129a18a0233289bd94590958cb3833aef36b4)
• 

  cpetzka <31418387+cpetzka@users.noreply.github.com> 02 Aug 2019 30ad0068207e1fdc8ad62b6756bfb87a83d23d7c m

  Fix that an empty string can not be inserted in ofgroupporp.propvalue

  • distribution/src/database/openfire_oracle.sql (version 30ad0068207e1fdc8ad62b6756bfb87a83d23d7c)
• 

  cpetzka <31418387+cpetzka@users.noreply.github.com> 31 Jul 2019 577448edfa2e8f8b2abd9d27fa5b46ff9a2bb2a3 m

  add debug instruction for IntelliJ IDEA to the README.md

  • README.md (version 577448edfa2e8f8b2abd9d27fa5b46ff9a2bb2a3)
• 

  cpetzka <31418387+cpetzka@users.noreply.github.com> 30 Jul 2019 337c4dca886b03bbe157dc54db36a414cfd57827 m

  update the german translation

  • i18n/src/main/resources/openfire_i18n_de.properties (version 337c4dca886b03bbe157dc54db36a414cfd57827)