Fixes Issue 0025023: Security problem on the alert window
authorShankar Balachandran <shankar.balachandran@openbravo.com>
Mon, 27 Jan 2014 14:44:00 +0530
changeset 21871 fcc10a50bab6
parent 21870 a990b760487b
child 21872 7b4ae1da74cb
Fixes Issue 0025023: Security problem on the alert window

Allow only read-only transactions when executing alerts.
src/org/openbravo/erpCommon/ad_callouts/SL_AlertRule_SQL.java
src/org/openbravo/erpCommon/ad_process/AlertProcess.java
--- a/src/org/openbravo/erpCommon/ad_callouts/SL_AlertRule_SQL.java	Mon Jan 27 12:34:47 2014 +0530
+++ b/src/org/openbravo/erpCommon/ad_callouts/SL_AlertRule_SQL.java	Mon Jan 27 14:44:00 2014 +0530
@@ -11,7 +11,7 @@
  * under the License. 
  * The Original Code is Openbravo ERP. 
  * The Initial Developer of the Original Code is Openbravo SLU 
- * All portions are Copyright (C) 2001-2010 Openbravo SLU 
+ * All portions are Copyright (C) 2001-2014 Openbravo SLU 
  * All Rights Reserved. 
  * Contributor(s):  ______________________________________.
  ************************************************************************
@@ -33,6 +33,7 @@
 import org.openbravo.base.secureApp.HttpSecureAppServlet;
 import org.openbravo.base.secureApp.VariablesSecureApp;
 import org.openbravo.erpCommon.utility.Utility;
+import org.openbravo.exception.NoConnectionAvailableException;
 import org.openbravo.utils.FormatUtilities;
 import org.openbravo.xmlEngine.XmlDocument;
 
@@ -82,6 +83,7 @@
       ResultSet result = null;
       PreparedStatement st = null;
       try {
+        this.getConnection().setReadOnly(true);
         st = this.getPreparedStatement(strSQL);
         result = st.executeQuery();
         ResultSetMetaData rmeta = result.getMetaData();
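Review bot: The added `this.getConnection().setReadOnly(true);` acts on whatever connection `getConnection()` returns, while the query on the next line runs on the one `this.getPreparedStatement(strSQL)` obtains; if the provider can hand out different pooled connections for those two calls, the flag never reaches the connection that executes the rule's SQL, so confirm they are the same within a request. Independently, JDBC documents `Connection.setReadOnly` as a hint to the driver rather than a guarantee that writes are rejected, so whether a rule whose SQL performs writes is actually blocked depends on how each supported driver maps it, and that deserves a comment on this line such as `// JDBC read-only is a driver hint; verify each supported driver maps it to a READ ONLY transaction` plus a test with a mutating statement per database. JDBC also forbids calling `setReadOnly` inside an open transaction, so this line will throw if the pooled connection is handed out with uncommitted work. The same points apply to the matching line added in AlertProcess.java. The enclosing method starts and ends outside this hunk.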
@@ -115,11 +117,14 @@
         msg = "error in query: " + FormatUtilities.replaceJS(ex.toString());
       } finally {
         try {
+          this.getConnection().setReadOnly(false);
           if (result != null) {
             result.close();
           }
         } catch (SQLException e) {
           e.printStackTrace();
+        } catch (NoConnectionAvailableException e) {
+          e.printStackTrace();
         }
         try {
           this.releasePreparedStatement(st);
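Review bot: Placing `this.getConnection().setReadOnly(false);` ahead of `result.close()` inside the same try means that a failing reset, whether it throws SQLException or the newly caught NoConnectionAvailableException, skips closing the result set. Moving the reset into its own try/catch after the existing close block keeps the two cleanups independent of each other. Because the flag is set on a pooled connection, a reset that is skipped or fails leaves the next borrower of that connection read-only, which is worth a comment on the reset line, e.g. `// restore pooled connection state; must not prevent the resource cleanup below`. The enclosing method continues past this hunk.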
--- a/src/org/openbravo/erpCommon/ad_process/AlertProcess.java	Mon Jan 27 12:34:47 2014 +0530
+++ b/src/org/openbravo/erpCommon/ad_process/AlertProcess.java	Mon Jan 27 14:44:00 2014 +0530
@@ -111,6 +111,7 @@
     PreparedStatement st = null;
 
     try {
+      connectionProvider.getConnection().setReadOnly(true);
       st = connectionProvider.getPreparedStatement(strSql);
       st.setString(1, alertRuleId);
       result = st.executeQuery();
@@ -141,6 +142,7 @@
       throw new ServletException("@CODE=@" + ex.getMessage());
     } finally {
       try {
+        connectionProvider.getConnection().setReadOnly(false);
         connectionProvider.releasePreparedStatement(st);
       } catch (Exception ignore) {
         ignore.printStackTrace();
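Review bot: In the finally block, `connectionProvider.getConnection().setReadOnly(false);` now precedes `connectionProvider.releasePreparedStatement(st);` in the same try, so if the reset throws, the statement is never released and goes back with the pooled connection. Releasing the statement first, or giving the reset its own try/catch, keeps the two cleanups independent: `try { connectionProvider.releasePreparedStatement(st); } catch (Exception e) { e.printStackTrace(); }` followed by a separate try for the reset. SL_AlertRule_SQL.java has the same ordering in its finally, though there the statement release already sits in its own try. The enclosing method starts outside this hunk.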