This version of the framework is no longer supported. View the latest documentation.

Broadleaf 3.1.13-GA

Released on March 31, 2015

This version of Broadleaf was an emergency patch release to close a security hole present in 3.1.12-GA and below. Before this release, a malicious admin user could hijack the login of another admin user using reset password tokens. This was the extent of the vulnerability: customer (frontend) logins have had this protection from the beginning and did not require a patch.

We strongly recommend an immediate upgrade to this version of Broadleaf 3.1, especially if your admin relies on robust security permissions and has many users.

This release also includes fixes for bundle generation and for a case where order locking could break when the CartStateFilter is invoked multiple times.

Enterprise Dependency

If you are targeting a 1.0 version of Broadleaf Enterprise, you will also need to update to version 1.0.4-GA.

Community Contributions

Part of what makes Broadleaf run is our community involvement. Special thanks to the following people who helped by contributing pull requests and/or filing and testing defects:

smmckay

An at-a-glance view of the issues that were closed in this release:

Critical Bugs (3)

Major Bugs (4)

Minor Bugs (4)

Total Resolved Issues: 11