Fixed: Disable the Birt component in all branches (including trunk) because of CVE-2022-25371 (OFBIZ-12824)
See https://lists.apache.org/thread/bvp3sczqq863lxr1wh7wjvdtjbkcwspq
No patches were provided because only 18.12.06 was affected so far
diff --git a/birt/ofbiz-component.xml b/birt/ofbiz-component.xml
index 5e58dec..7780467 100644
--- a/birt/ofbiz-component.xml
+++ b/birt/ofbiz-component.xml
@@ -18,7 +18,11 @@
under the License.
-->
-<ofbiz-component name="birt" enabled="true"
+<!--
+ Warning: before you enable this component please read:
+https://cwiki.apache.org/confluence/display/OFBIZ/Using+BIRT+with+OFBiz
+-->
+<ofbiz-component name="birt" enabled="false"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://ofbiz.apache.org/dtds/ofbiz-component.xsd">
<resource-loader name="main" type="component"/>
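Review bot: The warning comment added above `<ofbiz-component name="birt" enabled="false"` does not say why the component is disabled; it only links to the wiki page. Naming the advisory in the comment, for example `Warning: disabled by default because of CVE-2022-25371 (OFBIZ-12824); before you enable this component please read:`, would let an operator who sees only this file understand the risk before setting `enabled="true"` again. The change appears to alter only the shipped default, so deployments that carry a locally modified copy of this file would presumably still need to be checked separately; a sentence to that effect in the commit description or release notes would help. The `ofbiz-component` element continues outside the hunk.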
@@ -40,7 +44,7 @@
<entity-resource type="model" reader-name="main" loader="main" location="entitydef/ServiceReportsView.xml"/>
<service-resource type="model" loader="main" location="servicedef/services.xml"/>
-
+
<!-- this overrides the accounting, facility and order applications in order to use Birt in these applications -->
<webapp name="accounting"
title="Accounting"
diff --git a/birt/src/docs/asciidoc/birt.adoc b/birt/src/docs/asciidoc/birt.adoc
index 8c34747..b5851b5 100644
--- a/birt/src/docs/asciidoc/birt.adoc
+++ b/birt/src/docs/asciidoc/birt.adoc
@@ -18,6 +18,13 @@
////
= Birt OFBiz® plugin
The Apache OFBiz Project
+
+[CAUTION]
+====
+By default the Birt plugin is disabled for security reason, see the Birt ofbiz-component.xml file for more info.
+
+====
+
ifdef::backend-pdf[]
:title-logo-image: image::images/OFBiz-Logo.svg[Apache OFBiz Logo, pdfwidth=4.25in, align=center]
:source-highlighter: rouge