Posted to commits@ofbiz.apache.org by jl...@apache.org on 2009/04/23 00:02:28 UTC

svn commit: r767688 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

Author: jleroux
Date: Wed Apr 22 22:02:27 2009
New Revision: 767688

URL: http://svn.apache.org/viewvc?rev=767688&view=rev
Log:
As suggested on the dev mailing list, add an error message with more information to help track down unsecured URLs in FreeMarker templates

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=767688&r1=767687&r2=767688&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Wed Apr 22 22:02:27 2009
@@ -389,18 +389,26 @@
         if (Debug.verboseOn()) Debug.logVerbose("[Event Return]: " + responseString, module);
         return responseString;
     }
-    
+
     public static void checkSecureParameter(RequestMap requestMap, Set<String> urlOnlyParameterNames, String name, HttpSession session, String serviceName) throws EventHandlerException {
         // special case for security: if this is a request-map defined as secure in controller.xml then only accept body parameters coming in, ie don't allow the insecure URL parameters
         // NOTE: the RequestHandler will check the HttpSerletRequest security to make sure it is secure if the request-map -> security -> https=true, but we can't just look at the request.isSecure() method here because it is allowed to send secure requests for request-map with https=false
         if (requestMap != null && requestMap.securityHttps) {
             if (urlOnlyParameterNames.contains(name)) {
-                String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri [" + requestMap.uri + "] with an event that calls service [" + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.";
+                String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri ["
+                    + requestMap.uri + "] with an event that calls service ["
+                    + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body "
+                    + "(a form field) instead of the request URL."
+                    + "\n\nMoreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 "
+                    + "\n(check before if a sub-task for this error does not exist)."
+                    + "\nIf you are not sure how to create a Jira issue "
+                    + "please have a look before at http://docs.ofbiz.org/x/r."
+                    + "\nThank you in advance for your help.";
                 Debug.logError("=============== " + errMsg + "; In session [" + session.getId() + "]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file", module);
-                
+
                 // the default here is true, so anything but N/n is true
                 boolean requireEncryptedServiceWebParameters = !UtilProperties.propertyValueEqualsIgnoreCase("url.properties", "service.http.parameters.require.encrypted", "N");
-                
+
                 // NOTE: this forces service call event parameters to be in the body and not in the URL! can be issues with existing links, like Delete links or whatever, and those need to be changed to forms!
                 if (requireEncryptedServiceWebParameters) {
                     throw new EventHandlerException(errMsg);
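Review bot: The Jira and documentation instructions appended to `errMsg` are developer guidance, but `errMsg` is both logged and used as the message of the `EventHandlerException` thrown at the end of the hunk, so when `service.http.parameters.require.encrypted` is enabled this text, together with the request-map uri and service name already in the message, may be rendered to whoever sent the offending request rather than staying in the server log. Keep the thrown message to the first sentence and attach the added guidance only on the log side, e.g. `String devHint = "\n\nMoreover it would be kind if ...";` followed by `Debug.logError("=============== " + errMsg + devHint + "; In session [" + session.getId() + "]; Note that ...", module);` while `throw new EventHandlerException(errMsg);` stays as is. Whether the exception message actually reaches the client depends on the error-page handling, which is outside this hunk, so treat the exposure as likely rather than certain. The body of `checkSecureParameter` continues past the end of the hunk.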