You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (Jira)" <ji...@apache.org> on 2019/11/02 08:29:00 UTC

[jira] [Commented] (OFBIZ-9804) Link in verification email for Newsletter gives security error

    [ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16965273#comment-16965273 ] 

Jacques Le Roux commented on OFBIZ-9804:
----------------------------------------

Actually, I'll keep it simple and will smply change ContactListEmailTemplate.ftl to also use GET. Because we dont' want a form to ask, but only to hide parameters. Doing so I found that baseEcommerceSecureUrl does not work in ecomseo. I have created OFBIZ-11267 for that.

> Link in verification email for Newsletter gives security error
> --------------------------------------------------------------
>
>                 Key: OFBIZ-9804
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9804
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Aditya Sharma
>            Assignee: Jacques Le Roux
>            Priority: Major
>         Attachments: screenshot-1.png
>
>
> Steps to generate:
> 1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
> 2. In "Sign Up For Contact List" panel from the left menu, select Newsletter, provide email and click on subscribe button.(Here you should have email configuration to receive email)
> 3.  Click on the verification link in the email.
> It gives following error message
> {quote}The Following Errors Occurred:
> Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [contactListId] passed to secure (https) request-map with uri [updateContactListPartyNoUserLogin] with an event that calls service [updateContactListPartyNoUserLogin]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thank you in advance for your help.{quote}
> Try with the trunk link:
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010
> Stable 16 link:
> https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010



--
This message was sent by Atlassian Jira
(v8.3.4#803005)