You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@ofbiz.apache.org by jo...@apache.org on 2009/04/10 03:41:52 UTC

svn commit: r763855 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Author: jonesde
Date: Fri Apr 10 01:41:52 2009
New Revision: 763855

URL: http://svn.apache.org/viewvc?rev=763855&view=rev
Log:
A small change to address an issue reported by Angelo Matarazzo when HTTPS is disabled and form data is POSTed; note that deploying so that OFBiz doesn't know if the request is over HTTPS or not is NOT recommended as this DOES open a security vulnerability for XSRF and such when data is POSTed not over HTTPS

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java?rev=763855&r1=763854&r2=763855&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/control/RequestHandler.java Fri Apr 10 01:41:52 2009
@@ -183,7 +183,27 @@
                     Locale locale = UtilHttp.getLocale(request);
                     String errMsg = UtilProperties.getMessage("WebappUiLabels", "requestHandler.InsecureFormPostToSecureRequest", locale);
                     Debug.logError("Got a insecure (non-https) form POST to a secure (http) request [" + requestMap.uri + "], returning error", module);
-                    throw new RequestHandlerException(errMsg);
+
+                    // see if HTTPS is enabled, if not then log a warning instead of throwing an exception
+                    Boolean enableHttps = null;
+                    String webSiteId = WebSiteWorker.getWebSiteId(request);
+                    if (webSiteId != null) {
+                        try {
+                            GenericValue webSite = delegator.findByPrimaryKeyCache("WebSite", UtilMisc.toMap("webSiteId", webSiteId));
+                            if (webSite != null) enableHttps = webSite.getBoolean("enableHttps");
+                        } catch (GenericEntityException e) {
+                            Debug.logWarning(e, "Problems with WebSite entity; using global defaults", module);
+                        }
+                    }
+                    if (enableHttps == null) {
+                        enableHttps = UtilProperties.propertyValueEqualsIgnoreCase("url.properties", "port.https.enabled", "Y");
+                    }
+
+                    if (Boolean.FALSE.equals(enableHttps)) {
+                        Debug.logWarning("HTTPS is disabled for this site, so we can't tell if this was encrypted or not which means if a form was POSTed and it was not over HTTPS we don't know, but it would be vulnerable to an XSRF and other attacks: " + errMsg, module);
+                    } else {
+                        throw new RequestHandlerException(errMsg);
+                    }
                 } else {
                     StringBuilder urlBuf = new StringBuilder();
                     urlBuf.append(request.getPathInfo());