You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2009/04/22 23:42:47 UTC

[jira] Commented: (OFBIZ-2332) searchorders security related error

    [ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12701694#action_12701694 ] 

Jacques Le Roux commented on OFBIZ-2332:
----------------------------------------

The decision on ML is to rewrite all. More work but certainly the better solution...

> searchorders security related error
> -----------------------------------
>
>                 Key: OFBIZ-2332
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2332
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: order
>    Affects Versions: Release Branch 9.04, SVN trunk
>            Reporter: Jacques Le Roux
>             Fix For: Release Branch 9.04, SVN trunk
>
>
> I found this one in error.log on demo server
> 2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file
> 2 cases
> <a href="<@o...@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
> <a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>
> I will see later, I continue to look at error.log, to see how much we can get from here...
> [ Afficher ยป ]
> Jacques Le Roux added a comment - 20/avr./09 12:09 PM I found this one in error.log on demo server 2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file 2 cases <a href="<@o...@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a> <a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a> I will see later, I continue to look at error.log, to see how much we can get from here...

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.