Author: jonesde
Date: Sun Mar  8 19:48:00 2009
New Revision: 751510

URL: http://svn.apache.org/viewvc?rev=751510&view=rev
Log:
Added a comment about GET vs POST in this case: any request whose event 
calls a service should use POST, with the parameters carried in the body

Modified:
    
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

Modified: 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: 
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=751510&r1=751509&r2=751510&view=diff
==============================================================================
--- 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
 (original)
+++ 
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
 Sun Mar  8 19:48:00 2009
@@ -41,6 +41,7 @@
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilGenerics;
 import org.ofbiz.base.util.UtilHttp;
 import org.ofbiz.base.util.UtilProperties;
 import org.ofbiz.base.util.UtilValidate;
@@ -164,7 +165,7 @@
 
             List<FileItem> uploadedItems = null;
             try {
-                uploadedItems = upload.parseRequest(request);
+                uploadedItems = 
UtilGenerics.<FileItem>checkList(upload.parseRequest(request));
             } catch (FileUploadException e) {
                 throw new EventHandlerException("Problems reading uploaded 
data", e);
             }
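Review bot: The `UtilGenerics.<FileItem>checkList(...)` wrapper on the new side is only an unchecked cast of the raw `List` returned by `parseRequest`, so it should be understood as a compile-time convenience and not as validation of the upload. The `upload` object this hunk parses with is constructed outside the hunk, so I cannot see whether a request/file size cap (`setSizeMax`/`setFileSizeMax`) is applied; if it is not, `parseRequest` will buffer an unbounded multipart body before the `FileUploadException` path is ever reached — worth confirming where `upload` is built. A short comment such as `// checkList only narrows the raw List; size limits are enforced by the ServletFileUpload configured above` would make that division of responsibility explicit. The enclosing method starts before and continues after this hunk.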
@@ -270,7 +271,8 @@
                             Debug.logWarning(errMsg, module);
                             throw new EventHandlerException(errMsg);
                         }
-                        // TODO: may want to allow parameters that map to 
entity PK fields to be in the URL, but that might be a big security hole since 
there are certain security sensitive entities that are made of only PK fields, 
or that only need PK fields to function (like UserLoginSecurityGroup)
+                        // NOTTODO: may want to allow parameters that map to 
entity PK fields to be in the URL, but that might be a big security hole since 
there are certain security sensitive entities that are made of only PK fields, 
or that only need PK fields to function (like UserLoginSecurityGroup)
+                        // NOTTODO: we could allow URL parameters when it is 
not a POST (ie when !request.getMethod().equalsIgnoreCase("POST")), but that 
would open a security hole where sensitive parameters can be passed on the URL 
in a GET/etc and bypass this security constraint
                     }
                     
                     // use the rawParametersMap from UtilHttp in order to also 
get pathInfo parameters, do canonicalization, etc
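Review bot: The two `NOTTODO` markers are a non-standard tag that TODO-scanning tooling will still match on the substring and readers may misparse as "to do"; since both lines record a deliberate security decision not to loosen the check, a conventional marker reads better, e.g. `// NOTE(security): do NOT allow PK-field parameters in the URL -- ...` and `// NOTE(security): do NOT relax this for non-POST requests -- ...`, keeping the existing rationale text after each. It may also be worth stating in the same comment that the constraint applies to every HTTP method, since the second comment explicitly considers and rejects a `!request.getMethod().equalsIgnoreCase("POST")` carve-out. The commit log says service-calling events "should use POST with body parameters", but the visible code only rejects URL-sourced parameters and does not itself reject other methods; if an explicit method check is intended, it is not part of this hunk and would need a separate change. The enclosing method starts before and continues after this hunk.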

