[ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12700894#action_12700894 ]

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

I found this one in error.log on the demo server:

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] 
=============== Found URL parameter [partyId] passed to secure (https) 
request-map with uri [searchorders] with an event that calls service 
[findOrders]; this is not allowed for security reasons! The data should be 
encrypted by making it part of the request body (a form field) instead of the 
request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that 
this can be changed using the service.http.parameters.require.encrypted 
property in the url.properties file

2 cases:

<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&amp;hideFields=Y&amp;partyId=${partyId}&amp;viewIndex=1&amp;viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>

<a href="/ordermgr/control/searchorders?lookupFlag=Y&amp;hideFields=Y&amp;partyId=${partyRow.partyId + externalKeyParam}&amp;viewIndex=1&amp;viewSize=20">${uiLabelMap.OrderOrders}</a>

I will see later; I am continuing to look at error.log to see how much we can get from here...

> Secure URLs in Freemarker templates files
> -----------------------------------------
>
>                 Key: OFBIZ-2260
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2260
>             Project: OFBiz
>          Issue Type: Improvement
>          Components: ALL COMPONENTS
>    Affects Versions: Release Branch 4.0, Release Branch 9.04
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>             Fix For: Release Branch 4.0, Release Branch 9.04
>
>         Attachments: EditCustomTimePeriod.ftl.patch, 
> EditProductFeatures.ftl.patch, listPortalPortlets.patch, OFBIZ-2256.patch, 
> OFBIZ-2260.patch, OFBIZ-2260.patch, orderitems.patch, UpdateLabelsFiles.patch
>
>
> Follow OFBIZ-2256 but for FTL files only

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
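Added example (not part of this JIRA comment and not OFBiz's own code): a small scanner that finds, in FTL source, the kind of link the ServiceEventHandler error above complains about, and rewrites it as the hidden-field POST form the log message recommends. The request-map table, the service IN-parameter list and the sample template are constructed stand-ins for controller.xml and services.xml; the assumption that only parameters the target service declares as inputs are flagged (so partyId trips the check while viewIndex and viewSize do not) is taken from the log line, not from reading the OFBiz source. Form name and the javascript submit link are this example's choices.

```python
"""Find GET links that pass service input parameters to an https request-map in
Freemarker templates, and emit a POST-form replacement (example code, not OFBiz's)."""
import re
from html import unescape

# Constructed stand-in for controller.xml request-maps: uri -> (https?, service called by event).
REQUEST_MAPS = {
    "searchorders": {"https": True, "service": "findOrders"},
    "orderview": {"https": True, "service": None},   # https, but the event calls no service
    "main": {"https": False, "service": None},
}
# Constructed stand-in for the service definition; only these names are assumed to trigger the check.
SERVICE_IN_PARAMS = {
    "findOrders": {"partyId", "orderId", "productId", "roleTypeId"},
}

HREF_RE = re.compile(r'href="([^"]*)"', re.IGNORECASE)
OFBIZ_URL_RE = re.compile(r"<@ofbizUrl>(.*?)</@ofbizUrl>", re.DOTALL)


def parse_link(href):
    """Return (request uri, [(name, value), ...]) for a template href.

    Strips the <@ofbizUrl> macro, undoes &amp; escaping and keeps FTL ${...} expressions
    intact as the parameter values, so the rewrite below can reuse them verbatim."""
    m = OFBIZ_URL_RE.search(href)
    inner = unescape(m.group(1) if m else href)
    path, _, query = inner.partition("?")
    uri = path.rsplit("/", 1)[-1]
    params = []
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        params.append((name, value))
    return uri, params


def leaked_params(href):
    """Names of query-string parameters that the ServiceEventHandler check would reject:
    the request-map is https, its event calls a service, and the name is a service input."""
    uri, params = parse_link(href)
    rmap = REQUEST_MAPS.get(uri)
    if not rmap or not rmap["https"] or not rmap["service"]:
        return []
    in_params = SERVICE_IN_PARAMS.get(rmap["service"], set())
    return [name for name, _ in params if name in in_params]


def scan_template(ftl_text):
    """Return [(line number, uri, [leaked names])] for every offending href in the template."""
    findings = []
    for m in HREF_RE.finditer(ftl_text):
        leaked = leaked_params(m.group(1))
        if leaked:
            line = ftl_text.count("\n", 0, m.start()) + 1
            findings.append((line, parse_link(m.group(1))[0], leaked))
    return findings


def as_post_form(href, label, form_name="searchOrdersForm"):
    """Hardened replacement: same parameters as hidden fields in a POST body, so they travel
    inside the TLS-protected request body rather than in the URL (query strings end up in
    access logs, browser history and Referer headers). Layout is this example's choice."""
    uri, params = parse_link(href)
    hidden = "\n".join(f'  <input type="hidden" name="{n}" value="{v}"/>' for n, v in params)
    return (
        f'<form method="post" action="<@ofbizUrl>{uri}</@ofbizUrl>" name="{form_name}">\n'
        f"{hidden}\n"
        f'  <a href="javascript:document.{form_name}.submit()" class="buttontext">{label}</a>\n'
        "</form>"
    )


# Constructed sample template: the two links from the comment plus two that must not be flagged.
SAMPLE_FTL = """\
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&amp;hideFields=Y&amp;partyId=${partyId}&amp;viewIndex=1&amp;viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
<a href="/ordermgr/control/searchorders?lookupFlag=Y&amp;hideFields=Y&amp;partyId=${partyRow.partyId + externalKeyParam}&amp;viewIndex=1&amp;viewSize=20">${uiLabelMap.OrderOrders}</a>
<a href="<@ofbizUrl>/orderview?orderId=${orderId}</@ofbizUrl>">view</a>
<a href="<@ofbizUrl>/searchorders?viewIndex=1&amp;viewSize=20</@ofbizUrl>">all</a>
"""

if __name__ == "__main__":
    for line, uri, names in scan_template(SAMPLE_FTL):
        print(f"line {line}: service parameters {names} passed in URL to https request-map [{uri}]")
    first_href = HREF_RE.search(SAMPLE_FTL).group(1)
    print(as_post_form(first_href, "${uiLabelMap.OrderOtherOrders}"))
```

The scanner only knows what its constructed tables tell it; pointing it at a real tree means feeding it the secure request-maps and service IN parameters from the actual controller.xml and services.xml. Moving the parameters into a POST body stops them appearing in URLs, but they are still readable by anyone who can see the request body on the server side; the log message is about keeping them out of the URL, not about hiding them from the application.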
