Hi Ashish,

For the moment I did not find enough time to look seriously at this. So only manual changes are used for now. I hope to have a look at this next week.

Jacques

From: "Ashish Nagar" <ashish.na...@hotwaxmedia.com>
Thanks Jacques,

https://issues.apache.org/jira/browse/OFBIZ-2260 was really getting
messed up with every new reported issue. The idea of creating new subtasks
for each reported bug is good to persist. But I am concerned that
there may be a lot of occurrences of these issues, so fixing each
of these individually by hand (immediate solution) will be hard work.
Could there be some way to automate this task?

Regards,
--
Ashish Nagar

Jacques Le Roux wrote:
I have closed https://issues.apache.org/jira/browse/OFBIZ-2260 which
was ending as a mess and opened a Jira task with already 3
sub-tasks (taken from OFBIZ-2260)

There are also some exceptions like we found in the widget part
(strings with dynamic params names and value), see for instance
OFBIZ-2332.

So at this stage we are caught, we don't accept such URLs but they
are hard to change. And unfortunately this scheme is pretty
often used:
6 ${paramString}</@ofbizUrl>"
26 ${paramList}</@ofbizUrl>"
4 ${parameters.targetRequestUri}</@ofbizUrl>"
I'm not sure there are no other cases.
I believe we should think about a solution for all these exceptions...
Maybe rewriting upstream as David already suggested.

Also, in order to get more feedback, I'd like to add
   "Moreover it would be kind if you could create a Jira sub-task of
https://issues.apache.org/jira/browse/OFBIZ-2330 (check before
if a sub-task for this error does not exist). If you are not sure how
to create a Jira issue please have a look before at
http://docs.ofbiz.org/x/r. Thank you in advance for your help"
at the end of the current error message which is something like
   Found URL parameter [partyId] passed to secure (https) request-map
with uri [searchorders] with an event that calls service
[findOrders]; this is not allowed for security reasons! The data
should be encrypted by making it part of the request body (a form
field) instead of the request URL.; In session
[DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed
using the
service.http.parameters.require.encrypted property in the
url.properties file

What do you think ?

Jacques
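
As an added illustration, not part of the original thread and not OFBiz code: a small Python scan that sorts `<@ofbizUrl>` calls in a template into those whose parameter names are literal and those, like `${paramString}`, where an interpolation supplies the names or the whole URI. The sample template is constructed; only searchorders, findOrders and partyId come from the error message above, and treating any interpolated path as opaque is a conservative assumption.

```python
import re
from collections import Counter

# Constructed sample template (not from the OFBiz code base). searchorders,
# findOrders and partyId appear in the error message quoted in the thread;
# listItems and VIEW_INDEX are made up for illustration.
SAMPLE_FTL = """\
<a href="<@ofbizUrl>main</@ofbizUrl>">Home</a>
<a href="<@ofbizUrl>searchorders?partyId=${partyId}</@ofbizUrl>">Orders</a>
<a href="<@ofbizUrl>findOrders?${paramString}</@ofbizUrl>">Next</a>
<a href="<@ofbizUrl>listItems?VIEW_INDEX=1&amp;${paramList}</@ofbizUrl>">Page</a>
<a href="<@ofbizUrl>${parameters.targetRequestUri}</@ofbizUrl>">Back</a>
"""

MACRO = re.compile(r"<@ofbizUrl[^>]*>(.*?)</@ofbizUrl>", re.DOTALL)
INTERP = re.compile(r"\$\{[^}]*\}")
MASK = "\x00"  # stands in for any ${...} interpolation


def classify(target):
    """Return (kind, names) for the body of one <@ofbizUrl> macro.

    none   - no query string, nothing interpolated
    named  - every parameter name is literal (values may be interpolated)
    opaque - an interpolation supplies parameter names or the URI itself
    """
    masked = INTERP.sub(MASK, target.strip())
    path, has_query, query = masked.partition("?")
    if MASK in path:
        return "opaque", []  # the variable may carry its own query string
    if not has_query:
        return "none", []
    names = []
    for piece in re.split(r"&amp;|&", query):
        name = piece.partition("=")[0]
        if MASK in name:
            return "opaque", names
        if name:
            names.append(name)
    return "named", names


def scan(text):
    """Yield (line_number, kind, names, target) for each macro call in text."""
    for m in MACRO.finditer(text):
        kind, names = classify(m.group(1))
        yield text.count("\n", 0, m.start()) + 1, kind, names, m.group(1)


if __name__ == "__main__":
    findings = list(scan(SAMPLE_FTL))
    for line, kind, names, target in findings:
        print(f"{line}: {kind:6} {names} {target}")
    print(Counter(kind for _, kind, _, _ in findings))
```

The "named" entries list the parameter names a reviewer would expect to see in the error message; the "opaque" entries are the ones the thread calls hard to change.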




