[ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-2332:
-----------------------------------

    Description: 
I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] 
=============== Found URL parameter [partyId] passed to secure (https) 
request-map with uri [searchorders] with an event that calls service 
[findOrders]; this is not allowed for security reasons! The data should be 
encrypted by making it part of the request body (a form field) instead of the 
request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that 
this can be changed using the service.http.parameters.require.encrypted 
property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>

<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>



  was:
I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] 
=============== Found URL parameter [partyId] passed to secure (https) 
request-map with uri [searchorders] with an event that calls service 
[findOrders]; this is not allowed for security reasons! The data should be 
encrypted by making it part of the request body (a form field) instead of the 
request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that 
this can be changed using the service.http.parameters.require.encrypted 
property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>

<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>

I will see later, I continue to look at error.log, to see how much we can get 
from here...
Jacques Le Roux added a comment - 20/Apr/09 12:09 PM
I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] 
=============== Found URL parameter [partyId] passed to secure (https) 
request-map with uri [searchorders] with an event that calls service 
[findOrders]; this is not allowed for security reasons! The data should be 
encrypted by making it part of the request body (a form field) instead of the 
request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that 
this can be changed using the service.http.parameters.require.encrypted 
property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>

<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>

I will see later, I continue to look at error.log, to see how much we can get 
from here...



> searchorders security related error
> -----------------------------------
>
>                 Key: OFBIZ-2332
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-2332
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: order
>    Affects Versions: Release Branch 9.04, SVN trunk
>            Reporter: Jacques Le Roux
>             Fix For: Release Branch 9.04, SVN trunk
>
>
> I found this one in error.log on demo server
> 2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] 
> =============== Found URL parameter [partyId] passed to secure (https) 
> request-map with uri [searchorders] with an event that calls service 
> [findOrders]; this is not allowed for security reasons! The data should be 
> encrypted by making it part of the request body (a form field) instead of the 
> request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that 
> this can be changed using the service.http.parameters.require.encrypted 
> property in the url.properties file
> 2 cases
> <a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
> <a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
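
As an added example (not part of the original message and not OFBiz code), this Python script tallies the ServiceEventHandler errors quoted above from an error.log excerpt by request URI, parameter and service, joining wrapped continuation lines first. The function names and every sample entry other than the one quoted in this issue are assumptions.

```python
import re
from collections import Counter

# Matches the ServiceEventHandler message quoted in this issue, after line
# wrapping has been collapsed to single spaces.
PATTERN = re.compile(
    r"Found URL parameter \[(?P<param>[^\]]+)\] passed to secure \(https\) "
    r"request-map with uri \[(?P<uri>[^\]]+)\] with an event that calls "
    r"service \[(?P<service>[^\]]+)\]"
)
# A new log entry starts with a timestamp such as "2009-04-19 16:10:30,520".
ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")

def split_entries(text):
    """Group physical lines into logical entries (continuation lines are joined)."""
    entries, current = [], []
    for line in text.splitlines():
        if ENTRY_START.match(line) and current:
            entries.append(" ".join(current))
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        entries.append(" ".join(current))
    return entries

def url_parameter_violations(text):
    """Count rejected (uri, parameter, service) triples in an error.log excerpt."""
    counts = Counter()
    for entry in split_entries(text):
        m = PATTERN.search(entry)
        if m:
            counts[(m["uri"], m["param"], m["service"])] += 1
    return counts

# Constructed sample: the first entry is the one quoted in this issue (wrapped
# as in the e-mail); the other two entries are invented for the example.
SAMPLE_LOG = """\
2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR]
=============== Found URL parameter [partyId] passed to secure (https)
request-map with uri [searchorders] with an event that calls service
[findOrders]; this is not allowed for security reasons!
2009-04-19 16:11:02,101 (TP-Processor3) [ExampleWorker.java:10:INFO] unrelated line
2009-04-19 16:12:45,007 (TP-Processor9) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons!
"""

if __name__ == "__main__":
    for (uri, param, service), n in url_parameter_violations(SAMPLE_LOG).most_common():
        print(f"{n:3d}  uri={uri}  parameter={param}  service={service}")
```

Each distinct triple in the output points at a link or redirect that still puts that parameter in the query string of a secure request.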
