Ha well, I did not think about that, thanks!
I revert...
Jacques
Scott Gray wrote:
Hi Jacques,
In a small way it does hurt because whenever we use "post" instead of "get" the user will be prompted "do you want to submit the form again?" when they click the back button on the browser to go back to one of those screens.
But yeah I wouldn't rely on searching alone unless you are willing to check each target before altering it.
Regards
Scott
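As an added example (not code from the thread or from OFBiz), the check Scott recommends, automated: read the controller's request-maps, keep only those with an <event>, and flag hyperlinks whose target both embeds a query string and points at such a request. The two XML fragments are constructed for the example and `find_url_param_action_links` is my own helper, not an OFBiz API.

```python
"""Lint OFBiz form-widget XML for links that pass parameters in the URL to a
request that has an <event>, i.e. the case the commit log asks to convert to
<parameter> elements. Added example; both XML inputs are constructed."""
import xml.etree.ElementTree as ET

# Constructed controller.xml fragment: EditTask runs an event (a real action),
# orderview is a plain view request with no event attached.
CONTROLLER_XML = """<site-conf>
  <request-map uri="EditTask"><event type="service" invoke="updateWorkEffort"/>
    <response name="success" type="view" value="EditTask"/></request-map>
  <request-map uri="orderview">
    <response name="success" type="view" value="orderview"/></request-map>
</site-conf>"""

# Constructed form-widget fragment with the three link styles seen in the thread.
FORM_XML = """<forms><form name="ListTasks">
  <field name="edit"><hyperlink target="EditTask?workEffortId=${workEffortId}"
    description="Edit"/></field>
  <field name="orderId"><hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
    description="${orderId}" target-type="inter-app"/></field>
  <field name="edit2"><hyperlink target="EditTask" description="Edit">
    <parameter param-name="workEffortId" from-field="workEffortId"/></hyperlink></field>
</form></forms>"""

def action_uris(controller_xml):
    """URIs of request-maps that carry an <event>: only these modify state."""
    root = ET.fromstring(controller_xml)
    return {rm.get("uri") for rm in root.iter("request-map")
            if rm.find("event") is not None}

def find_url_param_action_links(form_xml, actions):
    """Return (target, uri) for every hyperlink/sub-hyperlink whose target
    embeds a query string and resolves to an action request."""
    findings = []
    for link in ET.fromstring(form_xml).iter():
        if link.tag not in ("hyperlink", "sub-hyperlink"):
            continue
        target = link.get("target", "")
        if "?" not in target:
            continue  # parameters already passed via <parameter>, or none at all
        uri = target.split("?", 1)[0].rsplit("/", 1)[-1]  # drop inter-app path
        if uri in actions:
            findings.append((target, uri))
    return findings

if __name__ == "__main__":
    for target, uri in find_url_param_action_links(FORM_XML, action_uris(CONTROLLER_XML)):
        print(f"convert to <parameter>: {target} (request {uri} has an event)")
```

Only the EditTask link is reported; the orderview link keeps its URL parameter because nothing in the controller marks it as an action.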
On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:
I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot more) but thought the others were real actions as they have Edit as prefix in their names. Actually I did not check if they were calling an event. I just did and you are right.
Anyway it does not hurt, and it's finally a good thing that I did not find any real issues :o). I think I should not care anymore. Because if we let some get through they will be detected and signaled as to be reported as a child of OFBIZ-2330 (even if they don't use FTL, but I did not check that either, I suppose it's right since for one year now we got any new issue).
One worry less, great!
Jacques
Scott Gray wrote:
On second look there were no targets in this commit that needed to be secured.
Regards
Scott
On 7/06/2010, at 7:18 PM, Scott Gray wrote:
Quite a few of those links don't actually look like they needed to be secured, i.e. there is no event attached to that uri, orderview for example.
Regards
Scott
HotWax Media
http://www.hotwaxmedia.com
On 7/06/2010, at 7:02 PM, [email protected] wrote:
Author: jleroux
Date: Mon Jun 7 07:02:02 2010
New Revision: 952119
URL: http://svn.apache.org/viewvc?rev=952119&view=rev
Log:
Secure some targets. Note that they have been introduced since OFBIZ-2243 has been closed.
Please, committers, use only target with parameter attribute (not in URL) for link and hyperlink fields when there is an action (i.e. DB modification).
Modified:
ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun 7 07:02:02
2010 @@ -215,7 +215,12 @@ under the License.
<field name="paymentId"><hyperlink target="paymentOverview?paymentId=${paymentId}"
description="${paymentId}"/></field>
<field name="amount"><display type="currency"
currency="${currencyUomId}"/></field>
<field name="origAmount"><display type="currency"
currency="${origCurrencyUomId}"/></field>
- <field name="acctgTransId"><hyperlink description="${acctgTransId}"
target="EditAcctgTrans?acctgTransId=${acctgTransId}&organizationPartyId=${organizationPartyId}"/></field>
+ <field
name="acctgTransId"> + <hyperlink description="${acctgTransId}"
target="EditAcctgTrans">
+ <parameter param-name="acctgTransId"
from-field="acctgTransId"/>
+ <parameter param-name="organizationPartyId"
from-field="organizationPartyId"/>
+ </hyperlink>
+ </field>
<field name="acctgTransTypeId"
title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
entity-name="AcctgTransType"/></field> <field name="glJournalId"
title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity
entity-name="GlJournal"
description="${glJournalName}"/></field> <field name="glAccountTypeId"
title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity
entity-name="GlAccountType"/></field>
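Review bot: nothing in this hunk shows that EditAcctgTrans is backed by an event rather than a plain view request, so before moving acctgTransId and organizationPartyId into <parameter> elements, confirm in the controller's request-map that the target actually has an <event>; if it does not, the change has no effect on how the link is secured and only grows the field from one line to six (the header already goes from 7 to 12 lines). The neighbouring context line `target="paymentOverview?paymentId=${paymentId}"` keeps its URL parameter, so either both links warrant the conversion or neither does; the mixed style in one block invites the wrong conclusion about which links are actions.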
Modified:
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
(original) +++
ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml Mon
Jun 7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
License. <auto-fields-entity entity-name="PaymentGatewayConfig"
default-field-type="display"/>
<field name="paymentGatewayConfigId"><hidden/></field>
<field name="description"
title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
- <hyperlink description="${description}"
target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
+ <hyperlink
description="${description}" target="EditPaymentGatewayConfig"> +
<parameter
param-name="paymentGatewayConfigId" from-field="paymentGatewayConfigId"/> +
</hyperlink>
</field>
<field name="paymentGatewayConfigTypeId"
title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
<display-entity entity-name="PaymentGatewayConfigType"
key-field-name="paymentGatewayConfigTypeId"
description="${description}"/> @@ -385,7 +387,9 @@ under the License.
<auto-fields-entity entity-name="PaymentGatewayConfigType"
default-field-type="display"/>
<field name="paymentGatewayConfigTypeId"><hidden/></field>
<field name="description"
title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
- <hyperlink description="${description}"
target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
+ <hyperlink
description="${description}" target="EditPaymentGatewayConfigType"> + <parameter
param-name="paymentGatewayConfigTypeId"
from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
</field>
</form>
Modified: ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml (original)
+++
ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun 7
07:02:02 2010 @@ -199,7 +199,9 @@ under the
License. <form name="LookupAssociatedProducts" type="multi" use-row-submit="true"
list-name="productList" title=""
target="BulkAddProducts" paginate-target="LookupAssociatedProducts"
default-title-style="tableheadtext"
default-widget-style="inputBox" default-tooltip-style="tabletext"> <field
name="productId"
title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> - <hyperlink
description="${productId}"
target="/catalog/control/EditProductInventoryItems?productId=${productId}"
target-type="inter-app"/> + <hyperlink
description="${productId}" target="/catalog/control/EditProductInventoryItems"
target-type="inter-app"> + <parameter
param-name="productId" from-field="productId"/> + </hyperlink>
</field>
<field name="brandName"
title="${uiLabelMap.ProductBrandName}"><display/></field>
<field name="internalName"><display/></field>
Modified:
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
(original) +++
ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml Mon
Jun 7 07:02:02 2010 @@ -287,7 +287,9 @@ under
the License. <field name="communicationEventId"><display/></field>
<field name="contactListId" use-when="contactListId!=null">
<display-entity entity-name="ContactList"
description="${contactListName}">
- <sub-hyperlink
target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
description="[${communicationEvent.contactListId}]" target-type="inter-app"/> +
<sub-hyperlink
target="/marketing/control/EditContactList"
description="[${communicationEvent.contactListId}]" target-type="inter-app"> +
<parameter param-name="contactListId" from-field="communicationEvent.contactListId"/>
+ </sub-hyperlink>
</display-entity>
</field>
<field name="partyIdFrom" use-when=""my"==void"
title="${uiLabelMap.PartyPartyFrom}">
@@ -470,7 +472,9 @@ under the License.
</service>
</actions>
<field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
- <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
description="${orderId}"
target-type="inter-app"/> + <hyperlink target="/ordermgr/control/orderview"
description="${orderId}"
target-type="inter-app"> + <parameter param-name="orderId"
from-field="orderId"/>
+ </hyperlink>
</field>
<field name="communicationEventId">
<hyperlink description="${communicationEventId}"
target="ViewCommunicationEvent">
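Review bot: `/ordermgr/control/orderview` is a view request with no event attached (as noted earlier in the thread), so moving orderId from the query string into `<parameter param-name="orderId" from-field="orderId"/>` does not change how this link is secured; the edit is harmless but unnecessary, and the convention in the commit log (parameters instead of URL only where there is an action) argues for leaving view links alone so that the parameter style remains a reliable marker of state-changing targets.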
@@ -1022,7 +1026,9 @@ under the License.
<set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
</row-actions>
<field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}"
widget-style="buttontext">
- <hyperlink target="/ordermgr/control/orderview?orderId=${orderId}"
description="${orderId}"
target-type="inter-app"/> + <hyperlink target="/ordermgr/control/orderview"
description="${orderId}"
target-type="inter-app"> + <parameter param-name="orderId"
from-field="orderId"/>
+ </hyperlink>
</field>
<field name="communicationEventId"><hidden/></field>
<field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
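Review bot: same point as for the hunk at line 470: this orderview link at line 1022 is a view, not an action, so the <parameter> conversion here does not secure anything and could be dropped to keep the parameter style reserved for targets with an event.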
Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml (original) +++
ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun 7
07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
License.
<form name="ListCommEvents" list-name="communicationEvents" type="list"
header-row-style="header-row"
default-table-style="basic-table"> <field name="communicationEventId"
widget-style="buttontext">
- <hyperlink description="${communicationEventId}"
target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}"
target-type="inter-app"/> +
<hyperlink description="${communicationEventId}"
target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> +
<parameter param-name="communicationEventId" from-field="communicationEventId"/> +
</hyperlink>
</field>
<field name="subject"><display/></field>
<field name="communicationEventTypeId"><display-entity description="${description}"
entity-name="CommunicationEventType"
key-field-name="communicationEventTypeId"/></field>
Modified:
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
(original) +++
ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
Mon Jun 7 07:02:02 2010 @@ -50,7 +50,9 @@
under the License. <auto-fields-entity entity-name="ShipmentGatewayConfig"
default-field-type="display"/>
<field name="shipmentGatewayConfigId"><hidden/></field>
<field name="description"
title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
- <hyperlink description="${description}"
target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
+ <hyperlink
description="${description}" target="EditShipmentGatewayConfig"> +
<parameter
param-name="shipmentGatewayConfigId" from-field="shipmentGatewayConfigId"/> +
</hyperlink>
</field>
<field name="shipmentGatewayConfTypeId"
title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
<display-entity entity-name="ShipmentGatewayConfigType"
key-field-name="shipmentGatewayConfTypeId"
description="${description}"/> @@ -313,7 +315,9 @@ under the License.
<auto-fields-entity entity-name="ShipmentGatewayConfigType"
default-field-type="display"/>
<field name="shipmentGatewayConfTypeId"><hidden/></field>
<field name="description"
title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
- <hyperlink description="${description}"
target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
+ <hyperlink
description="${description}" target="EditShipmentGatewayConfigType"> +
<parameter
param-name="shipmentGatewayConfTypeId" from-field="shipmentGatewayConfTypeId"/> +
</hyperlink>
</field>
</form>
Modified: ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
==============================================================================
---
ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml (original)
+++
ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon Jun 7
07:02:02 2010 @@ -340,7 +340,9 @@
<field name="estimatedStartDate"
title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time type="date"/></field>
<field name="estimatedCompletionDate"
title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
type="date"/></field> <field name="edit" title=" ">
- <hyperlink target="EditTask?workEffortId=${workEffortId}"
description="${uiLabelMap.CommonEdit}"/>
+ <hyperlink target="EditTask"
description="${uiLabelMap.CommonEdit"}>
+ <parameter param-name="workEffortId"
from-field="workEffortId}"/>
+ </hyperlink>
</field>
<field name="submitButton" title="${uiLabelMap.CommonUpdate}"><submit
button-type="button"/></field>
</form>
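Review bot: the two added lines `description="${uiLabelMap.CommonEdit"}>` and `from-field="workEffortId}"/>` are malformed: in the first the closing `}` of the `${...}` expression has been swapped with the closing quote, leaving a stray `}` outside the attribute value and making the element invalid XML, and in the second the value carries a trailing `}` so it no longer names the `workEffortId` field. They should read `description="${uiLabelMap.CommonEdit}">` and `from-field="workEffortId"/>`. This looks like a slip of the regex search/replace mentioned in the thread; running the touched widget files through an XML parser before committing would have caught it.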