[ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17842643#comment-17842643 ]
ASF subversion and git services commented on OFBIZ-9804:
--------------------------------------------------------
Commit 2b08b865bce25cde5d55d1762d89c96bcaa92e95 in ofbiz-plugins's branch
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-plugins.git;h=2b08b865b ]
Fixed: Link in verification email for Newsletter gives security error
(OFBIZ-9804)
It's a bit of an abuse to reuse this Jira issue, but as it's a really trivial fix...
> Link in verification email for Newsletter gives security error
> --------------------------------------------------------------
>
> Key: OFBIZ-9804
> URL: https://issues.apache.org/jira/browse/OFBIZ-9804
> Project: OFBiz
> Issue Type: Sub-task
> Components: ecommerce
> Affects Versions: Release Branch 16.11, Trunk
> Reporter: Aditya Sharma
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.01, 18.12.01
>
> Attachments: screenshot-1.png
>
>
> Steps to generate:
> 1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
> 2. In "Sign Up For Contact List" panel from the left menu, select Newsletter,
> provide email and click on subscribe button. (Here you should have email
> configuration to receive email)
> 3. Click on the verification link in the email.
> It gives the following error message:
> {quote}The Following Errors Occurred:
> Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException:
> Found URL parameter [contactListId] passed to secure (https) request-map with
> uri [updateContactListPartyNoUserLogin] with an event that calls service
> [updateContactListPartyNoUserLogin]; this is not allowed for security
> reasons! The data should be encrypted by making it part of the request body
> (a form field) instead of the request URL. Moreover it would be kind if you
> could create a Jira sub-task of
> https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task
> for this error does not exist). If you are not sure how to create a Jira
> issue please have a look before at
> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
> Thank you in advance for your help.{quote}
> Try with the trunk link:
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010
> Stable 16 link:
> https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010