[jira] [Commented] (OFBIZ-9804) Link in verification email for Newsletter gives security error

2019-11-02 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16965273#comment-16965273 ]

Jacques Le Roux commented on OFBIZ-9804:


Actually, I'll keep it simple and will simply change 
ContactListEmailTemplate.ftl to also use GET. Because we don't want a form to 
ask, but only to hide parameters. Doing so I found that baseEcommerceSecureUrl 
does not work in ecomseo. I have created OFBIZ-11267 for that.

> Link in verification email for Newsletter gives security error
> --
>
> Key: OFBIZ-9804
> URL: https://issues.apache.org/jira/browse/OFBIZ-9804
> Project: OFBiz
>  Issue Type: Sub-task
>  Components: ecommerce
>Affects Versions: Trunk, Release Branch 16.11
>Reporter: Aditya Sharma
>Assignee: Jacques Le Roux
>Priority: Major
> Attachments: screenshot-1.png
>
>
> Steps to generate:
> 1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
> 2. In "Sign Up For Contact List" panel from the left menu, select Newsletter, 
> provide email and click on subscribe button. (Here you should have email 
> configuration to receive email)
> 3. Click on the verification link in the email.
> It gives the following error message
> {quote}The Following Errors Occurred:
> Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: 
> Found URL parameter [contactListId] passed to secure (https) request-map with 
> uri [updateContactListPartyNoUserLogin] with an event that calls service 
> [updateContactListPartyNoUserLogin]; this is not allowed for security 
> reasons! The data should be encrypted by making it part of the request body 
> (a form field) instead of the request URL. Moreover it would be kind if you 
> could create a Jira sub-task of 
> https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task 
> for this error does not exist). If you are not sure how to create a Jira 
> issue please have a look before at 
> https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices
>  Thank you in advance for your help.{quote}
> Try with the trunk link:
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000=_NA_=2017-10-04%2010:48:46.531=CLPT_ACCEPTED=9084207171=/ecommerce=10010
> Stable 16 link:
> https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000=_NA_=2017-10-04%2010:48:46.531=CLPT_ACCEPTED=9084207171=/ecommerce=10010



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (OFBIZ-9804) Link in verification email for Newsletter gives security error

2019-10-31 Thread Jacques Le Roux (Jira)


[ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16964197#comment-16964197 ]

Jacques Le Roux commented on OFBIZ-9804:


I had a look and we should go another way.

I first thought that we should use a form rather than query parameters as here. 
But then I found that Hans who initiated contactlist emails, i.e.
{quote}
ContactListEmailTemplate.ftl
ContactListSubscribeEmail.ftl
ContactListUnsubscribeEmail.ftl
ContactListUnsubscribeVerifyEmail.ftl
ContactListVerifyEmail.ftl
{quote}
changed back from forms to query parameters in URLs (but for 
ContactListEmailTemplate.ftl that I think he forgot) in 
[r1150558|http://svn.apache.org/viewvc?view=revision=1150558] because
bq. "change from forms to url's because forms not always work with several 
email clients."

[I then read more about 
it|https://www.google.com/search?q=forms+in+email+client=UTF-8] and found 
that it's better to have a link (w/o query parameters) to a form on the server. 
So I'll redo all that...




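The two comments above weigh three shapes for the verification link: the original link that carries every parameter in the query string (which the secure request-map rejects), declaring the request-map as GET so the same link is accepted, and a bare link to a server-side form that POSTs the parameters in the body. The following is an added example written for this thread, not OFBiz's own RequestHandler code: it models the check described in the quoted error message and runs the three shapes through it. The `RequestMap` fields (`secure`, `calls_event`, `method`) are assumed stand-ins for the controller settings, and every parameter value other than `contactListId=9000` is constructed.

```python
"""Simplified model of the 'URL parameter passed to secure request-map' check.

Added example; this is not OFBiz's own code. The request-map attributes are
assumed stand-ins for controller.xml settings, and the sample values are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit


@dataclass(frozen=True)
class RequestMap:
    uri: str
    secure: bool            # request-map requires https
    calls_event: bool       # the map has an event that invokes a service
    method: str = "all"     # assumed: "get" declares the map safe for query parameters


class EventHandlerException(Exception):
    """Raised when parameters arrive in the URL of a secure event request."""


def check_secure_request(rm: RequestMap, url: str, body: Optional[dict] = None) -> dict:
    """Return the merged parameter map, or raise as the quoted error describes.

    Rule modelled: when the request-map is https-only and its event calls a
    service, query-string parameters are refused unless the map is explicitly
    declared GET. Parameters in the request body are always accepted.
    """
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if rm.secure and rm.calls_event and query and rm.method.lower() != "get":
        first = next(iter(query))
        raise EventHandlerException(
            f"Found URL parameter [{first}] passed to secure (https) request-map "
            f"with uri [{rm.uri}]; the data should be part of the request body instead")
    params = dict(body or {})
    params.update(query)
    return params


# Constructed inputs: contactListId matches the report, the other values are made up.
VERIFY_PARAMS = {"contactListId": "9000", "statusId": "CLPT_ACCEPTED",
                 "verifyHash": "EXAMPLE_HASH"}
EVENT_URL = "https://localhost:8443/ecommerce/control/updateContactListPartyNoUserLogin"
EVENT_MAP = RequestMap("updateContactListPartyNoUserLogin", secure=True, calls_event=True)


def original_email_link() -> str:
    """Link as the templates built it: every parameter in the query string."""
    return EVENT_URL + "?" + urlencode(VERIFY_PARAMS)


def scenario_before_fix() -> str:
    """https + event, no GET declaration: the emailed link is rejected."""
    try:
        check_secure_request(EVENT_MAP, original_email_link())
    except EventHandlerException as exc:
        return "rejected: " + str(exc)
    return "accepted"


def scenario_declare_get() -> dict:
    """Fix from the later comment: declare the request-map GET so the same
    link is accepted (the parameters are not secret, only not meant for a form)."""
    get_map = RequestMap(EVENT_MAP.uri, secure=True, calls_event=True, method="get")
    return check_secure_request(get_map, original_email_link())


def scenario_link_to_form() -> dict:
    """Alternative from the earlier comment: the email carries a bare link to a
    server-side page (assumed name), and that page's form POSTs the parameters."""
    landing_map = RequestMap("verifyContactListForm", secure=True, calls_event=False)
    landing_url = "https://localhost:8443/ecommerce/control/verifyContactListForm"
    step1 = check_secure_request(landing_map, landing_url)   # no query string: nothing to refuse
    assert step1 == {}
    return check_secure_request(EVENT_MAP, EVENT_URL, body=VERIFY_PARAMS)


if __name__ == "__main__":
    print(scenario_before_fix())
    print(scenario_declare_get())
    print(scenario_link_to_form())
```

The first scenario reproduces the failure in the report; the other two show why both proposed fixes pass the same check for different reasons: declaring GET changes what the map accepts, while the link-to-form shape changes where the parameters travel.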