Hello All,
I have tried to fix this and have provided a patch for it; here is the URL:
https://issues.apache.org/jira/secure/ManageAttachments.jspa?id=12419303
Please have a look and provide suggestions on whether this is the right
way to go about it in FTLs to resolve the security issues. In the patch I
have tried to resolve the exceptions which occurred while changing the
order status. If the solution is feasible, then this can be done in other
FTLs also.
Thanks & Regards
- -
Deepesh
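For readers who want to see what "changing the link into a form" looks like in a FreeMarker template, here is an added example; it is not taken from the thread or from the JIRA patch, and it assumes a secure request-map named quickShipOrder and an orderHeader object in the template context.

```ftl
<#-- Added example, not code from the thread or the JIRA patch.
     Assumed: a request-map "quickShipOrder" marked secure (https) and an
     "orderHeader" object with an orderId field in the template context. -->

<#-- Before: orderId travels in the URL of a GET link. TLS encrypts the
     query string on the wire, but the value still ends up in browser
     history, proxy and server access logs and Referer headers, and the
     ServiceEventHandler check quoted below rejects exactly this shape. -->
<a href="<@ofbizUrl>quickShipOrder?orderId=${orderHeader.orderId}</@ofbizUrl>"
   class="buttontext">Quick Ship Entire Order</a>

<#-- After: the same parameter is sent in the request body of a POST.
     The event handler no longer sees a URL parameter, and a
     state-changing action is no longer reachable by following a link. -->
<form method="post" action="<@ofbizUrl>quickShipOrder</@ofbizUrl>"
      name="quickShipOrderForm">
  <input type="hidden" name="orderId" value="${orderHeader.orderId}"/>
  <input type="submit" class="buttontext" value="Quick Ship Entire Order"/>
</form>

<#-- If the page layout needs the control to stay a link rather than a
     button, keep the hidden form and submit it from the link: -->
<a href="javascript:document.quickShipOrderForm.submit()"
   class="buttontext">Quick Ship Entire Order</a>
```

The check in ServiceEventHandler only complains about parameters found in the URL of a secure request-map, so the hidden-input form above is what the handler is steering templates toward: the parameter moves from the query string into the body, and the link text is unchanged for the user.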
Deepesh Kapoor wrote:
Thanks for the reply David, yes, my present work concerns the return
created for the order. I will take the reference from the changes made
earlier to fix this.
-
Deepesh
David E Jones wrote:
Yes, I did expect questions about this, but not so much from
developers...
To fix this the link needs to be changed into a form so that the
parameters are encrypted (more secure from snooping, spoofing, etc).
There has been significant discussion around this point, and changes
made in various places to fix this, so there are quite a few examples.
Is that something you are working on?
-David
On Mar 23, 2009, at 12:37 AM, Deepesh Kapoor wrote:
Hello All,
I am working on the latest OFBiz rev. After creating a sales order, when I
try to "Quick Ship Entire Order" in order to proceed further and
create a return, an error occurs in ServiceEventHandler.java:
Found URL parameter [orderId] passed to secure (https) request-map
with uri [quickShipOrder] with an event that calls service
[quickShipEntireOrder]; this is not allowed for security reasons!
The data should be encrypted by making it part of the request body
instead of the request URL.
There has been a recent commit in ServiceEventHandler.java and David
is expecting questions/comments after this, so here is my bit :-)
Thanks & Regards
- -
Deepesh