Re: Security error in Catalog. Trying to delete

Thu, 07 May 2009 09:21:56 -0700 

I just had a look at this error. The error msg states it clearly
Found URL parameter [productStoreId] passed to secure (https) request-map with uri [promo_deleteProductStorePromoAppl] with an event that calls service [deleteProductStorePromoAppl]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. 

Moreover it would be kind if you could create a Jira sub-task of 
https://issues.apache.org/jira/browse/OFBIZ-2330
(check before if a sub-task for this error does not exist).
If you are not sure how to create a Jira issue please have a look before at 
http://docs.ofbiz.org/x/r.

Thank you in advance for your help.

Is a sub-task of OFBIZ-2330 created ?

Thanks

Jacques
PS : BTW we have an issue with the new theme : the error msg dissapear too quickly you can't read it. In a general I don't like much how error messages are rendered in BizznesTime theme. I have added that at 
https://issues.apache.org/jira/browse/OFBIZ-2312?focusedCommentId=12706970&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_12706970

From: "Pranay Pandey" <[email protected]>

If this is release 9.04 and its a bug then we should not forget this.

Thanks
--
Pranay Pandey




On Apr 29, 2009, at 12:03 AM, BJ Freeman wrote:


forgot this is release 9.04

BJ Freeman sent the following on 4/28/2009 11:20 AM:

I know this has been discussed on the dev list. I would love to  provide
patches. I am guessing this has to be changed to a post, if I  understand
right.

it seems most of the delete button in catalog section come up with
similar messages.
https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0

Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Found
URL parameter [productStoreId] passed to secure (https) request-map  with
uri [promo_deleteProductStorePromoAppl] with an event that calls  service
[deleteProductStorePromoAppl]; this is not allowed for security  reasons!
The data should be encrypted by making it part of the request body (a
form field) instead of the request URL.


--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.

Reply via email to