Hello All,
I am working on the latest OFBiz rev. After creating a Sales order, when I try to "Quick Ship Entire Order" in order to proceed further and create a Return, an error occurs in ServiceEventHandler.java:

Found URL parameter [orderId] passed to secure (https) request-map with uri [quickShipOrder] with an event that calls service [quickShipEntireOrder]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.

There has been a recent commit in ServiceEventHandler.java and David is expecting questions/comments after this, so here is my bit :-)

Thanks & Regards
- -
Deepesh
Yes, I did expect questions about this, but not so much from developers...

To fix this the link needs to be changed into a form so that the parameters are encrypted (more secure from snooping, spoofing, etc).

There has been significant discussion around this point, and changes made in various places to fix this, so there are quite a few examples.

Is that something you are working on?

-David

On Mar 23, 2009, at 12:37 AM, Deepesh Kapoor wrote:

> Hello All,
>
> I am working on the latest OFBiz rev. After creating a Sales order, when I try to "Quick Ship Entire Order" in order to proceed further and create a Return, an error occurs in ServiceEventHandler.java:
> Found URL parameter [orderId] passed to secure (https) request-map with uri [quickShipOrder] with an event that calls service [quickShipEntireOrder]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.
> There has been a recent commit in ServiceEventHandler.java and David is expecting questions/comments after this, so here is my bit :-)
>
> Thanks & Regards
> - -
> Deepesh
Thanks for the reply David, yes my present work concerns the return created for the order. I will take the reference from the changes made earlier to fix this.

-
Deepesh

David E Jones wrote:
>
> Yes, I did expect questions about this, but not so much from developers...
>
> To fix this the link needs to be changed into a form so that the parameters are encrypted (more secure from snooping, spoofing, etc).
>
> There has been significant discussion around this point, and changes made in various places to fix this, so there are quite a few examples.
>
> Is that something you are working on?
>
> -David
>
>
> On Mar 23, 2009, at 12:37 AM, Deepesh Kapoor wrote:
>
>> Hello All,
>>
>> I am working on the latest OFBiz rev. After creating a Sales order, when I try to "Quick Ship Entire Order" in order to proceed further and create a Return, an error occurs in ServiceEventHandler.java:
>> Found URL parameter [orderId] passed to secure (https) request-map with uri [quickShipOrder] with an event that calls service [quickShipEntireOrder]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.
>> There has been a recent commit in ServiceEventHandler.java and David is expecting questions/comments after this, so here is my bit :-)
>>
>> Thanks & Regards
>> - -
>> Deepesh
>
Hello All,
I have tried to fix this and provided the patch for the same; here is the URL: https://issues.apache.org/jira/secure/ManageAttachments.jspa?id=12419303

Please have a look and provide suggestions on whether this is the right way to go about it in FTLs to resolve the security issues. In the patch I have tried to resolve the exceptions which occurred while changing order status. If the solution is feasible then this can be done in other FTLs also.

Thanks & Regards
- -
Deepesh

Deepesh Kapoor wrote:
> Thanks for the reply David, yes my present work concerns the return created for the order. I will take the reference from the changes made earlier to fix this.
> -
> Deepesh
>
> David E Jones wrote:
>>
>> Yes, I did expect questions about this, but not so much from developers...
>>
>> To fix this the link needs to be changed into a form so that the parameters are encrypted (more secure from snooping, spoofing, etc).
>>
>> There has been significant discussion around this point, and changes made in various places to fix this, so there are quite a few examples.
>>
>> Is that something you are working on?
>>
>> -David
>>
>>
>> On Mar 23, 2009, at 12:37 AM, Deepesh Kapoor wrote:
>>
>>> Hello All,
>>>
>>> I am working on the latest OFBiz rev. After creating a Sales order, when I try to "Quick Ship Entire Order" in order to proceed further and create a Return, an error occurs in ServiceEventHandler.java:
>>> Found URL parameter [orderId] passed to secure (https) request-map with uri [quickShipOrder] with an event that calls service [quickShipEntireOrder]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.
>>> There has been a recent commit in ServiceEventHandler.java and David is expecting questions/comments after this, so here is my bit :-)
>>>
>>> Thanks & Regards
>>> - -
>>> Deepesh
>>
>
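The check David describes (reject query-string parameters on a secure request-map whose event calls a service) and the fix he prescribes (turn the link into a POST form so the parameters travel in the encrypted request body) are modelled below as an added, stand-alone example. It is not OFBiz code and not Deepesh's patch; the `RequestMap`, `Request`, `check_service_request` and `link_to_form` names, the host in the sample URL and the order id `WS10000` are all invented for illustration. The error text is the one quoted in the thread.

```python
"""Added example (not OFBiz code): the policy behind the ServiceEventHandler
error in the thread, plus the link-to-form fix David recommends.

Why it matters: a parameter in the URL of an https request is still sent over
TLS, but it also lands in browser history, proxy and server access logs and
Referer headers, where TLS does not protect it. A POST body does not.
"""
from dataclasses import dataclass
from html import escape
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class RequestMap:
    """Hypothetical stand-in for an OFBiz controller request-map entry."""
    uri: str
    https: bool                  # request-map marked secure
    service: Optional[str]       # service the event invokes, or None


@dataclass
class Request:
    """Hypothetical stand-in for the incoming servlet request."""
    method: str
    url: str
    body: str = ""
    content_type: str = "application/x-www-form-urlencoded"


def url_params(req: Request) -> Dict[str, List[str]]:
    """Parameters that arrived in the URL query string."""
    return parse_qs(urlsplit(req.url).query, keep_blank_values=True)


def body_params(req: Request) -> Dict[str, List[str]]:
    """Parameters that arrived in a form-encoded request body."""
    if req.content_type.startswith("application/x-www-form-urlencoded"):
        return parse_qs(req.body, keep_blank_values=True)
    return {}


def check_service_request(rmap: RequestMap, req: Request) -> Tuple[bool, str]:
    """Return (allowed, message).

    Mirrors the rule from the thread: a secure request-map that dispatches to
    a service must not take any parameter from the URL, regardless of method.
    """
    if rmap.https and rmap.service is not None:
        for name in url_params(req):
            return False, (
                f"Found URL parameter [{name}] passed to secure (https) "
                f"request-map with uri [{rmap.uri}] with an event that calls "
                f"service [{rmap.service}]; this is not allowed for security "
                "reasons! The data should be encrypted by making it part of "
                "the request body instead of the request URL."
            )
    return True, "ok"


def link_to_form(uri: str, params: Dict[str, str], label: str = "Submit") -> str:
    """Render the same action as a POST form instead of a GET link.

    Each former query parameter becomes a hidden input; values are HTML-escaped
    so an order id containing quotes cannot break out of the attribute.
    """
    hidden = "".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    return (f'<form method="post" action="{escape(uri, quote=True)}">'
            f'{hidden}<input type="submit" value="{escape(label, quote=True)}"/></form>')


if __name__ == "__main__":
    rmap = RequestMap("quickShipOrder", https=True, service="quickShipEntireOrder")
    # Constructed sample: the original link-style request that triggers the error.
    bad = Request("GET", "https://erp.example/ordermgr/control/quickShipOrder?orderId=WS10000")
    print(check_service_request(rmap, bad))
    # Constructed sample: the same action submitted from a POST form.
    good = Request("POST", "https://erp.example/ordermgr/control/quickShipOrder",
                   body="orderId=WS10000")
    print(check_service_request(rmap, good), body_params(good))
    print(link_to_form("quickShipOrder", {"orderId": "WS10000"}, "Quick Ship Entire Order"))
```

Run as-is, the first request is rejected with the thread's error message and the second is accepted with `orderId` read from the body; the printed form is the shape the FTL link needs to take. Note that the check keys on where the parameter came from, not on the HTTP method, so a POST that still carries `?orderId=` in its action URL is rejected too.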