Problem while performing Quick Ship Entire Order

Problem while performing Quick Ship Entire Order

Deepesh Kapoor
Hello All,

I am working on the latest OFBiz rev. After creating a Sales Order, when I try
to "Quick Ship Entire Order" in order to proceed further and create a
Return, an error occurs in ServiceEventHandler.java:
 Found URL parameter [orderId] passed to secure (https) request-map with
uri [quickShipOrder] with an event that calls service
[quickShipEntireOrder]; this is not allowed for security reasons! The
data should be encrypted by making it part of the request body instead
of the request URL.
There has been a recent commit in ServiceEventHandler.java and David is
expecting questions/comments after this, so here is my bit :-)

Thanks & Regards
- -
Deepesh

Re: Problem while performing Quick Ship Entire Order

David E Jones-3

Yes, I did expect questions about this, but not so much from developers...

To fix this the link needs to be changed into a form so that the parameters are encrypted (more secure from snooping, spoofing, etc).

There has been significant discussion around this point, and changes made in various places to fix this, so there are quite a few examples.

Is that something you are working on?

-David


On Mar 23, 2009, at 12:37 AM, Deepesh Kapoor wrote:


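As an added illustration (not OFBiz's own code and not taken from David's commit), here is a simplified Java version of the check behind the error quoted above: only the raw query string is inspected, because the servlet API's getParameter() merges URL and body parameters and would hide where a value came from, and any parameter of the target service found there on an https request-map is rejected. The service parameter set and the order id used in the demo are assumed values, not from the page.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.*;

/** Simplified model of the "URL parameter on secure request-map" check (illustration only). */
public class SecureRequestParamCheck {

    /** Parameter names present in the raw query string, percent-decoded. */
    static Set<String> queryStringParamNames(String queryString) {
        Set<String> names = new LinkedHashSet<>();
        if (queryString == null || queryString.isEmpty()) return names;
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (!name.isEmpty()) {
                names.add(URLDecoder.decode(name, StandardCharsets.UTF_8));
            }
        }
        return names;
    }

    /**
     * Returns the service parameters that arrived in the URL of a secure (https)
     * request-map, or an empty list when the request is acceptable. The body is
     * deliberately not inspected: values sent there are what the check wants.
     * serviceParams is assumed here; OFBiz would take it from the service model.
     */
    static List<String> findUrlParamsOnSecureRequest(boolean secureRequestMap,
            String queryString, Set<String> serviceParams) {
        List<String> offending = new ArrayList<>();
        if (!secureRequestMap) return offending;  // only https request-maps are guarded
        for (String name : queryStringParamNames(queryString)) {
            if (serviceParams.contains(name)) offending.add(name);
        }
        return offending;
    }

    public static void main(String[] args) {
        // Assumed in-parameters of quickShipEntireOrder; constructed order id for the demo.
        Set<String> quickShipParams = Set.of("orderId", "facilityId");

        // The link form from the first message: orderId travels in the URL -> rejected.
        List<String> bad = findUrlParamsOnSecureRequest(true, "orderId=DEMO10010", quickShipParams);
        System.out.println(bad.isEmpty() ? "ok"
            : "Found URL parameter " + bad + " on secure request-map [quickShipOrder]; rejected");

        // The form version David describes: orderId in the POST body, nothing in the URL -> ok.
        List<String> good = findUrlParamsOnSecureRequest(true, null, quickShipParams);
        System.out.println(good.isEmpty() ? "ok: parameters are in the request body" : "rejected");
    }
}
```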

Re: Problem while performing Quick Ship Entire Order

Deepesh Kapoor
Thanks for the reply David. Yes, my present work concerns the return
created for the order. I will take reference from the changes made
earlier to fix this.
-
Deepesh

Re: Problem while performing Quick Ship Entire Order

Deepesh Kapoor
Hello All,

I have tried to fix this and provided a patch for the same; here is the URL:

https://issues.apache.org/jira/secure/ManageAttachments.jspa?id=12419303

Please have a look and provide suggestions on whether this is the right
way to go about it in FTLs to resolve the security issues. In the patch I
have tried to resolve the exceptions which occurred while changing the
order status. If the solution is feasible then this can be done in other
FTLs also.

Thanks & Regards
- -
Deepesh
