Re: Security error in Catalog. Trying to delete

BJ Freeman
forgot this is release 9.04

BJ Freeman sent the following on 4/28/2009 11:20 AM:

> I know this has been discussed on the dev list. I would love to provide
> patches. I am guessing this has to be changed to a post, if I understand
> right.
>
> It seems most of the delete buttons in the catalog section come up with
> similar messages.
> https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0
>
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found
> URL parameter [productStoreId] passed to secure (https) request-map with
> uri [promo_deleteProductStorePromoAppl] with an event that calls service
> [deleteProductStorePromoAppl]; this is not allowed for security reasons!
> The data should be encrypted by making it part of the request body (a
> form field) instead of the request URL.

--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.


Re: Security error in Catalog. Trying to delete

Pranay Pandey-2
If this is release 9.04 and it's a bug then we should not forget this.

Thanks
--
Pranay Pandey




On Apr 29, 2009, at 12:03 AM, BJ Freeman wrote:

> forgot this is release 9.04



Re: Security error in Catalog. Trying to delete

Jacques Le Roux
Administrator
I just had a look at this error. The error msg states it clearly:

Found URL parameter [productStoreId] passed to secure (https) request-map with uri [promo_deleteProductStorePromoAppl] with an event
that calls service [deleteProductStorePromoAppl]; this is not allowed for security reasons! The data should be encrypted by making
it part of the request body (a form field) instead of the request URL.

Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330
(check before if a sub-task for this error does not exist).
If you are not sure how to create a Jira issue please have a look before at http://docs.ofbiz.org/x/r.

Thank you in advance for your help.

Is a sub-task of OFBIZ-2330 created ?

Thanks

Jacques
PS: BTW we have an issue with the new theme: the error msg disappears too quickly, you can't read it. In general I don't like much
how error messages are rendered in the BizznessTime theme. I have added that at
https://issues.apache.org/jira/browse/OFBIZ-2312?focusedCommentId=12706970&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_12706970




Re: Security error in Catalog. Trying to delete

Jacques Le Roux
Administrator
Hi BJ,

Did you create a sub-task of OFBIZ-2330 ?

Thanks

Jacques




Re: Security error in Catalog. Trying to delete

BJ Freeman
In reply to this post by Jacques Le Roux
Just did, thanks.
I was looking where to hook this in

Jacques Le Roux sent the following on 5/9/2009 1:36 PM:

> Hi BJ,
>
> Did you create a sub-task of OFBIZ-2330 ?
>
> Thanks
>
> Jacques

--
BJ Freeman
http://www.businessesnetwork.com/automation
http://bjfreeman.elance.com
http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
Systems Integrator.
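
The following is an added example, not OFBiz source code and not part of any message in this thread: it models the rule stated in the error message quoted above and shows why the delete link is rejected while the same fields sent as a POST form body pass. The class `UrlParamGuard` and its methods are hypothetical names chosen for this illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added illustration, not OFBiz source: a stand-alone model of the rule in the
// error message quoted in this thread. All class and method names are hypothetical.
public class UrlParamGuard {

    // Names of the parameters carried in the raw query string (the part after '?').
    static List<String> urlParameterNames(String rawQuery) {
        List<String> names = new ArrayList<>();
        if (rawQuery == null || rawQuery.isEmpty()) return names;
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq >= 0 ? pair.substring(0, eq) : pair;
            names.add(URLDecoder.decode(name, StandardCharsets.UTF_8));
        }
        return names;
    }

    // Reject a secure request that feeds a service from the URL; body fields pass.
    static void check(boolean secure, String uri, String service, String rawQuery) {
        if (!secure || service == null) return; // rule only covers https + service event
        List<String> names = urlParameterNames(rawQuery);
        if (!names.isEmpty()) {
            throw new IllegalStateException("Found URL parameter [" + names.get(0)
                + "] passed to secure (https) request-map with uri [" + uri
                + "] with an event that calls service [" + service + "]");
        }
    }

    public static void main(String[] args) {
        String uri = "promo_deleteProductStorePromoAppl";
        String service = "deleteProductStorePromoAppl";
        // Query string of the failing delete link quoted in the thread.
        String query = "productStoreId=TestStore&productPromoId=9019"
            + "&fromDate=2009-04-27%2015:11:56.0";
        try {
            check(true, uri, service, query);
        } catch (IllegalStateException e) {
            System.out.println("GET link rejected: " + e.getMessage());
        }
        // Same three fields sent as a POST form body: the URL has no query string.
        check(true, uri, service, null);
        System.out.println("POST form accepted");
    }
}
```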