Re: Security error in Catalog. Trying to delete

> I know this has been discussed on the dev list. I would love to provide
> patches. I am guessing this has to be changed to a post, if I understand
> right.
>
> it seems most of the delete button in catalog section come up with
> similar messages.
> https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0
>
> Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found
> URL parameter [productStoreId] passed to secure (https) request-map with
> uri [promo_deleteProductStorePromoAppl] with an event that calls service
> [deleteProductStorePromoAppl]; this is not allowed for security reasons!
> The data should be encrypted by making it part of the request body (a
> form field) instead of the request URL.

> If this is release 9.04 and its a bug then we should not forget this.
>
> Thanks
> --
> Pranay Pandey
>
>
>
>
> On Apr 29, 2009, at 12:03 AM, BJ Freeman wrote:
>
>> forgot this is release 9.04
>>
>> BJ Freeman sent the following on 4/28/2009 11:20 AM:
>>> I know this has been discussed on the dev list. I would love to  provide
>>> patches. I am guessing this has to be changed to a post, if I  understand
>>> right.
>>>
>>> it seems most of the delete button in catalog section come up with
>>> similar messages.
>>> https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0
>>>
>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Found
>>> URL parameter [productStoreId] passed to secure (https) request-map  with
>>> uri [promo_deleteProductStorePromoAppl] with an event that calls  service
>>> [deleteProductStorePromoAppl]; this is not allowed for security  reasons!
>>> The data should be encrypted by making it part of the request body (a
>>> form field) instead of the request URL.
>>
>> --
>> BJ Freeman
>> http://www.businessesnetwork.com/automation
>> http://bjfreeman.elance.com
>> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
>> Systems Integrator.
>>
>
>

>I just had a look at this error. The error msg states it clearly
>
> Found URL parameter [productStoreId] passed to secure (https) request-map with uri [promo_deleteProductStorePromoAppl] with an
> event that calls service [deleteProductStorePromoAppl]; this is not allowed for security reasons! The data should be encrypted by
> making it part of the request body (a form field) instead of the request URL.
>
> Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330
> (check before if a sub-task for this error does not exist).
> If you are not sure how to create a Jira issue please have a look before at http://docs.ofbiz.org/x/r.
>
> Thank you in advance for your help.
>
> Is a sub-task of OFBIZ-2330 created ?
>
> Thanks
>
> Jacques
> PS : BTW we have an issue with the new theme : the error msg dissapear too quickly you can't read it. In a general I don't like
> much how error messages are rendered in BizznesTime theme. I have added that at
> https://issues.apache.org/jira/browse/OFBIZ-2312?focusedCommentId=12706970&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_12706970
>
> From: "Pranay Pandey" <[hidden email]>
>> If this is release 9.04 and its a bug then we should not forget this.
>>
>> Thanks
>> --
>> Pranay Pandey
>>
>>
>>
>>
>> On Apr 29, 2009, at 12:03 AM, BJ Freeman wrote:
>>
>>> forgot this is release 9.04
>>>
>>> BJ Freeman sent the following on 4/28/2009 11:20 AM:
>>>> I know this has been discussed on the dev list. I would love to  provide
>>>> patches. I am guessing this has to be changed to a post, if I  understand
>>>> right.
>>>>
>>>> it seems most of the delete button in catalog section come up with
>>>> similar messages.
>>>> https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0
>>>>
>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:  Found
>>>> URL parameter [productStoreId] passed to secure (https) request-map  with
>>>> uri [promo_deleteProductStorePromoAppl] with an event that calls  service
>>>> [deleteProductStorePromoAppl]; this is not allowed for security  reasons!
>>>> The data should be encrypted by making it part of the request body (a
>>>> form field) instead of the request URL.
>>>
>>> --
>>> BJ Freeman
>>> http://www.businessesnetwork.com/automation
>>> http://bjfreeman.elance.com
>>> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
>>> Systems Integrator.
>>>
>>
>>
>
>

> Hi BJ,
>
> Did you create a sub-task of OFBIZ-2330 ?
>
> Thanks
>
> Jacques
>
> From: "Jacques Le Roux" <[hidden email]>
>> I just had a look at this error. The error msg states it clearly
>>
>> Found URL parameter [productStoreId] passed to secure (https)
>> request-map with uri [promo_deleteProductStorePromoAppl] with an event
>> that calls service [deleteProductStorePromoAppl]; this is not allowed
>> for security reasons! The data should be encrypted by making it part
>> of the request body (a form field) instead of the request URL.
>>
>> Moreover it would be kind if you could create a Jira sub-task of
>> https://issues.apache.org/jira/browse/OFBIZ-2330
>> (check before if a sub-task for this error does not exist).
>> If you are not sure how to create a Jira issue please have a look
>> before at http://docs.ofbiz.org/x/r.
>>
>> Thank you in advance for your help.
>>
>> Is a sub-task of OFBIZ-2330 created ?
>>
>> Thanks
>>
>> Jacques
>> PS : BTW we have an issue with the new theme : the error msg dissapear
>> too quickly you can't read it. In a general I don't like much how
>> error messages are rendered in BizznesTime theme. I have added that at
>> https://issues.apache.org/jira/browse/OFBIZ-2312?focusedCommentId=12706970&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#action_12706970
>>
>>
>> From: "Pranay Pandey" <[hidden email]>
>>> If this is release 9.04 and its a bug then we should not forget this.
>>>
>>> Thanks
>>> --
>>> Pranay Pandey
>>>
>>>
>>>
>>>
>>> On Apr 29, 2009, at 12:03 AM, BJ Freeman wrote:
>>>
>>>> forgot this is release 9.04
>>>>
>>>> BJ Freeman sent the following on 4/28/2009 11:20 AM:
>>>>> I know this has been discussed on the dev list. I would love to
>>>>> provide
>>>>> patches. I am guessing this has to be changed to a post, if I
>>>>> understand
>>>>> right.
>>>>>
>>>>> it seems most of the delete button in catalog section come up with
>>>>> similar messages.
>>>>> https://localhost:8443/catalog/control/promo_deleteProductStorePromoAppl?productStoreId=TestStore&productPromoId=9019&fromDate=2009-04-27%2015:11:56.0
>>>>>
>>>>>
>>>>> Error calling event: org.ofbiz.webapp.event.EventHandlerException:
>>>>> Found
>>>>> URL parameter [productStoreId] passed to secure (https)
>>>>> request-map  with
>>>>> uri [promo_deleteProductStorePromoAppl] with an event that calls
>>>>> service
>>>>> [deleteProductStorePromoAppl]; this is not allowed for security
>>>>> reasons!
>>>>> The data should be encrypted by making it part of the request body (a
>>>>> form field) instead of the request URL.
>>>>
>>>> --
>>>> BJ Freeman
>>>> http://www.businessesnetwork.com/automation
>>>> http://bjfreeman.elance.com
>>>> http://www.linkedin.com/profile?viewProfile=&key=1237480&locale=en_US&trk=tab_pro
>>>>
>>>> Systems Integrator.
>>>>
>>>
>>>
>>
>>
>
>
>