[ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16191187#comment-16191187 ]

Jacques Le Roux edited comment on OFBIZ-9804 at 10/4/17 12:28 PM:
------------------------------------------------------------------

Aditya, I reassign to you.

I created OFBIZ-2330 long ago after David (E. Jones) put the warning in code about this security issue. But since then, someone who I trust as much as David told me that this was not really a security issue. So I have to check this assertion before going further.

In the meantime, the same way we used before could be used also here. I just wonder if it's necessary or rather the best way...

was (Author: jacques.le.roux):
Aditya, I reassign to you.

I created OFBIZ-2330 long ago after David (E. Jones) put the warning about this security issue. But since then, someone who I trust as much as David told me that this was not really a security issue. So I have to check this assertion before going further.

In the meantime, the same way we used before could be used also here. I just wonder if it's necessary or rather the best way...

> Link in verification email for Newsletter gives security error
> --------------------------------------------------------------
>
> Key: OFBIZ-9804
> URL: https://issues.apache.org/jira/browse/OFBIZ-9804
> Project: OFBiz
> Issue Type: Sub-task
> Components: ecommerce
> Affects Versions: Trunk, Release Branch 16.11
> Reporter: Aditya Sharma
> Assignee: Aditya Sharma
> Attachments: screenshot-1.png
>
>
> Steps to generate:
> 1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
> 2. In "Sign Up For Contact List" panel from the left menu, select Newsletter, provide email and click on subscribe button. (Here you should have email configuration to receive email)
> 3. Click on the verification link in the email.
> It gives the following error message:
> {quote}The Following Errors Occurred:
> Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [contactListId] passed to secure (https) request-map with uri [updateContactListPartyNoUserLogin] with an event that calls service [updateContactListPartyNoUserLogin]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thank you in advance for your help.{quote}
> Try with the trunk link:
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010
> Stable 16 link:
> https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
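The error message quoted in the issue describes a request-handler rule: when a request-map requires https and its event calls a service, any parameter that arrives in the URL query string is rejected, because URL data survives in server logs, proxy logs, browser history and Referer headers even over TLS; the message asks for the values to be sent in the request body instead. The Python below is an added illustration of that rule and of the form-based rewrite the message suggests. It is not OFBiz code: the `RequestMap` model, the `REQUEST_MAPS` table, `check_request` and `rewrite_as_form` are hypothetical names, and the only request-map entries modelled are the two URIs visible in the issue, using the trunk verification link quoted there as input.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit, urlunsplit


@dataclass(frozen=True)
class RequestMap:
    """Hypothetical model of one controller request-map entry."""
    uri: str
    https: bool             # request-map requires https
    service: Optional[str]  # service invoked by the request-map's event, if any


# Constructed table: only the two URIs that appear in the issue are modelled.
REQUEST_MAPS = {
    "main": RequestMap("main", https=False, service=None),
    "updateContactListPartyNoUserLogin": RequestMap(
        "updateContactListPartyNoUserLogin",
        https=True,
        service="updateContactListPartyNoUserLogin",
    ),
}


class SecureRequestError(Exception):
    """Raised when data that must travel in the body arrives in the URL."""


def check_request(url: str, body_params: Optional[dict] = None) -> dict:
    """Apply the rule from the error message and return the merged parameters.

    A secure (https) request-map whose event calls a service must not receive
    any parameter through the query string; body (form) parameters are fine.
    """
    parts = urlsplit(url)
    uri = parts.path.rsplit("/", 1)[-1]
    request_map = REQUEST_MAPS[uri]
    query_params = {
        k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    if request_map.https and request_map.service and query_params:
        raise SecureRequestError(
            f"Found URL parameter(s) {sorted(query_params)} passed to secure (https) "
            f"request-map with uri [{uri}] with an event that calls service "
            f"[{request_map.service}]; this is not allowed for security reasons!"
        )
    merged = dict(query_params)
    merged.update(body_params or {})
    return merged


def rewrite_as_form(url: str) -> tuple:
    """Split a parameterised link into a bare action URL plus hidden form fields.

    This is the mitigation the error message asks for: a landing page renders
    the fields in a form and POSTs them, so nothing sensitive stays in the URL.
    """
    parts = urlsplit(url)
    fields = {
        k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    action = urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))
    return action, fields


# The trunk verification link quoted in the issue.
TRUNK_LINK = (
    "https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin"
    "?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531"
    "&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce"
    "&preferredContactMechId=10010"
)


if __name__ == "__main__":
    try:
        check_request(TRUNK_LINK)
    except SecureRequestError as err:
        print("rejected:", err)
    action, fields = rewrite_as_form(TRUNK_LINK)
    print("accepted:", check_request(action, fields))
```

Run stand-alone, the script first reproduces the rejection for the link as mailed, then shows the same seven values accepted once they are carried as form fields against the bare request-map URL. The rule only fires for request-maps that are both https and backed by a service, so the unauthenticated `main` page with no query string passes through unchanged.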
