[jira] Created: (OFBIZ-2260) Secure URLs in Freemarker templates files

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12697874#action_12697874 ]

Rohit Sureka commented on OFBIZ-2260:
-------------------------------------

The following URL, needs to be fixed. it throws up the security error.

https://www.example.com/catalog/control/RemoveFeatureFromProduct?productId=11001&productFeatureId=10165&fromDate=2003-11-20%2013:50:07.796



--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12698001#action_12698001 ]

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

Ashish,

Sorry, I had to totally revert your patch (but 3 files), please see my comment in r764077

Cjay, are you sure that the change you submitted were needed ? (I see deleteCustomTimePeriod is a service, but I did not reproduce the error but another one, not related to secure URLs thing)

BTW the issue I get is
Type conversion of field [fromDate] to type [java.sql.Date] failed for value "Apr 1, 2009": org.ofbiz.base.util.GeneralException: Could not convert Apr 1, 2009 to java.sql.Date: (Unparseable date: "Apr 1, 2009")
I will see that later...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12698072#action_12698072 ]

Ashish Nagar commented on OFBIZ-2260:
-------------------------------------

Hello CJ,

Sorry for not getting a chance to reply in past 2 days over here. I have seen your patch, and think it the correct way, as there can not be any duplicate Id. I apologize, as I was looking the link {quote} <a href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${currentCustomTimePeriod.customTimePeriodId}</@ofbizUrl>'> {quote} that is outside the list.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12698072#action_12698072 ]

Ashish Nagar edited comment on OFBIZ-2260 at 4/11/09 4:27 AM:
--------------------------------------------------------------

Hello CJ,

Sorry for not getting a chance to reply in past 2 days over here. I have seen your patch, and think it the correct way, as there can not be any duplicate Id. I apologize, as I was looking the link  <a href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${currentCustomTimePeriod.customTimePeriodId}</@ofbizUrl>'>, that is outside the list.

      was (Author: ashish.nagar):
    Hello CJ,

Sorry for not getting a chance to reply in past 2 days over here. I have seen your patch, and think it the correct way, as there can not be any duplicate Id. I apologize, as I was looking the link {quote} <a href='<@ofbizUrl>deleteCustomTimePeriod?customTimePeriodId=${currentCustomTimePeriod.customTimePeriodId}</@ofbizUrl>'> {quote} that is outside the list.
 
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12698073#action_12698073 ]

Ashish Nagar commented on OFBIZ-2260:
-------------------------------------

Hello Jacques,

I have seen your comment in r764077. Thanks for making it more clear. But, was just wondering why should not we send send parameters as post for urls which are not calling service? May be I have put a silly question here. Please put some light on this.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12698076#action_12698076 ]

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

Hi Ashish,

The answer is in comments above from David (no need) and CJ (issues in orderview)

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-2260:
-----------------------------------

    Attachment: EditProductFeatures.ftl.patch

Attached a patch for the issue Rohit found. I was ready to comit and close this issue following my comment in r764077 but my patch is not working and I don't understand why (Firebug says that document.RemoveFeatureFromProduct_o_i does not exist but I can see it, so ???)

When this patch will be commited, I will close this issue and will try to come with a tool that allows to list all changes to be done...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12698370#action_12698370 ]

Rohit Sureka commented on OFBIZ-2260:
-------------------------------------

There is another URL:

https://www.example.com/facility/control/updateShipmentPackage?shipmentId=10012&shipmentPackageSeqId=00001&weight=&weightUomId=&shipmentBoxTypeId=FXENV&insuredValue=

This is when, quich ship is used and later we attempt to change the shipment box type under the 'packages' tab.

Rohit


--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12700894#action_12700894 ]

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&amp;hideFields=Y&amp;partyId=${partyId}&amp;viewIndex=1&amp;viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>

<a href="/ordermgr/control/searchorders?lookupFlag=Y&amp;hideFields=Y&amp;partyId=${partyRow.partyId + externalKeyParam}&amp;viewIndex=1&amp;viewSize=20">${uiLabelMap.OrderOrders}</a>

I will see later, I continue to look at error.log, to see how much we can get from here...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12700897#action_12700897 ]

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

Another one in error.log

2009-04-19 13:49:51,262 (TP-Processor17) [     RequestHandler.java:399:ERROR] Request createOrderAdjustment caused an error with the following message: Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [orderId] passed to secure (https) request-map with uri [createOrderAdjustment] with an event that calls service [createOrderAdjustment]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.

but this one is another exception : (paramString contains orderId...)

            <form name="addAdjustmentForm" method="post" action="<@ofbizUrl>createOrderAdjustment?${paramString}</@ofbizUrl>">




--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12701144#action_12701144 ]

Jacques Le Roux commented on OFBIZ-2260:
----------------------------------------

I finally commited EditProductFeatures.ftl.patch at revision: 767127  
I was only an issue with Firebug :(

I will (hopefully) fix the 3 others and will close as I said... This kind of issue where actually there are several issues always ends as a mess !
You can't have several issues in a solz issue. We should open a sub task for each even if it seems heavy at start, after it proves beneficial.
Lesson learned...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

     [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-2260.
----------------------------------

    Resolution: Fixed

Closing and opening a main task with subtasks for each new case reported

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

    [ https://issues.apache.org/jira/browse/OFBIZ-2260?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12701145#action_12701145 ]

Jacques Le Roux edited comment on OFBIZ-2260 at 5/2/09 5:22 AM:
----------------------------------------------------------------

Closing and opening a main task with subtasks for each new case reported : OFBIZ-2330

      was (Author: jacques.le.roux):
    Closing and opening a main task with subtasks for each new case reported
 
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.