I found this one in error.log on demo server
--------------------------------------------

                 Key: OFBIZ-2332
                 URL: https://issues.apache.org/jira/browse/OFBIZ-2332
             Project: OFBiz
          Issue Type: Sub-task
            Reporter: Jacques Le Roux


I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>

I will see later, I continue to look at error.log, to see how much we can get from here...

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

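As an added example (not part of the original thread or of OFBiz): a small Python triage script for the ServiceEventHandler error quoted above, grouping occurrences by request URI, parameter and service so that each offending link can be tracked down in the templates. It assumes one event per log line; the sample lines are constructed, and `exampleRequest`, `exampleService` and the session ids are hypothetical values.

```python
import re
from collections import Counter

# Matches the ServiceEventHandler error quoted in the issue (one event per line assumed).
EVENT = re.compile(
    r"\[ServiceEventHandler\.java:\d+:ERROR\].*?"
    r"Found URL parameter \[(?P<param>[^\]]+)\] passed to secure \(https\) "
    r"request-map with uri \[(?P<uri>[^\]]+)\] "
    r"with an event that calls service \[(?P<service>[^\]]+)\]"
)
SESSION = re.compile(r"In session \[[^\]]*\]")

def parse(line):
    """Return (uri, parameter, service) for a matching line, else None."""
    m = EVENT.search(line)
    return (m["uri"], m["param"], m["service"]) if m else None

def summarize(lines):
    """Count occurrences per (uri, parameter, service), most frequent first."""
    counts = Counter(key for key in map(parse, lines) if key)
    return counts.most_common()

def redact(line):
    """Mask the session id so a line can be pasted into a ticket."""
    return SESSION.sub("In session [REDACTED]", line)

# Constructed sample input modelled on the log line in the issue.
# exampleRequest / exampleService and the session ids are made up.
TEMPLATE = (
    "{ts} (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== "
    "Found URL parameter [{param}] passed to secure (https) request-map with uri "
    "[{uri}] with an event that calls service [{service}]; this is not allowed "
    "for security reasons! The data should be encrypted by making it part of the "
    "request body (a form field) instead of the request URL.; In session [{sid}]; "
    "Note that this can be changed using the "
    "service.http.parameters.require.encrypted property in the url.properties file"
)
SAMPLE_LOG = [
    TEMPLATE.format(ts="2009-04-19 16:10:30,520", param="partyId",
                    uri="searchorders", service="findOrders", sid="AAAA1111.jvm1"),
    TEMPLATE.format(ts="2009-04-19 16:12:02,114", param="partyId",
                    uri="searchorders", service="findOrders", sid="BBBB2222.jvm1"),
    TEMPLATE.format(ts="2009-04-19 16:15:47,003", param="orderId",
                    uri="exampleRequest", service="exampleService", sid="CCCC3333.jvm1"),
    "2009-04-19 16:16:00,000 (TP-Processor3) [Example.java:1:INFO] unrelated line",
]

if __name__ == "__main__":
    for (uri, param, service), n in summarize(SAMPLE_LOG):
        print(f"{n:3d}  uri={uri}  param={param}  service={service}")
```
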
[ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12701179#action_12701179 ]

Jacques Le Roux commented on OFBIZ-2332:
----------------------------------------

Mmm, findOrders.ftl is not easy to transform. Actually there are not 2 cases but 5. This would not be a problem if moreover there was not
* use of ${paramList} (a string containing all information, i.e. search param names and values)
* a JavaScript lookupOrders() function related to searchorders calls
In a 1st pass I will reduce the complexity. If someone has a better idea please chime in... Maybe we should rewrite all...

[ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacopo Cappellato updated OFBIZ-2332:
-------------------------------------

          Component/s: order
    Affects Version/s: SVN trunk
                       Release Branch 9.04
        Fix Version/s: SVN trunk
                       Release Branch 9.04
              Summary: searchorders security related error  (was: I found this one in error.log on demo server)

[ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12701694#action_12701694 ]

Jacques Le Roux commented on OFBIZ-2332:
----------------------------------------

The decision on ML is to rewrite all. More work but certainly the better solution...

[ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-2332:
-----------------------------------

    Description:
I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>

  was:
I found this one in error.log on demo server

2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file

2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>

I will see later, I continue to look at error.log, to see how much we can get from here...

[ https://issues.apache.org/jira/browse/OFBIZ-2332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-2332.
----------------------------------

    Resolution: Fixed
      Assignee: Jacques Le Roux

This has been fixed in both trunk and R9.04