Author: jonesde
Date: Sun Mar 8 19:48:00 2009
New Revision: 751510
URL:
http://svn.apache.org/viewvc?rev=751510&view=rev
Log:
Added comment about GET vs POST in this case; all requests that have events that call services should use POST with body parameters
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL:
http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=751510&r1=751509&r2=751510&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Sun Mar 8 19:48:00 2009
@@ -41,6 +41,7 @@
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;
import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilGenerics;
import org.ofbiz.base.util.UtilHttp;
import org.ofbiz.base.util.UtilProperties;
import org.ofbiz.base.util.UtilValidate;
@@ -164,7 +165,7 @@
List<FileItem> uploadedItems = null;
try {
- uploadedItems = upload.parseRequest(request);
+ uploadedItems = UtilGenerics.<FileItem>checkList(upload.parseRequest(request));
} catch (FileUploadException e) {
throw new EventHandlerException("Problems reading uploaded data", e);
}
@@ -270,7 +271,8 @@
Debug.logWarning(errMsg, module);
throw new EventHandlerException(errMsg);
}
- // TODO: may want to allow parameters that map to entity PK fields to be in the URL, but that might be a big security hole since there are certain security sensitive entities that are made of only PK fields, or that only need PK fields to function (like UserLoginSecurityGroup)
+ // NOTTODO: may want to allow parameters that map to entity PK fields to be in the URL, but that might be a big security hole since there are certain security sensitive entities that are made of only PK fields, or that only need PK fields to function (like UserLoginSecurityGroup)
+ // NOTTODO: we could allow URL parameters when it is not a POST (ie when !request.getMethod().equalsIgnoreCase("POST")), but that would open a security hole where sensitive parameters can be passed on the URL in a GET/etc and bypass this security constraint
}
// use the rawParametersMap from UtilHttp in order to also get pathInfo parameters, do canonicalization, etc
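Review bot: The two added comments document a security invariant, but the `NOTTODO` tag still contains the substring `TODO`, so IDEs and TODO-scanning tools will keep listing these lines as open work and a later cleanup could "resolve" them by relaxing the check. I would mark them so the intent is unmistakable, e.g. `// SECURITY NOTE (intentional, do not relax): parameters that map to entity PK fields must not be accepted from the URL ...` and `// SECURITY NOTE (intentional, do not relax): do not exempt non-POST requests from this check; GET/etc. would let sensitive parameters be passed on the URL and bypass it`. The `if` whose body these comments sit in begins before the hunk, so I cannot see the condition itself; since the servlet `request.getParameter` API merges query-string and body parameters, the comment might also state that the URL-vs-body distinction must be made from the query string (or the rawParametersMap mentioned on the next line), not from the merged parameter view — worth confirming against the check above.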