svn commit: r751510 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java


svn commit: r751510 - /ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

jonesde
Author: jonesde
Date: Sun Mar  8 19:48:00 2009
New Revision: 751510

URL: http://svn.apache.org/viewvc?rev=751510&view=rev
Log:
Added a comment about GET vs POST in this case: all requests whose events call services should use POST with the parameters in the request body.

Modified:
    ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java

Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=751510&r1=751509&r2=751510&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Sun Mar  8 19:48:00 2009
@@ -41,6 +41,7 @@
 import org.apache.commons.fileupload.disk.DiskFileItemFactory;
 import org.apache.commons.fileupload.servlet.ServletFileUpload;
 import org.ofbiz.base.util.Debug;
+import org.ofbiz.base.util.UtilGenerics;
 import org.ofbiz.base.util.UtilHttp;
 import org.ofbiz.base.util.UtilProperties;
 import org.ofbiz.base.util.UtilValidate;
@@ -164,7 +165,7 @@
 
             List<FileItem> uploadedItems = null;
             try {
-                uploadedItems = upload.parseRequest(request);
+                uploadedItems = UtilGenerics.<FileItem>checkList(upload.parseRequest(request));
             } catch (FileUploadException e) {
                 throw new EventHandlerException("Problems reading uploaded data", e);
             }
@@ -270,7 +271,8 @@
                             Debug.logWarning(errMsg, module);
                             throw new EventHandlerException(errMsg);
                         }
-                        // TODO: may want to allow parameters that map to entity PK fields to be in the URL, but that might be a big security hole since there are certain security sensitive entities that are made of only PK fields, or that only need PK fields to function (like UserLoginSecurityGroup)
+                        // NOTTODO: may want to allow parameters that map to entity PK fields to be in the URL, but that might be a big security hole since there are certain security sensitive entities that are made of only PK fields, or that only need PK fields to function (like UserLoginSecurityGroup)
+                        // NOTTODO: we could allow URL parameters when it is not a POST (ie when !request.getMethod().equalsIgnoreCase("POST")), but that would open a security hole where sensitive parameters can be passed on the URL in a GET/etc and bypass this security constraint
                     }
                     
                     // use the rawParametersMap from UtilHttp in order to also get pathInfo parameters, do canonicalization, etc
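Review bot: The two `NOTTODO` comments closing the if-block record a security decision under a non-standard tag on two very long lines, and they describe the relaxations that were rejected rather than the rule the check above enforces (the check itself begins above the hunk, so I can only infer it from the comments). I would replace them with one `// SECURITY NOTE:` block, wrapped to the file's line width, that states the rule positively: parameters mapping to service attributes are taken only from the request body, never from the URL, regardless of HTTP method, and both relaxations (PK-only fields, non-POST requests) were considered and rejected because they would let sensitive values such as UserLoginSecurityGroup fields be supplied on a GET. It is also worth saying explicitly that this is a URL-parameter restriction and not a CSRF defense, since a POST body can still be produced by a cross-site form; otherwise a later reader may assume the constraint covers both.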