Author: jonesde
Date: Mon Mar 23 04:40:23 2009
New Revision: 757316
URL: http://svn.apache.org/viewvc?rev=757316&view=rev
Log:
Changed back to throw an exception when a non-body parameter is passed to a secure request that calls a service as an event; now that we have the Form Widget and form defs fixed up to handle these better it should be fine for most things, but chances are there are some links in FTL files that will still be broken and will need to be manually fixed; with this we can look forward to more issues and questions/comments on the mailing list, but this also makes it a lot more secure and pretty difficult to spoof one of these requests (will have to hack HTTPS and encrypt the body to do so)
Modified:
ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
Modified: ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java
URL: http://svn.apache.org/viewvc/ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java?rev=757316&r1=757315&r2=757316&view=diff
==============================================================================
--- ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java (original)
+++ ofbiz/trunk/framework/webapp/src/org/ofbiz/webapp/event/ServiceEventHandler.java Mon Mar 23 04:40:23 2009
@@ -268,8 +268,9 @@
if (requestMap != null && requestMap.securityHttps) {
if (urlOnlyParameterNames.contains(name)) {
String errMsg = "Found URL parameter [" + name + "] passed to secure (https) request-map with uri [" + requestMap.uri + "] with an event that calls service [" + serviceName + "]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body instead of the request URL.";
- Debug.logWarning("=============== " + errMsg, module);
- // TODO: restore this once more issues with existing links, like Delete links in forms, are resolved, for now just log warnings: throw new EventHandlerException(errMsg);
+ Debug.logError("=============== " + errMsg + "; In session [" + session.getId() + "]", module);
+ // NOTE: this forces service call event parameters to be in the body and not in the URL! can be issues with existing links, like Delete links or whatever, and those need to be changed to forms!
+ throw new EventHandlerException(errMsg);
}
// NOTTODO: may want to allow parameters that map to entity PK fields to be in the URL, but that might be a big security hole since there are certain security sensitive entities that are made of only PK fields, or that only need PK fields to function (like UserLoginSecurityGroup)
// NOTTODO: we could allow URL parameters when it is not a POST (ie when !request.getMethod().equalsIgnoreCase("POST")), but that would open a security hole where sensitive parameters can be passed on the URL in a GET/etc and bypass this security constraint
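Review bot: The added Debug.logError line appends the full session.getId() to the message, so every rejected request writes a live session identifier into the error log, which turns the log into a store of session credentials. Log a truncated or hashed form of the ID instead; that is still enough to correlate entries for one session. Separately, errMsg names the parameter, the request-map URI and the service, and it is now passed to EventHandlerException: confirm that the exception message is not rendered back to the client, or throw a generic message and keep the detail in the log only. The check also sits inside the requestMap.securityHttps condition, so the NOTE comment should say that request-maps without https set are not covered by it.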