Fiexd at r767102
Jacques
From: "Ashish Vijaywargiya" <ashish.vijaywarg...@hotwaxmedia.com>
Thanks David for your reply.
I am not worried about the nesting of one form with another.
I am thinking about the case when a form created in FTL has "Update" & "Delete" link (As I have both the option in my custom
form).
In your comment what do you mean by "but chances are there are some links in FTL files that will still be broken and will need to
be manually fixed;" ?
Does it mean that we may need to pass the values as hidden using <input> tag ?
If we do so then hidden values passed can be either used by "Update" or
"Delete".
Please take on the link I have referred in my previous email.
https://localhost:8443/catalog/control/EditCategoryParties?productCategoryId=CATALOG1
Here is the code snippet :
<td align="center">
<FORM method="post" action="<@ofbizUrl>updatePartyToCategory</@ofbizUrl>"
name="lineForm${line}">
<#assign hasExpired = false>
<#if (productCategoryRole.getTimestamp("thruDate"))?exists &&
(Static["org.ofbiz.base.util.UtilDateTime"].nowTimestamp().after(productCategoryRole.getTimestamp("thruDate")))> <#assign
hasExpired = true></#if>
<input type="hidden" name="productCategoryId"
value="${(productCategoryRole.productCategoryId)?if_exists}">
<input type="hidden" name="partyId"
value="${(productCategoryRole.partyId)?if_exists}">
<input type="hidden" name="roleTypeId"
value="${(productCategoryRole.roleTypeId)?if_exists}">
<input type="hidden" name="fromDate"
value="${(productCategoryRole.getTimestamp("fromDate"))?if_exists}">
<input type="text" size="25" name="thruDate" value="${(productCategoryRole.
getTimestamp("thruDate"))?if_exists}" <#if hasExpired> style="color: red;"</#if>>
<a href="javascript:call_cal(document.lineForm${line}.thruDate,
'${(productCategoryRole.getTimestamp("thruDate"))?default(nowTimestamp?string)}');"><img
src="<@ofbizContentUrl>/images/cal.gif</@ofbizContentUrl>" width="16" height="16" border="0" alt="Calendar"></a>
<INPUT type="submit" value="${uiLabelMap.CommonUpdate}"
style="font-size: x-small;">
</FORM>
</td>
<td align="center">
<a
href="<@ofbizUrl>removePartyFromCategory?productCategoryId=${(productCategoryRole.productCategoryId)?if_exists}&partyId=${(productCategoryRole.partyId)?if_exists}&roleTypeId=${(productCategoryRole.roleTypeId)?if_exists}&fromDate=${productCategoryRole.getString("fromDate")}</@ofbizUrl>"
class="buttontext">${uiLabelMap.CommonDelete}</a>
</td>
</tr>
When I clicks on the Delete link then it is giving following error :
The Following Errors Occurred:
Error calling event: org.ofbiz.webapp.event.EventHandlerException: Found URL parameter [productCategoryId] passed to secure
(https) request-map with uri [removePartyFromCategory] with an event that calls service [removePartyFromCategory]; this is not
allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the
request URL.
What should I do to solve this error ?
Thanks for your help in advance !
--
Ashish
David E Jones wrote:
I'm not sure I followed all of that... are you worried about having a form
nested within another form?
Yes, the forms will have to be outside the main form, but the links to those
forms can be inside the main form.
-David
On Apr 20, 2009, at 2:25 AM, Ashish Vijaywargiya wrote:
Hello David,
Below is your comments from rev no. 757316.
Changed back to throw an exception when a non-body parameter is passed to
a secure request that calls a service as an event; now that >>we have the
Form Widget and form defs fixed up to handle these better it should be fine
for most things, but chances are there are some >>links in FTL files that
will still be broken and will need to be manually fixed; with this we can
look forward to more issues and >>questions/comments on the mailing list,
but this also makes it a lot more secure and pretty difficult to spoof one
of these requests (will >>have to hack HTTPS and encrypt the body to do so)
Here you are saying that we may need to explicitly set the form values in
the FTL files. But how should we handle the case when we have "Delete" &
"Update" case on the list form that is build up using FTL file.
For Ex :
https://localhost:8443/catalog/control/EditCategoryParties?productCategoryId=CATALOG1
I have created form something similar to the above link but I am confused
how should I handle this case in which we have "Update" & "Delete" button.
It can be a stupid question but I tried my best to solve the problem
although didn't get success.
Thanks in advance for any help !
--
Ashish Vijaywargiya
On Sun, Apr 19, 2009 at 4:27 AM, David E Jones
<david.jo...@hotwaxmedia.com>wrote:
On Apr 18, 2009, at 4:48 AM, Jacques Le Roux wrote:
At
https://demo904.ofbiz.org/catalog/control/setUserPreference?userPrefGroupTypeId=GLOBAL_PREFERENCES&userPrefTypeId=COMPACT_HEADER&userPrefValue=Y
I get see this message.
Found URL parameter [userPrefTypeId] passed to secure (https) request-map
with uri [setUserPreference] with an event that calls service
[setUserPreference]; this is not allowed for security reasons! The data
should be encrypted by making it part of the request body (a form field)
instead of the request URL.
That particular is already fixed, and just hasn't updated yet.
I thought we gave up with this message (or just have it only in log?).
If a change had been made you would have seen it in the commit log... and
hopefully explicitly called out as such (it is unfortunate that we get so
many poorly written commit logs that don't even try to describe the changes
made...).
But I was just thinking about that yesterday and I think that we should
contunue to have it in trunk and not in 9.04. So we will be able to catch
them (before having a tool to list them all, I hope to work on that next
week) without disturbing 9.04 users
The main point of that error is to protect against XSRF attacks. Without
that error and not allowing the condition it checks there is nothing keeping
spoofed parameters from piggy-backing on a cloned encrypted request (or
caught and modified through a man-in-the-middle sort of attack).
Personally I'd rather see these fixed in both the release branch and in the
trunk, but if we get too many complaints about it in the release branch then
I'm totally fine disabling that constraint temporarily.
-David
