Hi Jacques,

In a small way it does hurt because whenever we use "post" instead of "get" the 
user will be prompted "do you want to submit the form again?" when they click 
the back button on the browser to go back to one of those screens.

But yeah I wouldn't rely on searching alone unless you are willing to check 
each target before altering it.

Regards
Scott

On 7/06/2010, at 7:44 PM, Jacques Le Roux wrote:

> I quickly used regex S/R. I wrongly put the 2 orderview (I removed a lot 
> more) but thought the others were real actions as they have Edit as prefix in 
> their names. Actually I did not check if they were calling an event. I just 
> did and you are right.
> 
> Anyway it does not hurt, and it's finally a good thing that I did not find 
> any real issues :o). I think I should not care anymore. Because if we let 
> some get through they will be detected and signaled as to be reported as a 
> child of OFBIZ-2330 (even if they don't use FTL, but I did not check that 
> either, I suppose it's right since for one year now we got any new issue)
> 
> One worry less, great!
> 
> Jacques
> 
> Scott Gray wrote:
>> On second look there were no targets in this commit that needed to be 
>> secured.
>> 
>> Regards
>> Scott
>> 
>> On 7/06/2010, at 7:18 PM, Scott Gray wrote:
>> 
>>> Quite a few of those links don't actually look like they needed to be 
>>> secured i.e. there is no event attached to that uri,
>>> orderview for example.
>>> 
>>> Regards
>>> Scott
>>> 
>>> HotWax Media
>>> http://www.hotwaxmedia.com
>>> 
>>> On 7/06/2010, at 7:02 PM, jler...@apache.org wrote:
>>> 
>>>> Author: jleroux
>>>> Date: Mon Jun  7 07:02:02 2010
>>>> New Revision: 952119
>>>> 
>>>> URL: http://svn.apache.org/viewvc?rev=952119&view=rev
>>>> Log:
>>>> Secure some targets. Note that they have been introduced since OFBIZ-2243 
>>>> has been closed.
>>>> Committers, please use only targets with the parameter attribute (not in the URL) 
>>>> for link and hyperlink fields when there is an action
>>>> (i.e. DB modification)
>>>> 
>>>> Modified:
>>>>  ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>>  ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>>  ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>>  ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>>  ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>>  ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>  ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>> 
>>>> Modified: ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml (original) +++
>>>> ofbiz/trunk/applications/accounting/widget/InvoiceForms.xml Mon Jun  7 
>>>> 07:02:02 2010 @@ -215,7 +215,12 @@ under the License.
>>>>       <field name="paymentId"><hyperlink 
>>>> target="paymentOverview?paymentId=${paymentId}" 
>>>> description="${paymentId}"/></field>
>>>>       <field name="amount"><display type="currency" 
>>>> currency="${currencyUomId}"/></field>
>>>>       <field name="origAmount"><display type="currency" 
>>>> currency="${origCurrencyUomId}"/></field>
>>>> -        <field name="acctgTransId"><hyperlink 
>>>> description="${acctgTransId}"
>>>> target="EditAcctgTrans?acctgTransId=${acctgTransId}&amp;organizationPartyId=${organizationPartyId}"/></field>
>>>>  +        <field
>>>> name="acctgTransId"> +            <hyperlink description="${acctgTransId}" 
>>>> target="EditAcctgTrans">
>>>> +                <parameter param-name="acctgTransId" 
>>>> from-field="acctgTransId"/>
>>>> +                <parameter param-name="organizationPartyId" 
>>>> from-field="organizationPartyId"/>
>>>> +            </hyperlink>
>>>> +        </field>
>>>>       <field name="acctgTransTypeId" 
>>>> title="${uiLabelMap.FormFieldTitle_acctgTransType}"><display-entity
>>>>       entity-name="AcctgTransType"/></field> <field name="glJournalId"
>>>>       title="${uiLabelMap.FormFieldTitle_glJournal}"><display-entity 
>>>> entity-name="GlJournal"
>>>> description="${glJournalName}"/></field> <field name="glAccountTypeId"
>>>> title="${uiLabelMap.FormFieldTitle_glAccountType}"><display-entity 
>>>> entity-name="GlAccountType"/></field>
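Review bot: the rule the commit message sets (convert only targets that perform an action, i.e. a DB modification) is not shown to hold for `EditAcctgTrans` anywhere in this hunk, and Scott's reply above notes that an Edit prefix alone is no evidence that an event is attached; check the accounting controller mapping before converting. If the target only renders a view, the conversion buys nothing and adds the "submit the form again?" prompt on the browser back button that Scott describes. The untouched `target="paymentOverview?paymentId=${paymentId}"` link in the context is the right treatment for a pure view.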
>>>> 
>>>> Modified: 
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml 
>>>> (original) +++
>>>> ofbiz/trunk/applications/accounting/widget/PaymentGatewayConfigForms.xml 
>>>> Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@ under the
>>>>       License. <auto-fields-entity entity-name="PaymentGatewayConfig" 
>>>> default-field-type="display"/>
>>>>       <field name="paymentGatewayConfigId"><hidden/></field>
>>>>       <field name="description" 
>>>> title="${uiLabelMap.AccountingPaymentGatewayConfigDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditPaymentGatewayConfig?paymentGatewayConfigId=${paymentGatewayConfigId}"/>
>>>>  +            <hyperlink
>>>> description="${description}" target="EditPaymentGatewayConfig"> +          
>>>>       <parameter param-name="paymentGatewayConfigId"
>>>> from-field="paymentGatewayConfigId"/> +            </hyperlink>
>>>>       </field>
>>>>       <field name="paymentGatewayConfigTypeId" 
>>>> title="${uiLabelMap.AccountingPaymentGatewayConfigTypeId}">
>>>>           <display-entity entity-name="PaymentGatewayConfigType" 
>>>> key-field-name="paymentGatewayConfigTypeId"
>>>> description="${description}"/> @@ -385,7 +387,9 @@ under the License.
>>>>       <auto-fields-entity entity-name="PaymentGatewayConfigType" 
>>>> default-field-type="display"/>
>>>>       <field name="paymentGatewayConfigTypeId"><hidden/></field>
>>>>       <field name="description" 
>>>> title="${uiLabelMap.AccountingPaymentGatewayConfigTypeDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditPaymentGatewayConfigType?paymentGatewayConfigTypeId=${paymentGatewayConfigTypeId}"/>
>>>>  +            <hyperlink
>>>> description="${description}" target="EditPaymentGatewayConfigType"> + 
>>>> <parameter param-name="paymentGatewayConfigTypeId"
>>>> from-field="paymentGatewayConfigTypeId"/> + </hyperlink>
>>>>       </field>
>>>>   </form>
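Review bot: the same check applies to `EditPaymentGatewayConfig` (hunk -50) and `EditPaymentGatewayConfigType` (hunk -385): both links live in auto-fields display forms and nothing in these hunks shows the targets firing an event, so confirm the controller mapping before keeping the change. The parameter wiring itself is consistent, since `from-field="paymentGatewayConfigId"` reads the same row field the form already renders as `<hidden/>`. The identical pair of changes to ShipmentGatewayConfigForms.xml further down needs the same confirmation.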
>>>> 
>>>> 
>>>> Modified: 
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml 
>>>> (original) +++
>>>> ofbiz/trunk/applications/order/widget/ordermgr/OrderEntryForms.xml Mon Jun 
>>>>  7 07:02:02 2010 @@ -199,7 +199,9 @@ under the
>>>>   License. <form name="LookupAssociatedProducts" type="multi" 
>>>> use-row-submit="true" list-name="productList" title=""
>>>>       target="BulkAddProducts" paginate-target="LookupAssociatedProducts" 
>>>> default-title-style="tableheadtext"
>>>>       default-widget-style="inputBox" default-tooltip-style="tabletext"> 
>>>> <field name="productId"
>>>> title="${uiLabelMap.ProductProductId}" widget-style="buttontext"> -        
>>>>     <hyperlink description="${productId}"
>>>> target="/catalog/control/EditProductInventoryItems?productId=${productId}" 
>>>> target-type="inter-app"/> +            <hyperlink
>>>> description="${productId}" 
>>>> target="/catalog/control/EditProductInventoryItems" 
>>>> target-type="inter-app"> + <parameter
>>>> param-name="productId" from-field="productId"/> + </hyperlink>
>>>>       </field>
>>>>       <field name="brandName" 
>>>> title="${uiLabelMap.ProductBrandName}"><display/></field>
>>>>       <field name="internalName"><display/></field>
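Review bot: this hyperlink sits inside `<form name="LookupAssociatedProducts" type="multi" use-row-submit="true" ... target="BulkAddProducts">`, which is itself a submittable form. Since the point of the conversion (per the commit message and Scott's reply) is that the row link now submits its parameters instead of following a GET URL, and HTML does not allow a form nested inside another form, verify in the rendered page that the per-row link to `EditProductInventoryItems` still works and does not break the enclosing multi form's own submit. Also confirm that `EditProductInventoryItems` is an action target rather than a view before keeping this hunk.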
>>>> 
>>>> Modified: 
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml 
>>>> (original) +++
>>>> ofbiz/trunk/applications/party/widget/partymgr/CommunicationEventForms.xml 
>>>> Mon Jun  7 07:02:02 2010 @@ -287,7 +287,9 @@ under
>>>>       the License. <field name="communicationEventId"><display/></field>
>>>>       <field name="contactListId" use-when="contactListId!=null">
>>>>           <display-entity entity-name="ContactList" 
>>>> description="${contactListName}">
>>>> -                <sub-hyperlink 
>>>> target="/marketing/control/EditContactList?contactListId=${communicationEvent.contactListId}"
>>>> description="[${communicationEvent.contactListId}]" 
>>>> target-type="inter-app"/> +                <sub-hyperlink
>>>> target="/marketing/control/EditContactList" 
>>>> description="[${communicationEvent.contactListId}]" 
>>>> target-type="inter-app"> +
>>>> <parameter param-name="contactListId" 
>>>> from-field="communicationEvent.contactListId"/> +            
>>>> </sub-hyperlink>
>>>>           </display-entity>
>>>>       </field>
>>>>       <field name="partyIdFrom" use-when="&quot;my&quot;==void" 
>>>> title="${uiLabelMap.PartyPartyFrom}">
>>>> @@ -470,7 +472,9 @@ under the License.
>>>>           </service>
>>>>       </actions>
>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}">
>>>> -            <hyperlink 
>>>> target="/ordermgr/control/orderview?orderId=${orderId}" 
>>>> description="${orderId}"
>>>> target-type="inter-app"/> +            <hyperlink 
>>>> target="/ordermgr/control/orderview" description="${orderId}"
>>>> target-type="inter-app"> +                <parameter param-name="orderId" 
>>>> from-field="orderId"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="communicationEventId">
>>>>           <hyperlink description="${communicationEventId}" 
>>>> target="ViewCommunicationEvent">
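Review bot: `/ordermgr/control/orderview` is a read-only view with no event attached, as Scott points out above and Jacques concedes, so by the commit's own rule this hunk (and the identical orderview change in hunk -1022 below) should be reverted to the plain `target="/ordermgr/control/orderview?orderId=${orderId}"` form; a view link gains nothing from submitting its parameters and only picks up the back-button re-submit prompt Scott describes.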
>>>> @@ -1022,7 +1026,9 @@ under the License.
>>>>           <set field="orderTypeId" from-field="orderHeader.orderTypeId"/>
>>>>       </row-actions>
>>>>       <field name="orderId" title="${uiLabelMap.FormFieldTitle_orderId}" 
>>>> widget-style="buttontext">
>>>> -            <hyperlink 
>>>> target="/ordermgr/control/orderview?orderId=${orderId}" 
>>>> description="${orderId}"
>>>> target-type="inter-app"/> +            <hyperlink 
>>>> target="/ordermgr/control/orderview" description="${orderId}"
>>>> target-type="inter-app"> +                <parameter param-name="orderId" 
>>>> from-field="orderId"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="communicationEventId"><hidden/></field>
>>>>       <field name="orderTypeId" title="${uiLabelMap.OrderOrderType}">
>>>> 
>>>> Modified: ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml 
>>>> (original) +++
>>>> ofbiz/trunk/applications/product/widget/catalog/ProductForms.xml Mon Jun  
>>>> 7 07:02:02 2010 @@ -1997,7 +1997,9 @@ under the
>>>> License.
>>>> 
>>>>   <form name="ListCommEvents" list-name="communicationEvents" type="list" 
>>>> header-row-style="header-row"
>>>>       default-table-style="basic-table"> <field 
>>>> name="communicationEventId" widget-style="buttontext">
>>>> -            <hyperlink description="${communicationEventId}"
>>>> target="/partymgr/control/EditCommunicationEvent?communicationEventId=${communicationEventId}"
>>>>  target-type="inter-app"/> +
>>>> <hyperlink description="${communicationEventId}" 
>>>> target="/partymgr/control/EditCommunicationEvent" target-type="inter-app"> 
>>>> +
>>>> <parameter param-name="communicationEventId" 
>>>> from-field="communicationEventId"/> + </hyperlink>
>>>>       </field>
>>>>       <field name="subject"><display/></field>
>>>>       <field name="communicationEventTypeId"><display-entity 
>>>> description="${description}" entity-name="CommunicationEventType"
>>>> key-field-name="communicationEventTypeId"/></field>
>>>> 
>>>> Modified: 
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>  (original) +++
>>>> ofbiz/trunk/applications/product/widget/facility/ShipmentGatewayConfigForms.xml
>>>>  Mon Jun  7 07:02:02 2010 @@ -50,7 +50,9 @@
>>>>       under the License. <auto-fields-entity 
>>>> entity-name="ShipmentGatewayConfig" default-field-type="display"/>
>>>>       <field name="shipmentGatewayConfigId"><hidden/></field>
>>>>       <field name="description" 
>>>> title="${uiLabelMap.FacilityShipmentGatewayConfigDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditShipmentGatewayConfig?shipmentGatewayConfigId=${shipmentGatewayConfigId}"/>
>>>>  +            <hyperlink
>>>> description="${description}" target="EditShipmentGatewayConfig"> +         
>>>>        <parameter
>>>> param-name="shipmentGatewayConfigId" 
>>>> from-field="shipmentGatewayConfigId"/> +            </hyperlink>
>>>>       </field>
>>>>       <field name="shipmentGatewayConfTypeId" 
>>>> title="${uiLabelMap.FacilityShipmentGatewayConfigTypeId}">
>>>>           <display-entity entity-name="ShipmentGatewayConfigType" 
>>>> key-field-name="shipmentGatewayConfTypeId"
>>>> description="${description}"/> @@ -313,7 +315,9 @@ under the License.
>>>>       <auto-fields-entity entity-name="ShipmentGatewayConfigType" 
>>>> default-field-type="display"/>
>>>>       <field name="shipmentGatewayConfTypeId"><hidden/></field>
>>>>       <field name="description" 
>>>> title="${uiLabelMap.FacilityShipmentGatewayConfigTypeDescription}">
>>>> -            <hyperlink description="${description}"
>>>> target="EditShipmentGatewayConfigType?shipmentGatewayConfTypeId=${shipmentGatewayConfTypeId}"/>
>>>>  +            <hyperlink
>>>> description="${description}" target="EditShipmentGatewayConfigType"> +     
>>>>            <parameter
>>>> param-name="shipmentGatewayConfTypeId" 
>>>> from-field="shipmentGatewayConfTypeId"/> +            </hyperlink>
>>>>       </field>
>>>>   </form>
>>>> 
>>>> 
>>>> Modified: 
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml
>>>> URL:
>>>> http://svn.apache.org/viewvc/ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml?rev=952119&r1=952118&r2=952119&view=diff
>>>> ==============================================================================
>>>>  ---
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml 
>>>> (original) +++
>>>> ofbiz/trunk/specialpurpose/projectmgr/widget/forms/ProjectForms.xml Mon 
>>>> Jun  7 07:02:02 2010 @@ -340,7 +340,9 @@
>>>>       <field name="estimatedStartDate" 
>>>> title="${uiLabelMap.WorkEffortEstimatedStartDate}"><date-time 
>>>> type="date"/></field>
>>>>       <field name="estimatedCompletionDate" 
>>>> title="${uiLabelMap.WorkEffortEstimatedCompletionDate}"><date-time
>>>>       type="date"/></field> <field name="edit" title=" ">
>>>> -            <hyperlink target="EditTask?workEffortId=${workEffortId}" 
>>>> description="${uiLabelMap.CommonEdit}"/>
>>>> +            <hyperlink target="EditTask" 
>>>> description="${uiLabelMap.CommonEdit"}>
>>>> +                <parameter param-name="workEffortId" 
>>>> from-field="workEffortId}"/>
>>>> +            </hyperlink>
>>>>       </field>
>>>>       <field name="submitButton" 
>>>> title="${uiLabelMap.CommonUpdate}"><submit button-type="button"/></field>
>>>>   </form> 
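Review bot: two typos in the added lines will break this form: `description="${uiLabelMap.CommonEdit"}>` closes the attribute quote before the closing brace, and `from-field="workEffortId}"/>` carries a stray `}`. They should read `description="${uiLabelMap.CommonEdit}">` and `from-field="workEffortId"/>`; the task list is worth rendering once after the fix, since this is the only hunk in the commit with a malformed attribute.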
> 
> 
