[ https://issues.apache.org/jira/browse/OFBIZ-2449?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux closed OFBIZ-2449.
----------------------------------
Assignee: Jacques Le Roux
Fix Version/s: Release Branch 10.04, jQuery
Resolution: Not A Problem
I checked: these are all multi or upload forms (which are handled with hidden fields) or
events without services called.
I'm happy with that; it was a long-standing issue and now I'm pretty sure there
aren't any issues of this type in OFBiz at all.
I think we should also close OFBIZ-1959 but I did not check into details...
> Secure targets in widget forms
> ------------------------------
>
> Key: OFBIZ-2449
> URL: https://issues.apache.org/jira/browse/OFBIZ-2449
> Project: OFBiz
> Issue Type: Sub-task
> Components: ALL COMPONENTS
> Affects Versions: Release Branch 09.04, SVN trunk
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Fix For: Release Branch 09.04, Release Branch 10.04, jQuery, SVN trunk
>
>
> We also have targets with params in the URL in forms, despite them already using
> the POST action.
> In *form*.xml look for
> {code}
> <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances)
> <<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> (23 instances)
> {code}
> An easy example to use is ListPhysicalInventory.
> So we should extend the param-name scheme to the forms widget also.
> Maybe some targets are not calling services and so are not real threats (no
> changes possible in the DB). But we have already chosen to change all hyperlinks
> in the same case and not to try to filter them.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
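As an added example (not code from the issue or from OFBiz itself), the check the issue describes can be done with an XML parser instead of the regex grep: find form-widget `target` attributes that carry a query string, then move each parameter into a hidden field so it travels in the POST body rather than the URL, the pattern the closing comment says the remaining multi/upload forms already use. The sample XML below is constructed and the function names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of a *Forms.xml fragment (not real OFBiz content).
# The first form embeds parameters in its target, the second does not.
SAMPLE_FORMS_XML = """<forms>
  <form name="ListPhysicalInventory" type="list"
        target="updateInventory?facilityId=DEMO&amp;mode=1">
    <field name="productId"><text/></field>
  </form>
  <form name="EditProduct" type="single" target="updateProduct">
    <field name="productId"><hidden/></field>
  </form>
</forms>"""


def find_query_targets(xml_text):
    """Return [(form name, target path, [(param, value), ...])] for every
    <form> whose target embeds parameters after a '?'."""
    hits = []
    for form in ET.fromstring(xml_text).iter("form"):
        target = form.get("target", "")
        if "?" not in target:
            continue
        parts = urlsplit(target)
        params = parse_qsl(parts.query, keep_blank_values=True)
        hits.append((form.get("name"), parts.path, params))
    return hits


def move_params_to_hidden_fields(xml_text):
    """Rewrite each offending form: strip the query string from target and
    add one <field name=...><hidden value=.../></field> per parameter, so the
    values are POSTed with the rest of the form instead of sent in the URL."""
    root = ET.fromstring(xml_text)
    for form in root.iter("form"):
        target = form.get("target", "")
        if "?" not in target:
            continue
        parts = urlsplit(target)
        form.set("target", parts.path)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            field = ET.SubElement(form, "field", name=name)
            ET.SubElement(field, "hidden", value=value)
    return ET.tostring(root, encoding="unicode")
```

Running `find_query_targets` over a real `*Forms.xml` directory gives the same list the issue's grep produced, and `move_params_to_hidden_fields` shows the shape of the fix for forms that do need it.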