Secure targets in widget forms
------------------------------
Key: OFBIZ-2449
URL: https://issues.apache.org/jira/browse/OFBIZ-2449
Project: OFBiz
Issue Type: Sub-task
Components: ALL COMPONENTS
Affects Versions: Release Branch 9.04, SVN trunk
Reporter: Jacques Le Roux
Fix For: Release Branch 9.04, SVN trunk
We have also targets with params in URL in forms, despite it's already using
POST action
Look for <<form(.*)target=(.*)\?(.*)=(.*)>> (24 instances) and
<<form(.*)\R(.*)target=(.*)\?(.*)=(.*)>> ( 23 instances) in *form*.xml.
An easy example to use is ListPhysicalInventory.
So we should extend the param-name scheme to forms widget also.
Maybe some targets are not calling services and so are not real threats (no
changes possible in DB). But we have already chosen to change all hyperlinks in
the same case and not to try to filter them.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
