Details
-
Sub-task
-
Status: Closed
-
Major
-
Resolution: Fixed
-
Release Branch 09.04, Trunk
-
None
-
Bug Crush Event - 21/2/2015
Description
I found this one in error.log on demo server
2009-04-19 16:10:30,520 (TP-Processor17) [ServiceEventHandler.java:399:ERROR] =============== Found URL parameter [partyId] passed to secure (https) request-map with uri [searchorders] with an event that calls service [findOrders]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.; In session [DF1819F1BFDCDFE831FD1ED3B5B2FE88.jvm1]; Note that this can be changed using the service.http.parameters.require.encrypted property in the url.properties file
2 cases
<a href="<@ofbizUrl>/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyId}&viewIndex=1&viewSize=20</@ofbizUrl>" class="buttontext">${uiLabelMap.OrderOtherOrders}</a>
<a href="/ordermgr/control/searchorders?lookupFlag=Y&hideFields=Y&partyId=${partyRow.partyId + externalKeyParam}&viewIndex=1&viewSize=20">${uiLabelMap.OrderOrders}</a>