Uploaded image for project: 'OFBiz'
  1. OFBiz
  2. OFBIZ-2330 Main task for securing URLs in Freemarker templates files
  3. OFBIZ-9804

Link in verification email for Newsletter gives security error

    XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Release Branch 16.11, Trunk
    • 17.12.01, 18.12.01, 18.12.14
    • ecommerce
    • None
    • Bug Crush Event - 21/2/2015

    Description

      Steps to generate:
      1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
      2. In "Sign Up For Contact List" panel from the left menu, select Newsletter, provide email and click on subscribe button.(Here you should have email configuration to receive email)
      3. Click on the verification link in the email.
      It gives following error message

      The Following Errors Occurred:

      Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [contactListId] passed to secure (https) request-map with uri [updateContactListPartyNoUserLogin] with an event that calls service [updateContactListPartyNoUserLogin]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thank you in advance for your help.

      Try with the trunk link:
      https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010

      Stable 16 link:
      https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010

      Attachments

        1. screenshot-1.png
          306 kB
          Aditya Sharma

        Activity

          People

            jleroux Jacques Le Roux
            adityasharma Aditya Sharma
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: