OFBIZ-9804: Link in verification email for Newsletter gives security error
Sub-task of OFBIZ-2330 (Main task for securing URLs in Freemarker templates files), project OFBiz


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Release Branch 16.11, Trunk
    • Fix Version/s: 18.12.01, 17.12.01
    • Component/s: ecommerce
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      Steps to generate:
      1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
      2. In the "Sign Up For Contact List" panel in the left menu, select Newsletter, provide an email address and click on the Subscribe button. (Here you should have email configuration set up to receive the email.)
      3. Click on the verification link in the email.
      It gives the following error message:

      The Following Errors Occurred:

      Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [contactListId] passed to secure (https) request-map with uri [updateContactListPartyNoUserLogin] with an event that calls service [updateContactListPartyNoUserLogin]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL. Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thank you in advance for your help.

      Try with the trunk link:
      https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010

      Stable 16 link:
      https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010
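The rule the error message states, as an added example in Python that is not code from this issue or from OFBiz: the RequestMap class is an assumed, simplified model of a controller request-map entry, and the link is the trunk verification link quoted above. It lists the query parameters such a secure, service-backed request would refuse and shows the same data split out as the body fields the message asks for instead.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass
class RequestMap:
    """Assumed, simplified model of a controller.xml request-map entry."""
    uri: str
    secure: bool                    # <security https="true">
    event_service: Optional[str]    # service name when the event is a service call


# The verification link quoted in the issue (trunk demo).
VERIFY_LINK = (
    "https://demo-trunk.ofbiz.apache.org/ecommerce/control/"
    "updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_"
    "&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED"
    "&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010"
)


def request_uri(url: str) -> str:
    """The last path segment is the request-map uri the controller dispatches to."""
    return urlsplit(url).path.rsplit("/", 1)[-1]


def rejected_url_params(url: str, rmap: RequestMap) -> list:
    """Names of query-string parameters the secure-request check would refuse.

    Rule as stated by the error: parameters in the URL of a secure (https)
    request-map whose event calls a service are not allowed; they must be
    sent as request-body (form) fields instead.
    """
    if request_uri(url) != rmap.uri or not rmap.secure or not rmap.event_service:
        return []
    return [name for name, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]


def as_form_post(url: str):
    """Split the link into a query-less action URL and the fields to POST in
    the body, which is what the error message asks for."""
    parts = urlsplit(url)
    action = parts._replace(query="").geturl()
    fields = dict(parse_qsl(parts.query, keep_blank_values=True))
    return action, fields
```

The same link against a request-map that is not secure, or whose event is not a service call, yields an empty rejection list, which is the other half of the rule.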

        Attachments

        1. screenshot-1.png (306 kB, uploaded by Aditya Sharma)


            People

            • Assignee: Jacques Le Roux (jleroux)
            • Reporter: Aditya Sharma (adityasharma)
            • Votes: 0
            • Watchers: 2
