From: "Jacques Le Roux (Jira)"
To: notifications@ofbiz.apache.org
Reply-To: dev@ofbiz.apache.org
Date: Sun, 10 Nov 2019 10:08:00 +0000 (UTC)
Subject: [jira] [Closed] (OFBIZ-9804) Link in verification email for Newsletter gives security error

     [ https://issues.apache.org/jira/browse/OFBIZ-9804?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-9804.
----------------------------------
    Fix Version/s: 18.12.01
                   17.12.01
       Resolution: Fixed

Fixed in
trunk 045f97b
R18 8a0ae589
R17 ff75d41c

I changed ContactListEmailTemplate.ftl to also use GET. Because we don't want a form to ask, but only to hide parameters.

Handles the emails also in ecomseo after OFBIZ-11278

I have still to see why I get this message at the end of the process:
"Invalid verify code for the New Product Announcements"
i.e. when using the link in the last (3rd) email: "Subscribe Contact List New Product Announcements"

This will be another Jira..!

> Link in verification email for Newsletter gives security error
> --------------------------------------------------------------
>
>                 Key: OFBIZ-9804
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9804
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: ecommerce
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Aditya Sharma
>            Assignee: Jacques Le Roux
>            Priority: Major
>             Fix For: 17.12.01, 18.12.01
>
>         Attachments: screenshot-1.png
>
>
> Steps to generate:
> 1. Go to Ecommerce store https://localhost:8443/ecommerce/control/main
> 2. In "Sign Up For Contact List" panel from the left menu, select Newsletter, provide email and click on subscribe button. (Here you should have email configuration to receive email)
> 3. Click on the verification link in the email.
> It gives the following error message
> {quote}The Following Errors Occurred:
> Error calling event: org.apache.ofbiz.webapp.event.EventHandlerException: Found URL parameter [contactListId] passed to secure (https) request-map with uri [updateContactListPartyNoUserLogin] with an event that calls service [updateContactListPartyNoUserLogin]; this is not allowed for security reasons! The data should be encrypted by making it part of the request body (a form field) instead of the request URL.
> Moreover it would be kind if you could create a Jira sub-task of https://issues.apache.org/jira/browse/OFBIZ-2330 (check before if a sub-task for this error does not exist). If you are not sure how to create a Jira issue please have a look before at https://cwiki.apache.org/confluence/display/OFBIZ/OFBiz+Contributors+Best+Practices Thank you in advance for your help.{quote}
> Try with the trunk link:
> https://demo-trunk.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010
> Stable 16 link:
> https://demo-stable.ofbiz.apache.org/ecommerce/control/updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED&optInVerifyCode=9084207171&baseLocation=/ecommerce&preferredContactMechId=10010



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
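
The rule stated in the quoted error message, sketched in Python as an added example (it is not OFBiz code and not part of the original message): a service input that arrives only in the URL of an https request is rejected, while the same data sent as form fields passes. The service input names and the definition of "URL-only" are assumptions; the sample link is the trunk link quoted in the issue.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed input names for the service; the page only confirms contactListId.
SERVICE_IN_PARAMS = {"contactListId", "partyId", "fromDate", "statusId",
                     "optInVerifyCode", "preferredContactMechId"}

# Trunk link quoted in the issue description.
EMAIL_LINK = ("https://demo-trunk.ofbiz.apache.org/ecommerce/control/"
              "updateContactListPartyNoUserLogin?contactListId=9000&partyId=_NA_"
              "&fromDate=2017-10-04%2010:48:46.531&statusId=CLPT_ACCEPTED"
              "&optInVerifyCode=9084207171&baseLocation=/ecommerce"
              "&preferredContactMechId=10010")


def url_only_params(url, body=""):
    """Names of parameters present in the query string but not in the form body."""
    query = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    form = dict(parse_qsl(body, keep_blank_values=True))
    return [name for name in query if name not in form]


def check_secure_service_request(url, body="", service_params=SERVICE_IN_PARAMS):
    """Return an error for the first service input found only in the URL of an
    https request, or None when the request passes the check."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # the rule in the message applies to secure request-maps
    uri = parts.path.rsplit("/", 1)[-1]
    for name in url_only_params(url, body):
        if name in service_params:
            return (f"Found URL parameter [{name}] passed to secure (https) "
                    f"request-map with uri [{uri}]")
    return None


def as_form_post(url):
    """Move the query string into the request body, as the error message asks."""
    parts = urlsplit(url)
    return parts._replace(query="").geturl(), parts.query


if __name__ == "__main__":
    print(check_secure_service_request(EMAIL_LINK))
    post_url, post_body = as_form_post(EMAIL_LINK)
    print(check_secure_service_request(post_url, post_body))
```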