View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0003155 | OXID eShop (all versions) | 4.07. Source code, Test | public | 2011-08-18 15:01 | 2012-12-10 13:44 |

Field | Value |
---|---|
Reporter | Holger Kohnen |
Assigned To | |
Priority | high |
Severity | major |
Reproducibility | always |
Status | resolved |
Resolution | fixed |
Platform | 64bit |
OS | Ubuntu/Linux |
OS Version | 11.04 |
Product Version | 4.5.0 revision 34568 |
Fixed in Version | 4.5.2 revision 38481 |
Summary | 0003155: oxConfig::getInstance()->getParameter returns no GET params if the request method is POST |
Description | Sometimes you need to configure shop URLs in external systems which request the shop via the POST method. If you configure the URL like this: http://myshop.com/index.php?cl=my_feedback_handler the my_feedback_handler view is never instantiated because getParameter returns nothing for 'cl'. This could easily be fixed in the getParameter method of oxconfig. |
Tags | No tags attached. |
Theme | Both |
Browser | All |
PHP Version | any |
Database Version | any |

related to | 0003033 | resolved | Linas Kukulskis | android makes redirects with post instead get (I guess) |
|
@developers: please, investigate |
|
If you want to pass parameters via POST, do not put them in the form action but put them as form elements, for example: <form action="http://myshop.com/index.php" method="post"> <input type="hidden" name="cl" value="register"> <input type="submit" value="submit"> </form> |
|
Sorry this is not resolved. @linas thanks for your hint, but the problem is with external systems - like payment providers, where you can configure a shop url which is invoked via POST on payment status changes, and you can't tell them to add an additional cl-param. |
|
I think this is kind of a security feature of OXID; this shouldn't be "fixed" as it is not a bug in particular. Solution for your issue: You can register a SEO URL in Admin for "myshop.com/index.php?cl=myfeedbackhandler" so you have myshop.com/myfeedbackhandler/ You give this URL to your payment provider and the POST can be invoked on this URL. This should fix your problem. |
|
Yes, this type of fix is possible, but it should not be necessary to define a SEO URL for a backend system. I do not understand the security feature - if a black hat wants to make a param attack, he can use either POST or GET params; I don't think that an attack exists which requires sending POST and GET. |
|
You could overwrite POST params via GET or vice versa. This would, for example, make phishing easier, as you could fake a "trustworthy URL" for the user's eye but do something else in the background via the overwrite mechanism. |
|
No, you just have to prioritize the GET params, then something like that is not possible, because what the user sees in the URL has the priority. PHP does the same: http://de3.php.net/manual/en/ini.core.php#ini.variables-order Once again, the problem is not that there are no solutions; the problem is that the current implementation is counter-intuitive, and so costs developer time. I have seen many developers trapped in that pitfall. They say/think: "I can use getParameter to get GET data and POST data." So unified access is possible, which is a good thing. But that you cannot access GET data in a POST request is just wrong. That is not the way a web developer thinks. |
|
I don't want to have a debate on principles here :) I think the OXID developers should prioritize for themselves. |
|
This Problem is familiar with that android order problem: https://bugs.oxid-esales.com/view.php?id=3100 |
|
fixed: reading GET and POST params in a mutually unrestrictive way, with POST parameter overriding GET parameter in case both are set. |
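
The parameter-resolution behaviours discussed in this thread, side by side, as an added example that is not OXID eShop code. All function names are hypothetical and the request data is constructed; the last function lists names sent in both sources with different values, which is the case where the chosen precedence decides the outcome and which an application can log.

```php
<?php
// Added example: standalone functions, not OXID eShop code. All names are hypothetical.

/** Behaviour reported in the issue: on a POST request only the POST data is consulted. */
function paramMethodOnly(string $name, string $method, array $get, array $post)
{
    $source = ($method === 'POST') ? $post : $get;
    return $source[$name] ?? null;
}

/** Behaviour described in the fix note: both sources are read, POST wins if both are set. */
function paramPostOverGet(string $name, array $get, array $post)
{
    return $post[$name] ?? $get[$name] ?? null;
}

/** Alternative proposed in the thread: the value visible in the URL wins. */
function paramGetOverPost(string $name, array $get, array $post)
{
    return $get[$name] ?? $post[$name] ?? null;
}

/** Names present in both sources with different values, where precedence decides the result. */
function conflictingParams(array $get, array $post): array
{
    $conflicts = [];
    foreach (array_intersect_key($get, $post) as $name => $getValue) {
        if ($getValue !== $post[$name]) {
            $conflicts[$name] = ['get' => $getValue, 'post' => $post[$name]];
        }
    }
    return $conflicts;
}

// Constructed request 1: a callback POSTed to index.php?cl=my_feedback_handler
$get  = ['cl' => 'my_feedback_handler'];
$post = ['status' => 'paid'];
var_dump(paramMethodOnly('cl', 'POST', $get, $post));  // the reported problem
var_dump(paramPostOverGet('cl', $get, $post));         // after the fix
var_dump(conflictingParams($get, $post));              // no name is sent twice

// Constructed request 2: 'cl' is sent both in the URL and in the POST data
$get  = ['cl' => 'details'];
$post = ['cl' => 'register'];
var_dump(paramPostOverGet('cl', $get, $post));         // POST value is used
var_dump(paramGetOverPost('cl', $get, $post));         // URL value is used
echo json_encode(conflictingParams($get, $post)), PHP_EOL; // candidate log entry
```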