View Issue Details

IDProjectCategoryView StatusLast Update
0003155OXID eShop (all versions)4.07. Source code, Testpublic2012-12-10 13:44
ReporterHolger Kohnen 
PriorityhighSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Platform64bitOSUbuntu/LinuxOS Version11.04
Product Version4.5.0 revision 34568 
Target VersionFixed in Version4.5.2 revision 38481 
Summary0003155: oxConfig::getInstance()->getParameter return no GET-Params if request-method is post
DescriptionSometimes you need to configure shop urls in external systems which request the shop via POST-Method. If you configure the url like this:

http://myshop.com/index.php?cl=my_feedback_handler

the my_feedback_handler view is never instantiated because getParameter returns nothing for 'cl'.

This could be easy to fixed in the getParameter method of oxconfig.

TagsNo tags attached.
ThemeBoth
BrowserAll
PHP Versionany
Database Versionany

Relationships

related to 0003033 resolvedLinas Kukulskis android makes redirects with post instead get (I guess) 

Activities

birute_meilutyte

2011-08-19 09:35

reporter   ~0005065

@developers: please, investigate

Linas Kukulskis

2011-08-19 14:41

reporter   ~0005069

Last edited: 2011-08-19 14:48

View 2 revisions

if you want to put parameters via post put them not to form action o put them like form elements for example:
<form action="http://myshop.com/index.php" method="post">
    <input type="hidden" name="cl" value="register">
    <input type="submit" value="submit">
</form>

Holger Kohnen

2011-08-19 16:51

reporter   ~0005076

Sorry this is not resolved.

@linas thanks for your hint, but the problem is with external systems - like payment providers, where you can configure a shop url which is invoked via POST on payment status changes, and you can't tell them to add an additional cl-param.

csimon

2011-08-22 08:44

reporter   ~0005077

i think this is kind of a security feature of OXID, this shoudn't be "fixed" as it is not a bug in particular.

Solution for your issue: You can register a SEO-URL in Admin for "myshop.com/index.php?cl=myfeedbackhandler" so you have myshop.com/myfeedbackhandler/

This URL you give to your payment provider and the post can be invoked on this url. This should fix your problem.

Holger Kohnen

2011-08-22 08:53

reporter   ~0005078

yes, this type of fix is possible, but it should not be necessary to define a seo url for a backend system.

i do not understand the security feature - if a black hat want's to make a param attack, he can use either POST or GET params, i don't think that an attack exists which requires to send POST and GET.

csimon

2011-08-22 09:01

reporter   ~0005079

You could overwrite POST Params via GET or vice versa.

This would make for example phishing easier as you could Fake a "trustworthy url" for the users eye but do something else in background via the overwrite mechanism.

Holger Kohnen

2011-08-22 09:34

reporter   ~0005080

no, you just have to prioritize the GET params, then something like that is not possible, because what the user sees in the url has the priority.

PHP does the same:
http://de3.php.net/manual/en/ini.core.php#ini.variables-order

Once again, the problem is not that there are no solutions, the problem is that the current implementation is counter-intuitive, and so costs developer time. I have seen many developers that trapped in that pit fall. They say/think: "i can use getParameter to get GET data and POST data" So it is an unified access is possible, which is a good thing. But that you cannot access GET data in POST request is just wrong. That is not the way a Webdeveloper thinks.

csimon

2011-08-22 09:53

reporter   ~0005081

I don't want to have a debate on principles here :) i think the oxid developers should priorize for themselves.

mark

2011-08-22 14:06

reporter   ~0005082

This Problem is familiar with that android order problem:
https://bugs.oxid-esales.com/view.php?id=3100

Linas Kukulskis

2011-08-23 13:04

reporter   ~0005088

fixed: reading GET and POST params in a mutually unrestrictive way, with POST parameter overriding GET parameter in case both are set.