Post by dragonfly-ie » Tue Jun 21, 2016 6:51 am

straightlight wrote:
dragonfly-ie wrote:@straightlight et al: Is there a fix to stop WARNING on front page with SSL?
The page at https://yoursite.com/ contains a form which targets an insecure URL http://yoursite.com/common/currency/currency.

line 41 index-page: <form action="http://yoursite.com/common/currency/currency" method="post" enctype="multipart/form-data" id="form-currency">
It has been known that the currency from forms may not redirect to its target due to a hidden input form which most of web providers these days may decline due to CSRF vulnerabilities. It is also not in common programming practice to generically assign a post URL as a hidden field from an HTML form to redirect the browser to another location.

I can, however, recommend the use of the CSRF protection form to see if that will solved the issue. It is also compatible over SSL but not yet tested on TLS encryption.

Contribution: http://www.opencart.com/index.php?route ... on_id=4773

Take note that this contribution does not reflect on any Opencart version since it is a globalized library. The only difference on its integration is with the new nowadays functionality of Opencart v2.2.0.0 and above into the framework but is still NOT an obligation to integrate it globally into your store as I do rather recommend that you initiate this library directly into your catalog/controller/common/currency.php file into the index() method. Then, as per my documentation indicates, to add the echo line right below the: <form tag line into your catalog/view/theme/<your_theme>/template/common/currency.tpl file.

Afterwards, clear out your cache navigation. Close the browser, re-open the browser and see if that solves the issue.

Thanks a lot for your concise explanation @straightlight

Considering the fact, cooperations pushing for TLS, I would be interested to see testing on TLS encryption before implementing your suggested changes.

Thx again.

“May the best day of your past be the worst day of your future.”


User avatar
New member

Posts

Joined
Sat Nov 09, 2013 2:31 am
Location - 52°N 7°37'W

Post by straightlight » Tue Jun 21, 2016 6:48 pm

By testing this contribution, there will be no impact; either the issue gets resolved or will either persists. If you don't feel confident on testing this contribution, then you will never know the results which, again, will not impact your store as all it will do is to sessionize this particular HTML form rather than public use from the same HTML form; especially practical when using hidden input fields for site redirection.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer / Opencart Tester


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by bonkopencart » Wed May 03, 2017 2:24 pm

I found these error when sending mail about voucher detail when voucher does not belong to an order..

in file: admin/model/sale/voucher.php
find:

Code: Select all

$data['text_greeting'] = sprintf($this->language->get('text_greeting'), $this->currency->format($voucher_info['amount'], $order_info['currency_code'], $order_info['currency_value']));
replace with:

Code: Select all

$data['text_greeting'] = sprintf($this->language->get('text_greeting'), $this->currency->format($voucher_info['amount'], $this->config->get('config_currency')));
I don't check any other event that may trigger this error yet.

New member

Posts

Joined
Fri Mar 24, 2017 1:53 pm
Who is online

Users browsing this forum: No registered users and 7 guests