activemq-commits mailing list archives

From "Hiram Chirino (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (APLO-250) add_user_header should prevent forging
Date Mon, 27 Aug 2012 14:46:08 GMT

     [ https://issues.apache.org/jira/browse/APLO-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino resolved APLO-250.
--------------------------------

    Resolution: Fixed

The header will now always be updated to avoid forging. The fix is in the following build:

https://builds.apache.org/job/ActiveMQ-Apollo-Deploy/291/console
                
> add_user_header should prevent forging
> --------------------------------------
>
>                 Key: APLO-250
>                 URL: https://issues.apache.org/jira/browse/APLO-250
>             Project: ActiveMQ Apollo
>          Issue Type: Improvement
>          Components: apollo-stomp
>         Environment: apollo-99-trunk-20120827.123709-100
>            Reporter: Lionel Cons
>            Assignee: Hiram Chirino
>             Fix For: 1.5
>
>
> add_user_header currently adds or overwrites the specified header if the corresponding principal exists. If the principal is not present, it does nothing.
> This opens for forgeries since the sent message may contain a header with the same name and, if the principal is missing, Apollo will leave it there. By examining the message, there is no way to know if the header has been set by the sender or by Apollo.
> IMHO it would be safer for Apollo to remove the header in case the corresponding principal is not present.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
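
The behaviour discussed in this issue, modelled in Python as an added example; it is not Apollo's code and not part of the original message. The function names, the header name `x-user` and the sample headers are assumptions, and the strict variant follows the reporter's suggestion (remove the header when no principal is present), since the resolution only states that the header is now always updated.

```python
# Added illustration: simplified model of broker-side user-header stamping.
# Headers are a list of (name, value) pairs, as in a STOMP frame.
# All names here are hypothetical; this is not Apollo's implementation.


def _rewrite(headers, name, principal):
    # Drop every sender-supplied copy of the header. STOMP 1.1+ consumers use
    # the first entry of a repeated header, so one leftover copy is enough
    # for a spoofed value to win.
    kept = [(k, v) for k, v in headers if k != name]
    if principal is not None:
        kept.append((name, principal))
    return kept


def stamp_reported(headers, name, principal):
    """Behaviour described in the report: act only when a principal exists."""
    if principal is None:
        return list(headers)  # sender-supplied header passes through untouched
    return _rewrite(headers, name, principal)


def stamp_strict(headers, name, principal):
    """Always rewrite the header, so only the broker can be its source."""
    return _rewrite(headers, name, principal)


def claimed_user(headers, name):
    """What a consumer reads: the first matching header, or None."""
    return next((v for k, v in headers if k == name), None)


# Constructed sample: a sender that supplies the header itself, twice.
SENT = [
    ("destination", "/queue/orders"),
    ("x-user", "admin"),
    ("x-user", "root"),
]

if __name__ == "__main__":
    for fn in (stamp_reported, stamp_strict):
        for principal in (None, "alice"):
            out = fn(SENT, "x-user", principal)
            print(fn.__name__, principal, "->", claimed_user(out, "x-user"))
```

With no principal, the reported behaviour lets a consumer read `admin` from the sender's own header, while the strict variant yields no user header at all.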
