Mailing-List: contact dev-help@geronimo.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@geronimo.apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
  s=dk20050327; d=earthlink.net;
  b=MIYHge2qBLCfkzlGsQrfB0g6O5kX6FdUYUSE14BD6Z92uALgh0G4eygbLjBe6ui2;
  h=Received:Message-ID:Date:From:User-Agent:X-Accept-Language:MIME-Version:To:Subject:References:In-Reply-To:Content-Type:Content-Transfer-Encoding:X-ELNK-Trace:X-Originating-IP;
Message-ID: <43CE53F8.7060903@earthlink.net>
Date: Wed, 18 Jan 2006 09:43:04 -0500
From: Joe Bohn <joe.bohn@earthlink.net>
User-Agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)
MIME-Version: 1.0
To: dev@geronimo.apache.org
Subject: Re: Fw: geronimo 1.0 - CSS vulnerabilities
References: <20060117012311.20c39726@doubleshadow.eilebrecht.net>
	 <1b5bfeb50601170147y15e4bc08g@mail.gmail.com>
	 <1137504485.7312.3.camel@localhost>
	 <1b5bfeb50601170624r10609a43h@mail.gmail.com>
	 <43CD0113.9080807@earthlink.net>
	 <c278ac970601170720u71c9eb77vf30a5a067e1846fc@mail.gmail.com>
	 <43CD0F76.5040603@earthlink.net>
 <21df75940601170759m3eb0f1edw1838e8074dff2455@mail.gmail.com>
 <43CD68A2.6020100@gmail.com> <43CDA79B.3000302@hogstrom.org>
In-Reply-To: <43CDA79B.3000302@hogstrom.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

I had an off-line discussion with Paul McMahan on this topic.

Our thoughts were that it is probably best to fix this problem in both 
places if possible.  The container fix seems best for not only the 
console but also other uses ... but it is outside of our control and may 
not be accepted by all containers we might support.  Hence, Paul is 
working on a solution for the portlet itself.  We will continue to 
pursue this with the container teams as well but we will ensure the 
safety for 1.0.1 in our portlet.

Joe

Matt Hogstrom wrote:
> I think the Portlet is the right place to do this.  That way the user is 
> protected from broken containers (of which we currently have 2).
> 
> John Sisson wrote:
> 
>> Paul McMahan wrote:
>>
>>> Either approach should work but I would prefer to address the 
>>> vulnerability in the log viewer portlet because it attaches the 
>>> solution closest to where the specific problem is at.  Also, the 
>>> logger will be called on every request and doing the extra string 
>>> manipulations could affect the web container's throughput.
>>>
>>> Best wishes,
>>> Paul
>>>
>> This reflects my sentiments as well.
>>
>> John
>>
>>>
>>> On 1/17/06, *Joe Bohn* <joe.bohn@earthlink.net 
>>> <mailto:joe.bohn@earthlink.net>> wrote:
>>>
>>>     Yes, this sounds like the best way to go.
>>>
>>>     Regarding the specific problem with the web console displaying 
>>> the web
>>>     access log I'd like to get some consensus.  Is this something 
>>> that the
>>>     containers should modify when storing the URL as part of a 
>>> message in
>>>     the appropriate web log?  (I have confirmed this is a problem with
>>>     both
>>>     Tomcat and Jetty)
>>>
>>>     Or, should we address this within the web access log viewer and/or
>>>     management objects to modify the content of the log records when 
>>> they
>>>     are being displayed.
>>>
>>>     My preference would be to make the modification at the time the log
>>>     record is created.
>>>
>>>     Joe
>>>
>>>
>>
>>
>>
>>
>>
> 
> 

-- 
Joe Bohn
joe.bohn at earthlink.net

"He is no fool who gives what he cannot keep, to gain what he cannot 
lose."   -- Jim Elliot