karaf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Updated] (KARAF-4208) Poor Error Handling: Empty Catch Block
Date Tue, 15 Dec 2015 16:11:46 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jean-Baptiste Onofré updated KARAF-4208:
----------------------------------------
    Description: 
HP Fortify SCA and SciTools Understand were used to perform an application security analysis
of the karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which
could cause the program to overlook unexpected states and conditions. In this case an authentication
has failed and the attempt to respond to the client and  let them know has also failed. The
comment indicates that nothing can be done about the problem but the issue should be logged
for further investigation or forensics purposes.

File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215

JaasSecurityProvider.java, lines 207-218:
{code}
207 // request authentication
208 try
209 {
210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\""
+ this.realm + "\"" );
211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212     response.setContentLength( 0 );
213     response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217     // failed sending the response ... cannot do anything about it
218 }
{code}

  was:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis
of the karaf source code.

The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which
could cause the program to overlook unexpected states and conditions. In this case an authentication
has failed and the attempt to respond to the client and  let them know has also failed. The
comment indicates that nothing can be done about the problem but the issue should be logged
for further investigation or forensics purposes.

File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215

JaasSecurityProvider.java, lines 207-218:
207 // request authentication
208 try
209 {
210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\""
+ this.realm + "\"" );
211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212     response.setContentLength( 0 );
213     response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217     // failed sending the response ... cannot do anything about it
218 }


> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
>                 Key: KARAF-4208
>                 URL: https://issues.apache.org/jira/browse/KARAF-4208
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis
of the karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215,
which could cause the program to overlook unexpected states and conditions. In this case an
authentication has failed and the attempt to respond to the client and  let them know has
also failed. The comment indicates that nothing can be done about the problem but the issue
should be logged for further investigation or forensics purposes.
> File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 215
> JaasSecurityProvider.java, lines 207-218:
> {code}
> 207 // request authentication
> 208 try
> 209 {
> 210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + "
realm=\"" + this.realm + "\"" );
> 211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
> 212     response.setContentLength( 0 );
> 213     response.flushBuffer();
> 214 }
> 215 catch ( IOException ioe )
> 216 {
> 217     // failed sending the response ... cannot do anything about it
> 218 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message