karaf-issues mailing list archives

From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KARAF-4208) Poor Error Handling: Empty Catch Block
Date Thu, 20 Oct 2016 19:38:58 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet updated KARAF-4208:
-----------------------------------
    Fix Version/s:     (was: 4.0.8)
                       (was: 4.1.0)

> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
>                 Key: KARAF-4208
>                 URL: https://issues.apache.org/jira/browse/KARAF-4208
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis
> of the Karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215,
> which could cause the program to overlook unexpected states and conditions. In this case an
> authentication has failed and the attempt to respond to the client and let them know has
> also failed. The comment indicates that nothing can be done about the problem but the issue
> should be logged for further investigation or forensics purposes.
> File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 215
> JaasSecurityProvider.java, lines 207-218:
> {code}
> 207 // request authentication
> 208 try
> 209 {
> 210     response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
> 211     response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
> 212     response.setContentLength( 0 );
> 213     response.flushBuffer();
> 214 }
> 215 catch ( IOException ioe )
> 216 {
> 217     // failed sending the response ... cannot do anything about it
> 218 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
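
As an added illustration of the change the report asks for (example code, not Karaf's or Felix's own): the challenge-sending block rewritten so the failed authentication is recorded before the response is attempted, and a failure to deliver the 401 is logged rather than dropped. The class name, the SLF4J logger field, the helper name `sendChallenge` and the use of the remote address as context are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical stand-in for the challenge logic in JaasSecurityProvider.authenticate(). */
public class BasicAuthChallenge {

    private static final Logger LOG = LoggerFactory.getLogger(BasicAuthChallenge.class);
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";

    private final String realm;

    public BasicAuthChallenge(String realm) {
        this.realm = realm;
    }

    /**
     * Sends a 401 with a Basic challenge after a failed login.
     * Returns true if the response was flushed to the client, false otherwise.
     * The authentication failure itself is logged before the response is attempted,
     * so the audit trail does not depend on the client still being connected.
     */
    public boolean sendChallenge(HttpServletRequest request, HttpServletResponse response) {
        String remote = request.getRemoteAddr();   // assumed context field for the log record
        String path = request.getRequestURI();
        LOG.info("Authentication failed for realm '{}' from {} on {}", realm, remote, path);

        try {
            response.setHeader(HEADER_WWW_AUTHENTICATE,
                    AUTHENTICATION_SCHEME_BASIC + " realm=\"" + realm + "\"");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            response.setContentLength(0);
            response.flushBuffer();
            return true;
        } catch (IOException ioe) {
            // The challenge could not be delivered (client disconnected, broken pipe, ...).
            // Nothing more can be done for this request, but an empty catch hides the
            // event; record it with the same context as the failure logged above.
            LOG.warn("Failed to send 401 challenge to {} for realm '{}': {}",
                    remote, realm, ioe.toString());
            LOG.debug("Stack trace for failed 401 challenge", ioe);
            return false;
        }
    }
}
```

The boolean return lets the caller distinguish "client refused" from "client never received the challenge" when correlating repeated failures from one address.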
