portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joachim Müller <joac...@wemove.com>
Subject Security Issue: pipeline can be set via request parameter
Date Tue, 21 Oct 2008 12:06:22 GMT

I found a possible security related issue. In JetspeedEngine.service()
the pipeline can be set via several options:

- Path
- request attribute
- request parameter via "pipeline" parameter in the URL

The option "path" is checked against the "pipeline-map" defined in
pipeline.xml, but the other options are not. Especially the option
"request parameter" can produce be a security issue, because all defined
pipelines can be triggered!!!

I currently have a patch available to check the option "request
parameter" also against the "pipeline-map". Before creating an JIRA
issue I have some questions:

1.) Is the option "request parameter" still used anywhere? My quick
check turned out that is is not.

2.) Does the proposed patch influences any functionality?

The option "request attribute" for instance must not be checked against
the "pipeline-map" because the login process set the pipeline to a value
that is not part of the "pipeline-map". If the option "request
parameter" is used in the same way than the check against the
pipeline-map" is not possible.

Best regards,
Joachim Müller

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message