portals-jetspeed-dev mailing list archives

From Joachim Müller (JIRA) <jetspeed-...@portals.apache.org>
Subject [jira] Updated: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.
Date Wed, 22 Oct 2008 08:36:46 GMT

     [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joachim Müller updated JS2-914:
-------------------------------

    Attachment: patch.JS2-914.diff

Patch to check request parameter "pipeline" against the values of "pipeline-map" defined in assembly.

> Possible security issue because pipeline can be set by the "pipeline" request parameter.
> ---------------------------------------------------------------------------------------
>
>                 Key: JS2-914
>                 URL: https://issues.apache.org/jira/browse/JS2-914
>             Project: Jetspeed 2
>          Issue Type: Bug
>    Affects Versions: 2.1.2, 2.1.3, 2.2, 2.3
>            Reporter: Joachim Müller
>             Fix For: 2.1.2, 2.1.3, 2.2, 2.3
>
>         Attachments: patch.JS2-914.diff
>
>
> The pipeline to use can be set in several ways:
> - Path
> - request attribute
> - request parameter via "pipeline" parameter in the URL 
> Especially the definition via the request parameter can be a security issue, because
> this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every
> defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.
> If pipeline definition via the request parameter is not used anymore, it should be removed
> from the code in JetspeedEngine.java.
> Otherwise it is recommendable to check the request parameter against the values of the
> "pipeline-map". I will attach a patch for this solution.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

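An added illustration of the allow-list check the ticket proposes. This is example code written for this page; it is not taken from Jetspeed 2 or from the attached patch (whose contents are not reproduced here). The pipeline names, the layout of the pipeline-map, the default pipeline and every method name are assumptions made for the illustration.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Illustrative "pipeline" request-parameter handling: the unchecked form the
 * ticket describes next to a form that only accepts values found in the
 * pipeline-map. Example code, not Jetspeed's own; all names are assumptions.
 */
public final class PipelineSelector {

    /** Pipeline used when the request names nothing valid (assumed name). */
    static final String DEFAULT_PIPELINE = "jetspeed-pipeline";

    /**
     * Constructed stand-in for the "pipeline-map" from pipeline.xml:
     * URL path prefix -> pipeline name. Only pipelines listed here are
     * meant to be reachable from a URL.
     */
    static final Map<String, String> PIPELINE_MAP;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("/portal", "jetspeed-pipeline");
        m.put("/desktop", "desktop-pipeline");
        m.put("/ajaxapi", "ajax-pipeline");
        PIPELINE_MAP = Collections.unmodifiableMap(m);
    }

    /**
     * Path-based selection: the first map key that prefixes the request path
     * wins (assumed matching rule). Uses the map's keys.
     */
    static String selectByPath(String pathInfo) {
        if (pathInfo != null) {
            for (Map.Entry<String, String> e : PIPELINE_MAP.entrySet()) {
                if (pathInfo.startsWith(e.getKey())) {
                    return e.getValue();
                }
            }
        }
        return DEFAULT_PIPELINE;
    }

    /**
     * Unchecked variant (the behaviour the issue reports): whatever the client
     * sends in ?pipeline=... is returned and later resolved against every
     * pipeline defined in pipeline.xml, including ones that have no entry in
     * the pipeline-map and were never meant to be reachable from a URL.
     */
    static String selectUnchecked(String pipelineParam) {
        return pipelineParam != null ? pipelineParam : DEFAULT_PIPELINE;
    }

    /**
     * Checked variant: the parameter is honoured only if it equals one of the
     * pipeline-map's *values*; anything else falls back to the default. The
     * comparison is exact, so case or whitespace variants are rejected too.
     */
    static String selectChecked(String pipelineParam) {
        if (pipelineParam != null && PIPELINE_MAP.containsValue(pipelineParam)) {
            return pipelineParam;
        }
        return DEFAULT_PIPELINE;
    }

    public static void main(String[] args) {
        // Constructed sample requests: a mapped pipeline, a pipeline that is
        // assumed to exist in pipeline.xml but not in the pipeline-map, and no
        // parameter at all.
        String[] requested = { "desktop-pipeline", "internal-admin-pipeline", null };
        for (String p : requested) {
            System.out.printf("param=%-24s unchecked=%-24s checked=%s%n",
                    p, selectUnchecked(p), selectChecked(p));
        }
        System.out.println("path /desktop/x -> " + selectByPath("/desktop/x"));
    }
}
```

The check is deliberately driven by the same configured map that the path-based lookup uses, rather than by a second hard-coded list, so a pipeline added to the map for URL access becomes selectable by parameter without a code change, and one that is absent stays unreachable. If the parameter path is genuinely unused, removing it, as the ticket's first option suggests, is the stronger fix, since there is then nothing left to validate.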

