portals-jetspeed-dev mailing list archives

From David Sean Taylor <dtay...@onehippo.com>
Subject Re: Security Issue: pipeline can be set via request parameter
Date Tue, 21 Oct 2008 16:36:20 GMT
On Oct 21, 2008, at 5:06 AM, Joachim Müller wrote:

> Hi.
>
> I found a possible security related issue. In JetspeedEngine.service()
> the pipeline can be set via several options:
>
> - Path
> - request attribute
> - request parameter via "pipeline" parameter in the URL
>
> The option "path" is checked against the "pipeline-map" defined in
> pipeline.xml, but the other options are not. Especially the option
> "request parameter" can be a security issue, because all defined
> pipelines can be triggered!!!

> I currently have a patch available to check the option "request
> parameter" also against the "pipeline-map". Before creating a JIRA
> issue I have some questions:
>
> 1.) Is the option "request parameter" still used anywhere? My quick
> check turned out that it is not.
>
No, it is not.

> 2.) Does the proposed patch influence any functionality?
>

Send the patch, it's not clear to me what you will do, and I'd like to
see it before commenting.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
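
A sketch of the check discussed in this thread, added here as an illustration; it is not Jetspeed source and not the patch mentioned above. The class, method and pipeline names, the map contents, the reading of "checked against the pipeline-map" as "the name must be one of the map's values", and the precedence of the parameter over the path are all assumptions.

```java
import java.util.Map;
import java.util.Optional;

// Added illustration; not Jetspeed code. All names below are hypothetical.
public class PipelineSelection {

    // Constructed stand-in for the "pipeline-map": request path -> pipeline name.
    static final Map<String, String> PIPELINE_MAP = Map.of(
            "/portal", "main-pipeline",
            "/login", "login-pipeline");

    // Behaviour described in the thread: the "pipeline" request parameter is
    // taken as-is, so a client can name any pipeline that is defined.
    static Optional<String> selectUnchecked(String path, String pipelineParam) {
        if (pipelineParam != null) {
            return Optional.of(pipelineParam);
        }
        return Optional.ofNullable(PIPELINE_MAP.get(path));
    }

    // Checked variant: the parameter is honoured only when it names a pipeline
    // that the map already exposes; anything else yields no pipeline at all.
    static Optional<String> selectChecked(String path, String pipelineParam) {
        if (pipelineParam != null) {
            return PIPELINE_MAP.containsValue(pipelineParam)
                    ? Optional.of(pipelineParam)
                    : Optional.empty(); // caller should reject the request
        }
        return Optional.ofNullable(PIPELINE_MAP.get(path));
    }

    public static void main(String[] args) {
        // Constructed name for a pipeline that is defined but not mapped.
        String unmapped = "internal-pipeline";
        System.out.println("unchecked, unmapped name: "
                + selectUnchecked("/portal", unmapped));
        System.out.println("checked, unmapped name:   "
                + selectChecked("/portal", unmapped));
        System.out.println("checked, mapped name:     "
                + selectChecked("/portal", "login-pipeline"));
        System.out.println("checked, no parameter:    "
                + selectChecked("/portal", null));
    }
}
```

Returning an empty result for an unmapped name, rather than silently falling back to the path's pipeline, lets the caller reject and log the request.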

