roller-commits mailing list archives

From "Greg Huber (JIRA)" <j...@apache.org>
Subject [jira] [Assigned] (ROL-1956) ValidateSaltFilter not working on file upload
Date Sun, 12 Jan 2014 10:55:51 GMT

     [ https://issues.apache.org/jira/browse/ROL-1956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Greg Huber reassigned ROL-1956:
-------------------------------

    Assignee: Greg Huber  (was: Roller Unassigned)

> ValidateSaltFilter not working on file upload
> ---------------------------------------------
>
>                 Key: ROL-1956
>                 URL: https://issues.apache.org/jira/browse/ROL-1956
>             Project: Apache Roller
>          Issue Type: Bug
>    Affects Versions: 5.1
>         Environment: java version "1.7.0_03"
> OpenJDK Runtime Environment (IcedTea7 2.1.3) (7u3-2.1.3-1)
> OpenJDK 64-Bit Server VM (build 22.0-b10, mixed mode)
> tomcat7                               7.0.28-3+nmu1
>            Reporter: Matthias Wimmer
>            Assignee: Greg Huber
>
> When I try to upload a media file to roller, I get a Security Violation thrown in org.apache.roller.weblogger.ui.core.filters.ValidateSaltFilter.
> Debugging the problem I can see that the salt is sent in the HTTP POST request to http://example.com/roller-ui/authoring/mediaFileAdd!save.rol - but the call to (String) httpReq.getParameter("salt") in ValidateSaltFilter.doFilter does return null.
> I guess that this is what http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html describes for the getParameter() method when it talks about the following:
> If the parameter data was sent in the request body, such as occurs with an HTTP POST request, then reading the body directly via getInputStream() or getReader() can interfere with the execution of this method.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
