roller-commits mailing list archives

From "Kohei Nozaki (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ROL-2058) No salt renewal on POST request
Date Sat, 10 Jan 2015 23:40:34 GMT

     [ https://issues.apache.org/jira/browse/ROL-2058?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kohei Nozaki updated ROL-2058:
------------------------------
    Attachment: ROL-2058.patch

> No salt renewal on POST request
> -------------------------------
>
>                 Key: ROL-2058
>                 URL: https://issues.apache.org/jira/browse/ROL-2058
>             Project: Apache Roller
>          Issue Type: Bug
>          Components: User Interface - General
>    Affects Versions: 5.1.1
>         Environment: WildFly 8.2.0.Final
>            Reporter: Kohei Nozaki
>            Assignee: Roller Unassigned
>         Attachments: ROL-2058.patch
>
>
> Roller continues using the previous salt value, which was sent from the client as a POST parameter. This leads to fixing of the salt value in the form element of the HTML, and unexpectedly brings ServletException("Security Violation") by ValidateSaltFilter in some use cases (e.g. long-term editing over 60 minutes).
> It seems that the cause is the existence of the org.apache.roller.weblogger.ui.struts2.util.UIAction#setSalt(String) method. This overwrites the salt with the previous value, which was sent by the client as a POST parameter. It's unnecessary behavior because the new salt value comes through the preceding invocation of UIAction#setRequest(Map).
> Original discussion in the mailing list:
> http://markmail.org/search/?q=list%3Aorg.apache.roller.user#query:list%3Aorg.apache.roller.user+page:1+mid:tnqn4qjuwmwun4oh+state:results



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
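
The call order described in the report, modelled as an added example that is not part of the original message and is not Roller's code: a fresh salt arrives through setRequest(Map), then parameter binding calls setSalt(String) with the posted value, so the form keeps re-rendering the first salt until it expires. The 60-minute lifetime and the two method names come from the report; the salt store, the simulated clock, the `Action` class and the use of SecurityException in place of ServletException are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model of the ROL-2058 behaviour; hypothetical classes, not Roller's code.
public class SaltRenewalDemo {
    static final long TTL_MS = 60 * 60 * 1000L;              // 60 minutes, from the report
    static final Map<String, Long> issued = new HashMap<>(); // salt -> issue time
    static long now = 0;                                     // simulated clock (ms)
    static int counter = 0;
    static String newSalt() {             // stand-in for a random salt generator
        String s = "salt-" + (++counter);
        issued.put(s, now);
        return s;
    }
    static boolean valid(String salt) {   // check a salt-validating filter would make
        Long t = issued.get(salt);
        return t != null && now - t < TTL_MS;
    }
    static class Action {                 // stand-in for UIAction
        String salt;
        void setRequest(Map<String, String> attrs) { salt = attrs.get("salt"); }
        void setSalt(String posted) { salt = posted; }
    }
    // One POST: validate, issue a fresh salt, bind parameters, return the salt the form re-renders.
    static String post(String postedSalt, boolean bindSaltParam) {
        if (!valid(postedSalt)) throw new SecurityException("Security Violation");
        Map<String, String> attrs = new HashMap<>();
        attrs.put("salt", newSalt());
        Action a = new Action();
        a.setRequest(attrs);                       // fresh salt arrives first
        if (bindSaltParam) a.setSalt(postedSalt);  // then the posted value overwrites it
        return a.salt;
    }
    static boolean survives(boolean bindSaltParam) {   // save every 10 min for 70 min
        issued.clear(); now = 0; counter = 0;
        String formSalt = newSalt();               // initial GET renders the form
        try {
            for (int i = 0; i < 7; i++) {
                now += 10 * 60 * 1000L;
                formSalt = post(formSalt, bindSaltParam);
            }
            return true;
        } catch (SecurityException e) { return false; }
    }
    public static void main(String[] args) {
        System.out.println("setSalt(String) bound from POST: " + survives(true));
        System.out.println("setSalt(String) not bound:       " + survives(false));
    }
}
```

With binding enabled the editing session is rejected once the first salt reaches its lifetime, even though every earlier save succeeded; without it each response carries the renewed salt and the session continues.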
