ws-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colm O hEigeartaigh (Closed) (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (WSS-70) WSHandler checkReceiverResults causes security problem
Date Mon, 03 Oct 2011 09:04:41 GMT

     [ https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Colm O hEigeartaigh closed WSS-70.
----------------------------------

    
> WSHandler checkReceiverResults causes security problem
> ------------------------------------------------------
>
>                 Key: WSS-70
>                 URL: https://issues.apache.org/jira/browse/WSS-70
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: G├╝rkan Vural
>            Assignee: Fred Dushin
>            Priority: Critical
>             Fix For: 1.5.4
>
>         Attachments: wss4j_actions.patch
>
>
> In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
> which also checks the size of actions. However this part is moved in
> WSS4J 1.5 to WSHandler.java using checkReceiverResults function and
> action size check is commented out. However the checking for loop is
> controled against the size of actions received in the SOAP message. This
> cause a security problem when an empty security header is sent. It omits
> the for loop and throws no exception!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org


Mime
View raw message