Posted to jetspeed-dev@portals.apache.org by Joachim Müller <jo...@wemove.com> on 2008/10/21 14:06:22 UTC
Security Issue: pipeline can be set via request parameter
Hi.
I found a possible security related issue. In JetspeedEngine.service()
the pipeline can be set via several options:
- Path
- request attribute
- request parameter via "pipeline" parameter in the URL
The option "path" is checked against the "pipeline-map" defined in
pipeline.xml, but the other options are not. Especially the option
"request parameter" can be a security issue, because all defined
pipelines can be triggered!!!
I currently have a patch available to check the option "request
parameter" also against the "pipeline-map". Before creating a JIRA
issue I have some questions:
1.) Is the option "request parameter" still used anywhere? My quick
check turned out that it is not.
2.) Does the proposed patch influence any functionality?
The option "request attribute" for instance must not be checked against
the "pipeline-map" because the login process sets the pipeline to a value
that is not part of the "pipeline-map". If the option "request
parameter" is used in the same way, then the check against the
"pipeline-map" is not possible.
Best regards,
Joachim Müller
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
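A stand-alone illustration of the check being proposed, added here as an example and not the patch from JS2-914 or Jetspeed's own JetspeedEngine code: the class, the resolution order and all pipeline names are assumptions, and the map entries are constructed sample data.

```java
import java.util.Map;
import java.util.Objects;

/** Hypothetical, stand-alone pipeline selection mirroring the three sources named in the thread. */
public final class PipelineSelector {
    // Constructed stand-in for the pipeline-map of pipeline.xml: path prefix -> pipeline name.
    private final Map<String, String> pipelineMap;
    private final String defaultPipeline;

    public PipelineSelector(Map<String, String> pipelineMap, String defaultPipeline) {
        this.pipelineMap = Map.copyOf(pipelineMap);
        this.defaultPipeline = Objects.requireNonNull(defaultPipeline);
    }

    /** The order in which the sources are consulted is an assumption made for this example. */
    public String select(String pathInfo, Map<String, Object> requestAttributes,
                         Map<String, String> requestParameters) {
        // Request attribute: set server-side (e.g. by the login step), never by the client, so it
        // is honoured as-is; as the thread notes it may legitimately name an unmapped pipeline.
        Object attr = requestAttributes.get("pipeline");
        if (attr instanceof String) {
            return (String) attr;
        }
        // Path: client-controlled, so only prefixes present in the pipeline-map select a pipeline.
        if (pathInfo != null) {
            for (Map.Entry<String, String> e : pipelineMap.entrySet()) {
                if (pathInfo.startsWith(e.getKey())) {
                    return e.getValue();
                }
            }
        }
        // "pipeline" request parameter: client-controlled as well, so apply the same allow-list
        // check the thread proposes; any value that is not a mapped pipeline falls back to the default.
        String param = requestParameters.get("pipeline");
        if (param != null && pipelineMap.containsValue(param)) {
            return param;
        }
        return defaultPipeline;
    }

    public static void main(String[] args) {
        PipelineSelector s = new PipelineSelector(
                Map.of("/portal", "portal-pipeline", "/ajaxapi", "ajax-pipeline"), "portal-pipeline");
        // Constructed requests: an unmapped name in the URL parameter is rejected (default is used),
        // a mapped name in the parameter is accepted, and a server-set attribute is honoured as-is.
        System.out.println(s.select("/other", Map.of(), Map.of("pipeline", "unmapped-pipeline")));
        System.out.println(s.select("/other", Map.of(), Map.of("pipeline", "ajax-pipeline")));
        System.out.println(s.select("/other", Map.<String, Object>of("pipeline", "login-pipeline"), Map.of()));
    }
}
```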
Re: Security Issue: pipeline can be set via request parameter
Posted by Joachim Müller <jo...@wemove.com>.
Hi David.
I've attached a patch here
https://issues.apache.org/jira/browse/JS2-914
If the request parameter "pipeline" is not used anymore, maybe the best
solution is to remove the logic from JetspeedEngine.java
Best Regards!
Joachim
Re: Security Issue: pipeline can be set via request parameter
Posted by David Sean Taylor <dt...@onehippo.com>.
On Oct 21, 2008, at 5:06 AM, Joachim Müller wrote:
> Hi.
>
> I found a possible security related issue. In JetspeedEngine.service()
> the pipeline can be set via several options:
>
> - Path
> - request attribute
> - request parameter via "pipeline" parameter in the URL
>
> The option "path" is checked against the "pipeline-map" defined in
> pipeline.xml, but the other options are not. Especially the option
> "request parameter" can be a security issue, because all
> defined
> pipelines can be triggered!!!
> I currently have a patch available to check the option "request
> parameter" also against the "pipeline-map". Before creating a JIRA
> issue I have some questions:
>
> 1.) Is the option "request parameter" still used anywhere? My quick
> check turned out that it is not.
>
No, it is not.
> 2.) Does the proposed patch influence any functionality?
>
Send the patch, it's not clear to me what you will do, and I'd like to
see it before commenting