Posted to jetspeed-dev@portals.apache.org by "David Sean Taylor (JIRA)" <je...@portals.apache.org> on 2008/10/27 17:32:44 UTC
[jira] Resolved: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.
[ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Sean Taylor resolved JS2-914.
-----------------------------------
Resolution: Fixed
I decided to completely remove request parameter support. Joachim, please review. I hope my modified fix is acceptable for your needs.
> Possible security issue because pipeline can be set by the "pipeline" request parameter.
> ---------------------------------------------------------------------------------------
>
> Key: JS2-914
> URL: https://issues.apache.org/jira/browse/JS2-914
> Project: Jetspeed 2
> Issue Type: Bug
> Affects Versions: 2.1.2, 2.1.3, 2.2, 2.3
> Reporter: Joachim Müller
> Assignee: David Sean Taylor
> Fix For: 2.1.2, 2.1.3, 2.2, 2.3
>
> Attachments: patch.JS2-914.diff
>
>
> The pipeline to use can be set in several ways:
> - Path
> - request attribute
> - request parameter via "pipeline" parameter in the URL
> Especially the definition via the request parameter can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.
> If pipeline definition via the request parameter is not used anymore it should be removed from the code in JetspeedEngine.java.
> Otherwise it is recommendable to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.
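To make the three outcomes concrete, here is an added illustration (not Jetspeed's JetspeedEngine code, and not the attached patch) of a pipeline resolver in the reported shape, with the unchecked parameter lookup beside the two remedies the thread discusses: validating the parameter against the values of the "pipeline-map", or dropping parameter support altogether as the resolution did. The class name, the map layout (path prefix to pipeline name) and all pipeline names are constructed for the example.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical resolver for illustration only; not Jetspeed's own engine code.
public final class PipelineResolver {
    private final Map<String, String> pipelineMap;   // constructed stand-in for pipeline.xml's "pipeline-map": path prefix -> pipeline
    private final Set<String> allowedPipelines;      // the map's values: the only pipelines a client may select
    private final String defaultPipeline;

    public PipelineResolver(Map<String, String> pipelineMap, String defaultPipeline) {
        this.pipelineMap = pipelineMap;
        this.allowedPipelines = new HashSet<>(pipelineMap.values());
        this.defaultPipeline = defaultPipeline;
    }

    // BEFORE (the reported behaviour): the "pipeline" request parameter wins, unchecked,
    // so any pipeline defined in pipeline.xml can be selected even if it is not in the pipeline-map.
    public String resolveUnchecked(String path, String pipelineParam) {
        if (pipelineParam != null) {
            return pipelineParam;
        }
        return fromPath(path);
    }

    // Remedy 1 (the idea of the attached patch): honour the parameter only if it names a pipeline-map value.
    public String resolveChecked(String path, String pipelineParam) {
        if (pipelineParam != null && allowedPipelines.contains(pipelineParam)) {
            return pipelineParam;
        }
        return fromPath(path);   // anything else falls back to the path-derived pipeline
    }

    // Remedy 2 (the committed resolution): request parameter support is removed entirely.
    public String resolveByPathOnly(String path) {
        return fromPath(path);
    }

    private String fromPath(String path) {
        for (Map.Entry<String, String> e : pipelineMap.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return defaultPipeline;
    }

    public static void main(String[] args) {
        Map<String, String> map = Map.of("/portal", "portal-pipeline", "/desktop", "desktop-pipeline"); // constructed
        PipelineResolver r = new PipelineResolver(map, "portal-pipeline");
        // "internal-pipeline" stands for a pipeline defined in pipeline.xml but deliberately absent from the map
        System.out.println(r.resolveUnchecked("/portal/default-page", "internal-pipeline"));
        System.out.println(r.resolveChecked("/portal/default-page", "internal-pipeline"));
        System.out.println(r.resolveByPathOnly("/desktop/default-page"));
    }
}
```

Only the first call returns the unmapped pipeline; the checked variant falls back to the path mapping, and the path-only variant never consults the parameter at all.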
--
This message is automatically generated by JIRA.