Posted to issues@shindig.apache.org by "Ryan Baxter (JIRA)" <ji...@apache.org> on 2015/03/16 20:43:39 UTC

[jira] [Deleted] (SHINDIG-1879) security issue with gadgets.io.proxiedMultipartFormPost

     [ https://issues.apache.org/jira/browse/SHINDIG-1879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ryan Baxter deleted SHINDIG-1879:
---------------------------------


> security issue with gadgets.io.proxiedMultipartFormPost
> -------------------------------------------------------
>
>                 Key: SHINDIG-1879
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1879
>             Project: Shindig
>          Issue Type: Bug
>            Reporter: Marshall Shi
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> The file upload API provided by gadgets.io.proxiedMultipartFormPost exposes a security risk. 
> var query = {
>     'MPFP': 1, // This will force an alternate route in the makeRequest proxy endpoint
>     'url': url,
>     'httpMethod': 'POST',
>     'headers': gadgets.io.encodeValues(headers, false),
>     'authz': auth || '',
>     'st': st,
>     'contentType': params['CONTENT_TYPE'] || 'TEXT',
>     'signOwner': signOwner,
>     'signViewer': signViewer,
>     // should we bypass gadget spec cache (e.g. to read OAuth provider URLs)
>     'bypassSpecCache': gadgets.util.getUrlParameters()['nocache'] || '',
>     'getFullHeaders': !!params['GET_FULL_HEADERS']
>  };
> ...
>  var proxyUrl = config['jsonProxyUrl'].replace('%host%', document.location.host) + '?' + gadgets.io.encodeValues(query);
> Sensitive info like the security token will be added to the proxy URL. If an attacker can view HTTP server or intermediate proxy logs or access a user's browser history, they are provided with the current values of these tokens for that user.
> The proposed fix is to create a hidden field in the form the user wants to post; the value of the hidden field will be the query string in JSON format. Once the form is submitted, the hidden field will be removed. In the Shindig server, process the stream of the multipart form and extract the hidden field value for the rest of the request processing. A new stream with the original multipart form data will be sent to the remote server.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
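The leak and the proposed fix, modelled end to end as an added example (this is not Shindig's code, and the hidden field name `__mpfp_query`, the proxy path `/gadgets/makeRequest`, the sample query, form parts and boundary are all assumptions constructed for the demonstration). It shows the "before" URL carrying `st` as a query parameter, the "after" request that keeps only the `MPFP` routing flag in the URL and moves the rest of the query into a hidden multipart field, and the server-side step that pulls that field out of the body and re-encodes the remaining parts for the remote server.

```javascript
'use strict';

// Assumed name for the hidden field that carries the JSON-encoded query (not Shindig's).
const HIDDEN_FIELD = '__mpfp_query';

// "Before": every parameter, security token included, is appended to the proxy URL,
// mirroring the quoted gadgets.io code; anything that logs URLs now sees the token.
function buildProxyUrlBefore(jsonProxyUrl, host, query) {
  return jsonProxyUrl.replace('%host%', host) + '?' + new URLSearchParams(query).toString();
}

// Build a multipart/form-data body from text parts (file contents are strings here;
// a real implementation must stream bytes and pick a random boundary absent from the data).
function encodeMultipart(parts, boundary) {
  let out = '';
  for (const p of parts) {
    out += '--' + boundary + '\r\nContent-Disposition: form-data; name="' + p.name + '"';
    if (p.filename) out += '; filename="' + p.filename + '"';
    out += '\r\n';
    if (p.contentType) out += 'Content-Type: ' + p.contentType + '\r\n';
    out += '\r\n' + p.value + '\r\n';
  }
  return out + '--' + boundary + '--\r\n';
}

// "After": only the MPFP routing flag stays in the URL; the rest of the query travels
// in the POST body as a hidden field, so it never reaches access logs or browser history.
function buildRequestAfter(jsonProxyUrl, host, query, formParts, boundary) {
  const url = jsonProxyUrl.replace('%host%', host) + '?MPFP=1';
  const parts = [{ name: HIDDEN_FIELD, value: JSON.stringify(query) }].concat(formParts);
  return { url, body: encodeMultipart(parts, boundary) };
}

// Minimal multipart/form-data parser for bodies of the shape produced above.
function parseMultipart(body, boundary) {
  const parts = [];
  for (const chunk of body.split('--' + boundary)) {
    if (!chunk.startsWith('\r\n')) continue; // preamble or the closing "--\r\n"
    const sep = chunk.indexOf('\r\n\r\n');
    const headers = chunk.slice(2, sep);
    const value = chunk.slice(sep + 4, chunk.length - 2); // drop the trailing CRLF
    const name = (/; name="([^"]*)"/.exec(headers) || [])[1];
    const filename = (/filename="([^"]*)"/.exec(headers) || [])[1];
    const contentType = (/Content-Type: ([^\r\n]+)/.exec(headers) || [])[1];
    parts.push({ name, value, filename, contentType });
  }
  return parts;
}

// Server side: extract the hidden field, validate it, then rebuild the multipart body
// without it so the remote server receives exactly the user's original form data.
function extractQueryAndForwardBody(body, boundary) {
  const parts = parseMultipart(body, boundary);
  const idx = parts.findIndex((p) => p.name === HIDDEN_FIELD);
  if (idx < 0) throw new Error('request lacks ' + HIDDEN_FIELD);
  const query = JSON.parse(parts[idx].value); // untrusted input: validate before use
  if (typeof query.st !== 'string' || query.st === '') throw new Error('missing security token');
  parts.splice(idx, 1);
  return { query, forwardBody: encodeMultipart(parts, boundary) };
}

// Constructed sample: a gadget uploading one file through the proxy.
const SAMPLE_QUERY = {
  MPFP: 1, url: 'https://remote.example/upload', httpMethod: 'POST',
  headers: '', authz: 'signed', st: 'secret-token-123', contentType: 'TEXT',
  signOwner: true, signViewer: true, bypassSpecCache: '', getFullHeaders: false,
};
const SAMPLE_PARTS = [
  { name: 'title', value: 'quarterly report' },
  { name: 'upload', filename: 'report.txt', contentType: 'text/plain', value: 'hello, world' },
];
const BOUNDARY = 'boundary-7f3a9c'; // constructed; generate a random one in practice

function demo() {
  const proxy = '//%host%/gadgets/makeRequest'; // assumed jsonProxyUrl template
  const before = buildProxyUrlBefore(proxy, 'container.example', SAMPLE_QUERY);
  const after = buildRequestAfter(proxy, 'container.example', SAMPLE_QUERY, SAMPLE_PARTS, BOUNDARY);
  const server = extractQueryAndForwardBody(after.body, BOUNDARY);
  return { before, after, server };
}

console.log(JSON.stringify(demo(), null, 2));
```

Moving the token into the body only helps if the server still verifies it exactly as it did when it arrived in the query string; the JSON field is attacker-controlled input like any other form field, so `extractQueryAndForwardBody` rejects bodies that lack it or carry an empty `st` instead of falling back to defaults.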