You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/09/09 07:34:00 UTC

[jira] [Commented] (QPID-8600) [Broker-J] File path validation in management-http plugin

    [ https://issues.apache.org/jira/browse/QPID-8600?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17602177#comment-17602177 ] 

ASF GitHub Bot commented on QPID-8600:
--------------------------------------

dakirily opened a new pull request, #140:
URL: https://github.com/apache/qpid-broker-j/pull/140

   This PR addresses [QPID-8600](https://issues.apache.org/jira/browse/QPID-8600) improving file path validation in http-management-plugin




> [Broker-J] File path validation in management-http plugin
> ---------------------------------------------------------
>
>                 Key: QPID-8600
>                 URL: https://issues.apache.org/jira/browse/QPID-8600
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>    Affects Versions: qpid-java-broker-8.0.6
>            Reporter: Daniil Kirilyuk
>            Priority: Minor
>
> HTTP management plugin initiates a network connection in classes FileServlet to a third-party system using user-controlled data for resource URI. This vulnerability may be leveraged to send a request on behalf of the web server since the request will originate from the web server's internal IP address.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org