You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ofbiz.apache.org by "David E. Jones (JIRA)" <ji...@apache.org> on 2009/12/15 16:42:18 UTC

[jira] Closed: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

     [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David E. Jones closed OFBIZ-3257.
---------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk
         Assignee: David E. Jones

Thanks for the idea Patrick. I've made this little change in the trunk in SVN rev 890831.

For now I'm planning to not change this in the release branches.

> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
>                 Key: OFBIZ-3257
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Patrick Antivackis
>            Assignee: David E. Jones
>             Fix For: SVN trunk
>
>
> In the parameters map available in the context, get or post parameters can override session and application attributes.
> The way to create the parameters map is the following in UtilHttp.getCombinedMap :
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getParameterMap(request));                   // parameters override session
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> I understand that session can override application attributes, but I dont understand why Parameters can override them.
> For example if you try the following :
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters.
> I propose to do the following instead :
>         combinedMap.putAll(getParameterMap(request));                   // parameters shouldn't override anything
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> What do you think ?
> [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.