Posted to dev@ofbiz.apache.org by "Patrick Antivackis (JIRA)" <ji...@apache.org> on 2009/11/24 23:04:39 UTC

[jira] Created: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Security concern in the way to populate parameters map in the context
---------------------------------------------------------------------

                 Key: OFBIZ-3257
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk
            Reporter: Patrick Antivackis


In the parameters map available in the context, get or post parameters can override session and application attributes.
The way to create the parameters map is the following in UtilHttp.getCombinedMap:

        combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
        combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
        combinedMap.putAll(getParameterMap(request));                   // parameters override session
        combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all

I understand that session can override application attributes, but I don't understand why parameters can override them.

For example, if you try the following:
https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml

You will be surprised. This also means that whatever personal configuration parameters you put in the web.xml can be overridden by get or post parameters.

I propose to do the following instead:

        combinedMap.putAll(getParameterMap(request));                   // parameters shouldn't override anything
        combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
        combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
        combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all

What do you think?

[from the dev list: http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782992#action_12782992 ] 

Jacques Le Roux commented on OFBIZ-3257:
----------------------------------------

So +1 for me too



[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Posted by "Patrick Antivackis (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12783053#action_12783053 ] 

Patrick Antivackis commented on OFBIZ-3257:
-------------------------------------------

Also, parameters is the only way that I am aware of to easily get access to web.xml attributes in the screen context.
Meaning that if you have an application that populates an "ownerParty" in the context through a screen.xml, based on a web.xml attribute, something like:

        <actions>
            <entity-one value-field="ownerParty" entity-name="Party" auto-field-map="false">
                <field-map field-name="partyId" from-field="parameters.ownerPartyId"/>
            </entity-one>
        </actions>

with ownerPartyId coming from the web.xml.
So if request params override servlet context params, we cannot rely on the previous action.

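To make the precedence change concrete, here is an added illustration (not OFBiz code) that models the four layers UtilHttp.getCombinedMap() merges as plain Java Maps, so it runs without the servlet API, and performs the merge in both the original and the proposed order. It covers the mainDecoratorLocation case from the issue description and the web.xml-sourced ownerPartyId case from the comment above; every attribute name and value in the maps is constructed sample data.

```java
import java.util.HashMap;
import java.util.Map;
/*
 * Added illustration, not OFBiz code: the four layers that UtilHttp.getCombinedMap()
 * merges with putAll(), modelled as plain Maps so it runs without the servlet API.
 * Every attribute name and value below is constructed sample data.
 */
public class CombinedMapPrecedence {

    /** Merge order before the fix: request parameters override session and application. */
    static Map<String, Object> combineOld(Map<String, Object> app, Map<String, Object> session,
                                          Map<String, Object> params, Map<String, Object> attrs) {
        Map<String, Object> combined = new HashMap<>();
        combined.putAll(app);      // bottom level application (ServletContext / web.xml) attributes
        combined.putAll(session);  // session overrides application
        combined.putAll(params);   // parameters override session: the reported problem
        combined.putAll(attrs);    // request attributes trump them all
        return combined;
    }

    /** Proposed merge order: parameters go in first, so every internal layer shadows them. */
    static Map<String, Object> combineNew(Map<String, Object> app, Map<String, Object> session,
                                          Map<String, Object> params, Map<String, Object> attrs) {
        Map<String, Object> combined = new HashMap<>();
        combined.putAll(params);   // parameters shouldn't override anything
        combined.putAll(app);
        combined.putAll(session);
        combined.putAll(attrs);
        return combined;
    }

    public static void main(String[] args) {
        Map<String, Object> app = new HashMap<>();       // web.xml context-params (constructed)
        app.put("mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml");
        app.put("ownerPartyId", "Company");
        Map<String, Object> session = new HashMap<>();   // HttpSession attributes
        session.put("requestScoped", "SessionValue");
        Map<String, Object> params = new HashMap<>();    // untrusted GET/POST parameters
        params.put("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        params.put("ownerPartyId", "ClientSupplied");
        params.put("requestScoped", "ClientSupplied");
        params.put("unconfiguredName", "ClientSupplied");
        Map<String, Object> attrs = new HashMap<>();     // request attributes set by events
        attrs.put("requestScoped", "AttributeValue");

        Map<String, Object> before = combineOld(app, session, params, attrs);
        Map<String, Object> after = combineNew(app, session, params, attrs);
        // Before the fix the query string replaces both web.xml values; after it they survive.
        System.out.println("mainDecoratorLocation: " + before.get("mainDecoratorLocation")
                + " -> " + after.get("mainDecoratorLocation"));
        System.out.println("ownerPartyId: " + before.get("ownerPartyId")
                + " -> " + after.get("ownerPartyId"));
        // Unchanged by the fix: request attributes still win over parameters and session.
        System.out.println("requestScoped: " + before.get("requestScoped")
                + " -> " + after.get("requestScoped"));
        // Caveat: a name that no internal layer sets still comes straight from the client.
        System.out.println("unconfiguredName: " + after.get("unconfiguredName"));
    }
}
```

The last line shows the limit of the reorder: it only protects names that some internal layer actually sets, so code that is sensitive to a value should still read it from the ServletContext or session directly rather than from the parameters map.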


[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Posted by "Jacques Le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782983#action_12782983 ] 

Jacques Le Roux commented on OFBIZ-3257:
----------------------------------------

What Patrick proposes looks sound to me. But would this not have side-effects? I mean, is parameters overriding application and session never used (even if I agree it's not secure)?



[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782985#action_12782985 ] 

David E. Jones commented on OFBIZ-3257:
---------------------------------------

It could have side-effects, but nowhere that I'm aware of. Most places rely on request attributes overriding request parameters, but I don't think anything relies on request parameters overriding session attributes or application/ServletContext attributes. It doesn't seem like a logical thing to do actually, so I don't think we'll find it done anywhere.



[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782957#action_12782957 ] 

David E. Jones commented on OFBIZ-3257:
---------------------------------------

My first thought was to make sure all code sensitive to things like this just doesn't use the parameters Maps that are around so much. Like the mainDecoratorLocation probably just should use that.

On the other hand it's an interesting idea to allow any of the "internal" attributes to override the URL parameters. That changes the semantics a little bit, but may actually be a really useful change. I've mulled this over a bit now and I can't think of any major issues with it, so I like it as a solution.

If no one complains or comes up with a deal killer issue, I'd say we go for it.



[jira] Closed: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

Posted by "David E. Jones (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David E. Jones closed OFBIZ-3257.
---------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk
         Assignee: David E. Jones

Thanks for the idea Patrick. I've made this little change in the trunk in SVN rev 890831.

For now I'm planning to not change this in the release branches.
