Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2015/11/29 14:26:10 UTC
[jira] [Updated] (OFBIZ-3257) Security concern in the way to populate parameters map in the context
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-3257:
-----------------------------------
Issue Type: Sub-task (was: Bug)
Parent: OFBIZ-1525
> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
> Key: OFBIZ-3257
> URL: https://issues.apache.org/jira/browse/OFBIZ-3257
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk
> Reporter: Patrick Antivackis
> Assignee: David E. Jones
> Fix For: Trunk
>
>
> In the parameters map available in the context, get or post parameters can override session and application attributes.
> The way to create the parameters map is the following in UtilHttp.getCombinedMap:
> combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
> combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
> combinedMap.putAll(getParameterMap(request)); // parameters override session
> combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
> I understand that session can override application attributes, but I don't understand why parameters can override them.
> For example if you try the following :
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also means that whatever personal configuration parameters you are putting in the web.xml can be overridden by get or post parameters.
> I propose to do the following instead:
> combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything
> combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
> combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
> combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
> What do you think?
> [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
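To make the precedence difference concrete, the following is an added example; it is not code from OFBiz or from the issue's author. It models the four layers that UtilHttp.getCombinedMap merges as plain maps filled with constructed sample values and applies both putAll orders quoted above. The attribute names userLogin and productId, and all the values, are assumed for illustration; the real layers come from the ServletContext, the HttpSession, the request parameters and the request attributes.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Added example, not OFBiz code: models the four layers that
 * UtilHttp.getCombinedMap merges and applies both the original and the
 * proposed putAll order to constructed sample data.
 */
public class CombinedMapOrder {

    // Constructed sample layers. In OFBiz these come from the ServletContext
    // (web.xml context-params and application attributes), the HttpSession,
    // the request parameters and the request attributes respectively.
    // The names userLogin and productId are assumed for illustration.
    static final Map<String, Object> APPLICATION = Map.of(
            "mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml");

    static final Map<String, Object> SESSION = Map.of(
            "userLogin", "admin");

    // Everything in this layer is client controlled: it is the query string or
    // POST body, e.g. ?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
    static final Map<String, Object> PARAMETERS = Map.of(
            "mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml",
            "userLogin", "attacker",
            "productId", "WG-1111");

    static final Map<String, Object> ATTRIBUTES = Map.of();

    /** Merge order as reported for UtilHttp.getCombinedMap: parameters override session and application. */
    static Map<String, Object> originalOrder() {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(APPLICATION); // bottom level application attributes
        combined.putAll(SESSION);     // session overrides application
        combined.putAll(PARAMETERS);  // parameters override session
        combined.putAll(ATTRIBUTES);  // attributes trump them all
        return combined;
    }

    /** Merge order proposed in the issue: parameters go in first, so every other layer overrides them. */
    static Map<String, Object> proposedOrder() {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(PARAMETERS);  // parameters shouldn't override anything
        combined.putAll(APPLICATION);
        combined.putAll(SESSION);
        combined.putAll(ATTRIBUTES);
        return combined;
    }

    /** Keys whose final value came from the request parameters, i.e. what the client ended up controlling. */
    static List<String> clientControlledKeys(Map<String, Object> combined) {
        List<String> keys = new ArrayList<>();
        for (Map.Entry<String, Object> e : PARAMETERS.entrySet()) {
            if (e.getValue().equals(combined.get(e.getKey()))) {
                keys.add(e.getKey());
            }
        }
        Collections.sort(keys);
        return keys;
    }

    public static void main(String[] args) {
        System.out.println("original order: " + originalOrder());
        System.out.println("  client controlled: " + clientControlledKeys(originalOrder()));
        System.out.println("proposed order: " + proposedOrder());
        System.out.println("  client controlled: " + clientControlledKeys(proposedOrder()));
    }
}
```

Compile and run with `javac CombinedMapOrder.java && java CombinedMapOrder`. With the original order the client controls all three keys, including mainDecoratorLocation and the assumed userLogin; with the proposed order only productId, which no higher layer defines, reaches the context from the request. The flip side of the proposed order is visible in the same output: a session or application attribute that happens to share a name with a legitimate form field now silently shadows the submitted value, so the names used in each layer have to stay disjoint for the reordering to be safe.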