Posted to dev@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2015/11/29 14:26:10 UTC

[jira] [Updated] (OFBIZ-3257) Security concern in the way to populate parameters map in the context

     [ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux updated OFBIZ-3257:
-----------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: OFBIZ-1525

> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
>                 Key: OFBIZ-3257
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Patrick Antivackis
>            Assignee: David E. Jones
>             Fix For: Trunk
>
>
> In the parameters map available in the context, get or post parameters can override session and application attributes.
> The way to create the parameters map is the following in UtilHttp.getCombinedMap:
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getParameterMap(request));                   // parameters override session
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> I understand that session can override application attributes, but I don't understand why parameters can override them.
> For example, if you try the following:
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also means that whatever personal configuration parameters you are putting in the web.xml, they can be overridden by get or post parameters.
> I propose to do the following instead:
>         combinedMap.putAll(getParameterMap(request));                   // parameters shouldn't override anything
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> What do you think?
> [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
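To make the precedence difference concrete, here is an added stand-alone Java sketch (not OFBiz's own UtilHttp code) that mimics the two putAll orderings from the issue with constructed sample maps; the webtools decorator path, the session userLogin and the productId value are made-up sample data.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

// Constructed stand-ins for the sources merged by UtilHttp.getCombinedMap (not OFBiz code).
public class ParameterPrecedenceDemo {

    static Map<String, Object> servletContextMap() {
        Map<String, Object> m = new HashMap<>();
        m.put("mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml"); // sample web.xml value
        return m;
    }

    static Map<String, Object> sessionMap() {
        Map<String, Object> m = new HashMap<>();
        m.put("userLogin", "admin"); // sample session attribute
        return m;
    }

    static Map<String, Object> parameterMap() {
        Map<String, Object> m = new HashMap<>();
        // Same name as the context attribute, sent as a GET parameter (the URL quoted in the issue).
        m.put("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        m.put("productId", "WG-1111"); // an ordinary request parameter
        return m;
    }

    // Order described in the issue: each putAll overwrites earlier entries, so parameters win.
    static Map<String, Object> combinedCurrent() {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(servletContextMap());
        combined.putAll(sessionMap());
        combined.putAll(parameterMap());
        return combined;
    }

    // Order proposed in the issue: parameters first, so a context or session attribute of the same name wins.
    static Map<String, Object> combinedProposed() {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(parameterMap());
        combined.putAll(servletContextMap());
        combined.putAll(sessionMap());
        return combined;
    }

    public static void main(String[] args) {
        System.out.println("current : " + combinedCurrent().get("mainDecoratorLocation"));
        System.out.println("proposed: " + combinedProposed().get("mainDecoratorLocation"));
        System.out.println("proposed still exposes productId: " + combinedProposed().get("productId"));
    }
}
```

Running it shows the request parameter replacing the web.xml decorator location under the current order, while the proposed order keeps the application value and still exposes parameters that do not collide with any attribute.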