You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@activemq.apache.org by "Hiram Chirino (JIRA)" <ji...@apache.org> on 2012/08/27 16:46:08 UTC

[jira] [Updated] (APLO-250) add_user_header should prevent forging

     [ https://issues.apache.org/jira/browse/APLO-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Hiram Chirino updated APLO-250:
-------------------------------

      Component/s: apollo-stomp
    Fix Version/s: 1.5
         Assignee: Hiram Chirino
    
> add_user_header should prevent forging
> --------------------------------------
>
>                 Key: APLO-250
>                 URL: https://issues.apache.org/jira/browse/APLO-250
>             Project: ActiveMQ Apollo
>          Issue Type: Improvement
>          Components: apollo-stomp
>         Environment: apollo-99-trunk-20120827.123709-100
>            Reporter: Lionel Cons
>            Assignee: Hiram Chirino
>             Fix For: 1.5
>
>
> add_user_header currently adds or overwrites the specified header if the corresponding principal exists. If the principal is not present, it does nothing.
> This opens for forgeries since the sent message may contain a header with the same name and, if the principal is missing, Apollo will leave it there. By examining the message, there is no way to know if the header has been set by the sender or by Apollo.
> IMHO it would be safer for Apollo to remove the header in case the corresponding principal is not present.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira