Posted to jetspeed-dev@portals.apache.org by "Joachim Müller (JIRA)" <je...@portals.apache.org> on 2008/10/22 10:34:44 UTC

[jira] Created: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Possible security issue because pipeline can be set by the "pipeline" request parameter.
----------------------------------------------------------------------------------------

                 Key: JS2-914
                 URL: https://issues.apache.org/jira/browse/JS2-914
             Project: Jetspeed 2
          Issue Type: Bug
    Affects Versions: 2.1.2, 2.1.3, 2.2, 2.3
            Reporter: Joachim Müller
             Fix For: 2.1.2, 2.1.3, 2.2, 2.3


The pipeline to use can be set in several ways:

- Path
- request attribute
- request parameter via "pipeline" parameter in the URL 

Especially the definition via the request parameter can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.

If pipeline definition via the request parameter is not used anymore it should be removed from the code in JetspeedEngine.java. 

Otherwise it is recommendable to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.



-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org
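The allow-list check the report proposes, next to the unchecked pattern it describes and the parameter-free path-only selection that the thread eventually settled on, as an added Java illustration. This is not Jetspeed's own code: the pipeline-map entries, pipeline names, and method names are constructed assumptions, not values taken from pipeline.xml or JetspeedEngine.java.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/**
 * Illustration (not Jetspeed code) of selecting a request pipeline from an
 * untrusted "pipeline" request parameter, before and after restricting the
 * accepted values to the pipelines listed in the configured pipeline-map.
 */
public class PipelineSelection {

    // Constructed stand-in for the "pipeline-map" in pipeline.xml:
    // URL path prefix -> pipeline name. Paths and names are assumptions.
    static final Map<String, String> PIPELINE_MAP;
    static {
        Map<String, String> m = new LinkedHashMap<>();
        m.put("/portal", "jetspeed-pipeline");
        m.put("/portlet", "portlet-pipeline");
        PIPELINE_MAP = Collections.unmodifiableMap(m);
    }
    static final String DEFAULT_PIPELINE = "jetspeed-pipeline";

    // Constructed stand-in for every pipeline bean defined in the assembly,
    // including one that is deliberately not mapped to any path.
    static final Set<String> ALL_DEFINED_PIPELINES = new HashSet<>(
        Arrays.asList("jetspeed-pipeline", "portlet-pipeline", "unmapped-pipeline"));

    /** Unchecked pattern: any pipeline defined in the assembly can be selected by the caller. */
    static String resolveUnchecked(String pipelineParam, String servletPath) {
        if (pipelineParam != null && ALL_DEFINED_PIPELINES.contains(pipelineParam)) {
            return pipelineParam; // request input is trusted as-is
        }
        return resolveFromPath(servletPath);
    }

    /** Checked pattern: the parameter is honoured only if it names a pipeline-map value. */
    static String resolveChecked(String pipelineParam, String servletPath) {
        if (pipelineParam != null && PIPELINE_MAP.containsValue(pipelineParam)) {
            return pipelineParam;
        }
        return resolveFromPath(servletPath); // anything else falls back to the path rule
    }

    /** Path-only selection: longest matching prefix in the pipeline-map, else the default. */
    static String resolveFromPath(String servletPath) {
        String best = DEFAULT_PIPELINE;
        int bestLen = -1;
        for (Map.Entry<String, String> e : PIPELINE_MAP.entrySet()) {
            String prefix = e.getKey();
            if (servletPath != null && servletPath.startsWith(prefix) && prefix.length() > bestLen) {
                best = e.getValue();
                bestLen = prefix.length();
            }
        }
        return best;
    }

    public static void main(String[] args) {
        String path = "/portal/default-page.psml";   // constructed request path
        String param = "unmapped-pipeline";          // constructed untrusted parameter value
        System.out.println("unchecked: " + resolveUnchecked(param, path));
        System.out.println("checked:   " + resolveChecked(param, path));
        System.out.println("path only: " + resolveFromPath(path));
    }
}
```

With the constructed inputs, only `resolveUnchecked` lets the request reach the pipeline that no path is mapped to; the checked variant and the path-only variant both stay within what pipeline.xml exposes, which is why dropping the parameter entirely is the simpler of the two fixes.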


[jira] Commented: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Posted by "David Sean Taylor (JIRA)" <je...@portals.apache.org>.
    [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12642973#action_12642973 ] 

David Sean Taylor commented on JS2-914:
---------------------------------------

2.1.2 and 2.1.3 post releases were included in the same commit

http://svn.apache.org/viewvc?view=rev&revision=708231




[jira] Updated: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Posted by "Joachim Müller (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joachim Müller updated JS2-914:
-------------------------------

    Attachment: patch.JS2-914.diff

Patch to check request parameter "pipeline" against the values of "pipeline-map" defined in assembly.



[jira] Commented: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Posted by "Joachim Müller (JIRA)" <je...@portals.apache.org>.
    [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12642971#action_12642971 ] 

Joachim Müller commented on JS2-914:
------------------------------------

I've reviewed the patch. It's perfect to drop this request parameter, since it is only used for "bad requests" :-). Thanks David.

Maybe we can commit this to the 2.1.3-POSTRELEASE branch as well?



[jira] Resolved: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Posted by "David Sean Taylor (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Sean Taylor resolved JS2-914.
-----------------------------------

    Resolution: Fixed

I decided to completely remove request parameter support. Joachim, please review. I hope my modified fix is acceptable for your needs.



[jira] Closed: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Posted by "Joachim Müller (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joachim Müller closed JS2-914.
------------------------------


Sorry, my fault... typical Monday blindness :-)

I am closing this issue. Thanks for patching!



[jira] Assigned: (JS2-914) Possible security issue because pipeline can be set by the "pipeline" request parameter.

Posted by "David Sean Taylor (JIRA)" <je...@portals.apache.org>.
     [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

David Sean Taylor reassigned JS2-914:
-------------------------------------

    Assignee: David Sean Taylor
