You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2015/12/15 17:11:46 UTC
[jira] [Updated] (KARAF-4208) Poor Error Handling: Empty Catch
Block
[ https://issues.apache.org/jira/browse/KARAF-4208?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré updated KARAF-4208:
----------------------------------------
Description:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis of the karaf source code.
The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which could cause the program to overlook unexpected states and conditions. In this case an authentication has failed and the attempt to respond to the client and let them know has also failed. The comment indicates that nothing can be done about the problem but the issue should be logged for further investigation or forensics purposes.
File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215
JaasSecurityProvider.java, lines 207-218:
{code}
207 // request authentication
208 try
209 {
210 response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
211 response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212 response.setContentLength( 0 );
213 response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217 // failed sending the response ... cannot do anything about it
218 }
{code}
was:
HP Fortify SCA and SciTools Understand were used to perform an application security analysis of the karaf source code.
The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which could cause the program to overlook unexpected states and conditions. In this case an authentication has failed and the attempt to respond to the client and let them know has also failed. The comment indicates that nothing can be done about the problem but the issue should be logged for further investigation or forensics purposes.
File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
Line: 215
JaasSecurityProvider.java, lines 207-218:
207 // request authentication
208 try
209 {
210 response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
211 response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
212 response.setContentLength( 0 );
213 response.flushBuffer();
214 }
215 catch ( IOException ioe )
216 {
217 // failed sending the response ... cannot do anything about it
218 }
> Poor Error Handling: Empty Catch Block
> --------------------------------------
>
> Key: KARAF-4208
> URL: https://issues.apache.org/jira/browse/KARAF-4208
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>
> HP Fortify SCA and SciTools Understand were used to perform an application security analysis of the karaf source code.
> The method authenticate() in JaasSecurityProvider.java ignores an exception on line 215, which could cause the program to overlook unexpected states and conditions. In this case an authentication has failed and the attempt to respond to the client and let them know has also failed. The comment indicates that nothing can be done about the problem but the issue should be logged for further investigation or forensics purposes.
> File: webconsole/console/src/main/java/org/apache/felix/webconsole/internal/servlet/JaasSecurityProvider.java
> Line: 215
> JaasSecurityProvider.java, lines 207-218:
> {code}
> 207 // request authentication
> 208 try
> 209 {
> 210 response.setHeader( HEADER_WWW_AUTHENTICATE, AUTHENTICATION_SCHEME_BASIC + " realm=\"" + this.realm + "\"" );
> 211 response.setStatus( HttpServletResponse.SC_UNAUTHORIZED );
> 212 response.setContentLength( 0 );
> 213 response.flushBuffer();
> 214 }
> 215 catch ( IOException ioe )
> 216 {
> 217 // failed sending the response ... cannot do anything about it
> 218 }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)