You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org> on 2011/10/03 11:04:41 UTC
[jira] [Closed] (WSS-70) WSHandler checkReceiverResults causes
security problem
[ https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed WSS-70.
----------------------------------
> WSHandler checkReceiverResults causes security problem
> ------------------------------------------------------
>
> Key: WSS-70
> URL: https://issues.apache.org/jira/browse/WSS-70
> Project: WSS4J
> Issue Type: Bug
> Reporter: Gürkan Vural
> Assignee: Fred Dushin
> Priority: Critical
> Fix For: 1.5.4
>
> Attachments: wss4j_actions.patch
>
>
> In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
> which also checks the size of actions. However this part is moved in
> WSS4J 1.5 to WSHandler.java using checkReceiverResults function and
> action size check is commented out. However the checking for loop is
> controled against the size of actions received in the SOAP message. This
> cause a security problem when an empty security header is sent. It omits
> the for loop and throws no exception!
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org