You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ws.apache.org by "Colm O hEigeartaigh (Closed) (JIRA)" <ji...@apache.org> on 2011/10/03 11:04:41 UTC

[jira] [Closed] (WSS-70) WSHandler checkReceiverResults causes security problem

     [ https://issues.apache.org/jira/browse/WSS-70?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed WSS-70.
----------------------------------

    
> WSHandler checkReceiverResults causes security problem
> ------------------------------------------------------
>
>                 Key: WSS-70
>                 URL: https://issues.apache.org/jira/browse/WSS-70
>             Project: WSS4J
>          Issue Type: Bug
>            Reporter: Gürkan Vural
>            Assignee: Fred Dushin
>            Priority: Critical
>             Fix For: 1.5.4
>
>         Attachments: wss4j_actions.patch
>
>
> In WSS4J 1.1.0 in WSDoAllReceiver there is a check of security actions
> which also checks the size of actions. However this part is moved in
> WSS4J 1.5 to WSHandler.java using checkReceiverResults function and
> action size check is commented out. However the checking for loop is
> controled against the size of actions received in the SOAP message. This
> cause a security problem when an empty security header is sent. It omits
> the for loop and throws no exception!

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@ws.apache.org
For additional commands, e-mail: dev-help@ws.apache.org