[APLO-250] add_user_header should prevent forging - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.5
Component/s: apollo-stomp
Labels:
None
Environment:
apollo-99-trunk-20120827.123709-100

Description

add_user_header currently adds or overwrites the specified header if the corresponding principal exists. If the principal is not present, it does nothing.

This opens for forgeries since the sent message may contain a header with the same name and, if the principal is missing, Apollo will leave it there. By examining the message, there is no way to know if the header has been set by the sender or by Apollo.

IMHO it would be safer for Apollo to remove the header in case the corresponding principal is not present.

Attachments

Activity

People

Assignee:: Hiram R. Chirino

Reporter:: Lionel Cons

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 27/Aug/12 13:47

Updated:: 27/Aug/12 14:46

Resolved:: 27/Aug/12 14:46