Jetspeed 2 / JS2-914

Possible security issue because pipeline can be set by the "pipeline" request parameter.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
    • Fix Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
    • Component/s: None
    • Labels:
      None

      Description

      The pipeline to use can be set in several ways:

      • Path
      • request attribute
      • request parameter via "pipeline" parameter in the URL

      Especially the definition via the request parameter can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.

      If pipeline definition via the request parameter is not used anymore, it should be removed from the code in JetspeedEngine.java.

      Otherwise it is recommendable to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.

      1. patch.JS2-914.diff
        1 kB
        Joachim Müller
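
The check proposed in the description, sketched as an added example (not the attached patch and not Jetspeed's own code): a client-supplied "pipeline" parameter is honoured only when it names a pipeline that appears as a value in the "pipeline-map". The class and method names, the sample map entries, the trust placed in the request attribute, and the fall-back to path lookup on a rejected parameter are assumptions of this example.

```java
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

/** Illustration only: hypothetical class, not Jetspeed's JetspeedEngine code. */
public class PipelineResolver {
    private final Map<String, String> pipelineMap;   // servlet path -> pipeline name
    private final Set<String> mappedPipelines;       // names reachable through the map
    private final String defaultPipeline;

    public PipelineResolver(Map<String, String> pipelineMap, String defaultPipeline) {
        this.pipelineMap = new LinkedHashMap<>(pipelineMap);
        this.mappedPipelines = new HashSet<>(pipelineMap.values());
        this.defaultPipeline = defaultPipeline;
    }

    /**
     * @param path       servlet path of the request
     * @param attribute  pipeline name set server-side as a request attribute, or null
     * @param parameter  client-supplied "pipeline" request parameter, or null
     */
    public String resolve(String path, String attribute, String parameter) {
        if (attribute != null) {
            return attribute;                 // set by server code, not by the client
        }
        if (parameter != null && mappedPipelines.contains(parameter)) {
            return parameter;                 // client value, accepted only if mapped
        }
        // Unmapped or absent parameter: ignore it and select by path (assumed policy).
        return pipelineMap.getOrDefault(path, defaultPipeline);
    }

    public static void main(String[] args) {
        Map<String, String> map = new LinkedHashMap<>();   // constructed sample values
        map.put("/portal", "portal-pipeline");
        map.put("/portlet", "portlet-pipeline");
        PipelineResolver r = new PipelineResolver(map, "portal-pipeline");

        // A mapped name in the parameter is honoured.
        System.out.println(r.resolve("/portal", null, "portlet-pipeline"));
        // A pipeline defined elsewhere but absent from the map is not selectable.
        System.out.println(r.resolve("/portal", null, "internal-pipeline"));
        // No parameter: plain path lookup.
        System.out.println(r.resolve("/portlet", null, null));
    }
}
```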


          People

          • Assignee:
            David Sean Taylor
            Reporter:
            Joachim Müller