The pipeline to use can be set in several ways:
- request attribute
- request parameter via "pipeline" parameter in the URL
Especially the definition via the request parameter can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.
If pipeline definition via the request parameter is not used anymore it should be removed from the code in JetspeedEngine.java.
Otherwise it is recommendable to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.