Jetspeed 2: JS2-914

Possible security issue because the pipeline can be set by the "pipeline" request parameter.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
    • Fix Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
    • Component/s: None
    • Labels:
      None

      Description

      The pipeline to use can be set in several ways:

      • path
      • request attribute
      • request parameter, via the "pipeline" parameter in the URL

      The definition via the request parameter in particular can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every pipeline defined in pipeline.xml can be triggered by setting the "pipeline" request parameter.

      If pipeline definition via the request parameter is not used anymore, it should be removed from the code in JetspeedEngine.java.

      Otherwise it is recommended to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.
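The selection logic described above, with the unchecked parameter handling beside the checked variant, as an added illustration; this is not Jetspeed code and not the reporter's patch. The class and field names, the two maps standing in for pipeline.xml (the set of defined pipelines and the pipeline-map of path prefixes to pipeline names), the request attribute name, the pipeline names and the precedence order (parameter over attribute over path) are all assumptions made for the example.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example for JS2-914; not Jetspeed code. The names, the two maps that
 * stand in for pipeline.xml, and the precedence order are all assumptions.
 */
public class PipelineSelectionExample {

    /** Request parameter named in the issue. */
    static final String PIPELINE_PARAM = "pipeline";
    /** Hypothetical request attribute name (the real one is not given in the issue). */
    static final String PIPELINE_ATTR = "example.pipeline";

    /** Every pipeline defined in pipeline.xml (hypothetical names and descriptions). */
    static final Map<String, String> PIPELINES = new LinkedHashMap<>();
    /** The pipeline-map: URL path prefix -> pipeline name (hypothetical entries). */
    static final Map<String, String> PIPELINE_MAP = new LinkedHashMap<>();

    static {
        PIPELINES.put("jetspeed-pipeline", "normal portal rendering");
        PIPELINES.put("desktop-pipeline", "desktop rendering");
        PIPELINES.put("internal-pipeline", "defined, but deliberately absent from the pipeline-map");
        PIPELINE_MAP.put("/portal", "jetspeed-pipeline");
        PIPELINE_MAP.put("/desktop", "desktop-pipeline");
    }

    /** Minimal stand-in for the servlet request. */
    static final class Request {
        final String path;
        final Map<String, Object> attributes;   // set by server-side code
        final Map<String, String> parameters;   // supplied by the client

        Request(String path, Map<String, Object> attributes, Map<String, String> parameters) {
            this.path = path;
            this.attributes = attributes;
            this.parameters = parameters;
        }
    }

    /** Path-based selection: the first pipeline-map entry whose prefix matches the path. */
    static String pipelineForPath(String path) {
        for (Map.Entry<String, String> e : PIPELINE_MAP.entrySet()) {
            if (path.startsWith(e.getKey())) {
                return e.getValue();
            }
        }
        return null;
    }

    /**
     * Before: the "pipeline" parameter is honoured as long as it names any pipeline
     * defined in pipeline.xml, so a client can reach pipelines the pipeline-map never exposes.
     * Precedence (parameter over attribute over path) is assumed for this example.
     */
    static String selectPipelineUnchecked(Request req) {
        String param = req.parameters.get(PIPELINE_PARAM);
        if (param != null && PIPELINES.containsKey(param)) {
            return param;
        }
        Object attr = req.attributes.get(PIPELINE_ATTR);
        if (attr instanceof String) {
            return (String) attr;
        }
        return pipelineForPath(req.path);
    }

    /**
     * After: the client-supplied name is accepted only if it is one of the values of the
     * pipeline-map; anything else falls through to the server-controlled sources.
     */
    static String selectPipelineChecked(Request req) {
        String param = req.parameters.get(PIPELINE_PARAM);
        if (param != null && PIPELINE_MAP.containsValue(param)) {
            return param;
        }
        Object attr = req.attributes.get(PIPELINE_ATTR);
        if (attr instanceof String) {
            return (String) attr;
        }
        return pipelineForPath(req.path);
    }

    public static void main(String[] args) {
        // Constructed request: ordinary portal path, but the client asks for the internal pipeline.
        Request req = new Request("/portal/default-page.psml",
                Collections.<String, Object>emptyMap(),
                Collections.singletonMap(PIPELINE_PARAM, "internal-pipeline"));

        System.out.println("unchecked -> " + selectPipelineUnchecked(req));
        System.out.println("checked   -> " + selectPipelineChecked(req));
    }
}
```

Only the request parameter needs the check: the path is resolved through the pipeline-map anyway, and a request attribute can only be set by server-side code, not by the client. Checking against the values of the pipeline-map (rather than against the full set of defined pipelines) is what keeps a pipeline that is defined for internal use from becoming reachable by URL; removing the parameter handling from JetspeedEngine.java altogether, as suggested above, is the simpler option if nothing depends on it.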

    People

    • Assignee: David Sean Taylor (taylor)
    • Reporter: Joachim Müller (joachim_mueller)