Jetspeed 2 / JS2-914

Possible security issue because pipeline can be set by the "pipeline" request parameter.

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
    • Fix Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
    • Component/s: None
    • Labels:
      None

      Description

      The pipeline to use can be set in several ways:

      • Path
      • request attribute
      • request parameter via "pipeline" parameter in the URL

      Especially the definition via the request parameter can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.

      If pipeline definition via the request parameter is not used anymore it should be removed from the code in JetspeedEngine.java.

      Otherwise it is recommendable to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.

      1. patch.JS2-914.diff
        1 kB
        Joachim Müller
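
The two remedies discussed in this issue, shown next to the reported behaviour, as an added example that is not Jetspeed's code or the attached patch. The class, method and pipeline names and the map contents are hypothetical stand-ins for the "pipeline-map" and the pipelines defined in the assembly.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;

/** Hypothetical sketch; class, method and pipeline names are not Jetspeed's own. */
public class PipelineSelection {
    // Constructed stand-in for the "pipeline-map": request path -> pipeline name.
    static final Map<String, String> PIPELINE_MAP = new LinkedHashMap<>();
    // Constructed stand-in for every pipeline defined in the assembly, mapped or not.
    static final Map<String, String> DEFINED = new LinkedHashMap<>();
    static {
        PIPELINE_MAP.put("/portal", "jetspeed-pipeline");
        PIPELINE_MAP.put("/portlet", "portlet-pipeline");
        DEFINED.put("jetspeed-pipeline", "full portal pipeline");
        DEFINED.put("portlet-pipeline", "single portlet pipeline");
        DEFINED.put("internal-pipeline", "defined but not mapped to any path");
    }

    /** Behaviour described in the report: the parameter can name any defined pipeline. */
    static Optional<String> selectUnchecked(String path, String param) {
        String name = (param != null) ? param : PIPELINE_MAP.get(path);
        return (name != null && DEFINED.containsKey(name)) ? Optional.of(name) : Optional.empty();
    }

    /** Reporter's proposal: honour the parameter only if it is a value of the pipeline-map. */
    static Optional<String> selectChecked(String path, String param) {
        if (param != null && PIPELINE_MAP.containsValue(param)) {
            return Optional.of(param);
        }
        // Unknown or unmapped names are ignored; fall back to the path mapping.
        return Optional.ofNullable(PIPELINE_MAP.get(path));
    }

    /** Resolution described in the comments: the request parameter is not consulted at all. */
    static Optional<String> selectByPathOnly(String path) {
        return Optional.ofNullable(PIPELINE_MAP.get(path));
    }

    public static void main(String[] args) {
        String path = "/portal", param = "internal-pipeline"; // constructed request
        System.out.println("unchecked: " + selectUnchecked(path, param).orElse("none"));
        System.out.println("checked:   " + selectChecked(path, param).orElse("none"));
        System.out.println("path only: " + selectByPathOnly(path).orElse("none"));
    }
}
```

Removing the parameter leaves the path as the only externally controlled selector, so the set of reachable pipelines is exactly the set of "pipeline-map" values.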

        Activity

        Joachim Müller created issue -
        Joachim Müller added a comment -

        Patch to check request parameter "pipeline" against the values of "pipeline-map" defined in assembly.

        Joachim Müller made changes -
        Field Original Value New Value
        Attachment patch.JS2-914.diff [ 12392632 ]
        David Sean Taylor made changes -
        Assignee David Sean Taylor [ taylor ]
        David Sean Taylor added a comment -

        I decided to completely remove request parameter support. Joachim, please review. I hope my modified fix is acceptable for your needs.

        David Sean Taylor made changes -
        Resolution Fixed [ 1 ]
        Status Open [ 1 ] Resolved [ 5 ]
        Joachim Müller added a comment -

        I've reviewed the patch. It's perfect to drop this request parameter, since it is only used for "bad requests". Thanks David.

        Maybe we can commit this to the 2.1.3-POSTRELEASE branch as well?

        David Sean Taylor added a comment -

        2.1.2 and 2.1.3 post releases were included in the same commit

        http://svn.apache.org/viewvc?view=rev&revision=708231

        Joachim Müller added a comment -

        Sorry, my fault... typical Monday blindness

        I am closing this issue. Thanks for patching!

        Joachim Müller made changes -
        Status Resolved [ 5 ] Closed [ 6 ]
        Transition | Time In Source Status | Execution Times | Last Executer | Last Execution Date
        Open → Resolved | 5d 7h 57m | 1 | David Sean Taylor | 27/Oct/08 16:31
        Resolved → Closed | 1h 16m | 1 | Joachim Müller | 27/Oct/08 17:47

          People

          • Assignee:
            David Sean Taylor
            Reporter:
            Joachim Müller