[JS2-914] Possible security issue because pipline can be set by the "pipeline" request parameter. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
Fix Version/s: 2.1.2, 2.1.3, 2.2.0, 2.2.1
Component/s: None
Labels:
None

Description

The pipeline to use can be set in several ways:

Path
request attribute
request parameter via "pipeline" parameter in the URL

Especially the definition via the request parameter can be a security issue, because this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.

If pipeline definition via the request parameter is not used anymore it should be removed from the code in JetspeedEngine.java.

Otherwise it is recommendable to check the request parameter against the values of the "pipeline-map". I will attach a patch for this solution.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

patch.JS2-914.diff
22/Oct/08 08:36
1 kB
Joachim Müller

Activity

People

Assignee:: David Sean Taylor

Reporter:: Joachim Müller

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 22/Oct/08 08:33

Updated:: 27/Oct/08 17:47

Resolved:: 27/Oct/08 16:31