OFBiz / OFBIZ-1525 Issue to group security concerns / OFBIZ-3257

Security concern in the way to populate parameters map in the context


    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: Trunk
    • Component/s: framework
    • Labels:
      None
    • Sprint:
      Bug Crush Event - 21/2/2015

      Description

      In the parameters map available in the context, get or post parameters can override session and application attributes.
      The way to create the parameters map is the following in UtilHttp.getCombinedMap:

      combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
      combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
      combinedMap.putAll(getParameterMap(request)); // parameters override session
      combinedMap.putAll(getAttributeMap(request)); // attributes trump them all

      I understand that session can override application attributes, but I don't understand why parameters can override them.

      For example, if you try the following:
      https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml

      You will be surprised. This also means that whatever personal configuration parameters you are putting in the web.xml, they can be overridden by get or post parameters.

      I propose to do the following instead:

      combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything
      combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
      combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
      combinedMap.putAll(getAttributeMap(request)); // attributes trump them all

      What do you think?

      [from the dev list: http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]
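The precedence difference the report describes, as an added stand-alone Java sketch (not OFBiz's UtilHttp code): the four layers are modelled as plain Maps instead of being read from an HttpServletRequest, the web.xml value for mainDecoratorLocation is a constructed sample, and shadowedKeys is a hypothetical audit helper that lists which application or session keys a request parameter could override under the original order.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

public class CombinedMapOrder {
    // Original UtilHttp.getCombinedMap order: request parameters override
    // ServletContext (web.xml) and session attributes.
    static Map<String, Object> originalOrder(Map<String, Object> application, Map<String, Object> session,
            Map<String, Object> parameters, Map<String, Object> attributes) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(application); // bottom level application attributes
        combined.putAll(session);     // session overrides application
        combined.putAll(parameters);  // parameters override session
        combined.putAll(attributes);  // attributes trump them all
        return combined;
    }
    // Proposed order: parameters go in first, so every server-side layer wins over them.
    static Map<String, Object> proposedOrder(Map<String, Object> application, Map<String, Object> session,
            Map<String, Object> parameters, Map<String, Object> attributes) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(parameters);  // parameters shouldn't override anything
        combined.putAll(application);
        combined.putAll(session);
        combined.putAll(attributes);
        return combined;
    }
    // Hypothetical audit helper (not in OFBiz): parameter names colliding with an
    // application or session key, i.e. values a client could override under the original order.
    static Set<String> shadowedKeys(Map<String, Object> application, Map<String, Object> session,
            Map<String, Object> parameters) {
        Set<String> shadowed = new LinkedHashSet<>();
        for (String name : parameters.keySet()) {
            if (application.containsKey(name) || session.containsKey(name)) {
                shadowed.add(name);
            }
        }
        return shadowed;
    }
    public static void main(String[] args) {
        // Constructed sample data: a web.xml context-param and a request parameter of the same name.
        Map<String, Object> application = Map.of("mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml");
        Map<String, Object> session = Map.of();
        Map<String, Object> parameters = Map.of("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        Map<String, Object> attributes = Map.of();
        System.out.println("original: " + originalOrder(application, session, parameters, attributes).get("mainDecoratorLocation"));
        System.out.println("proposed: " + proposedOrder(application, session, parameters, attributes).get("mainDecoratorLocation"));
        System.out.println("client-overridable: " + shadowedKeys(application, session, parameters));
    }
}
```

With the original order the client-supplied ecommerce location wins; with the proposed order the web.xml value is kept, and shadowedKeys reports mainDecoratorLocation as the key at risk.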

            People

            • Assignee: jonesde David E. Jones
            • Reporter: patrick.antivackis Patrick Antivackis