  1. Apache Roller
  2. ROL-1956

ValidateSaltFilter not working on file upload

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.1.0
    • Fix Version/s: 5.1.0
    • Component/s: None
    • Labels:
      None
    • Environment:
      java version "1.7.0_03"
      OpenJDK Runtime Environment (IcedTea7 2.1.3) (7u3-2.1.3-1)
      OpenJDK 64-Bit Server VM (build 22.0-b10, mixed mode)

      tomcat7 7.0.28-3+nmu1
    • Browser Version:
      Tested with Firefox and Chrome
    • JDK Version:
      1.7.0_03
    • O/S Version:
      Debian GNU/Linux testing

      Description

      When I try to upload a media file to Roller, I get a Security Violation thrown in org.apache.roller.weblogger.ui.core.filters.ValidateSaltFilter

      Debugging the problem, I can see that the salt is sent in the HTTP POST request to http://example.com/roller-ui/authoring/mediaFileAdd!save.rol - but the call to (String) httpReq.getParameter("salt") in ValidateSaltFilter.doFilter does return null.

      I guess that this is what http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html describes for the getParameter() method when it talks about the following:

      If the parameter data was sent in the request body, such as occurs with an HTTP POST request, then reading the body directly via getInputStream() or getReader() can interfere with the execution of this method.
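
The symptom in the description, reproduced outside a servlet container as an added example (not part of the original report and not Roller code): a file-upload form posts `multipart/form-data`, and a lookup that only understands `application/x-www-form-urlencoded` bodies finds no `salt` in it even though the field is on the wire. The boundary, salt value, file field name and helper function names are constructed for illustration.

```python
from email.parser import BytesParser
from email.policy import default
from hmac import compare_digest
from urllib.parse import parse_qs

BOUNDARY = "constructed-boundary-7f3a"  # constructed sample values throughout
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="salt"\r\n\r\n'
    "Zx81constructedSalt\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="uploadedFiles"; filename="a.png"\r\n'
    "Content-Type: image/png\r\n\r\n"
    "not-a-real-image\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("ascii")


def urlencoded_field(body, name):
    """Look the field up as if the body were application/x-www-form-urlencoded."""
    values = parse_qs(body.decode("latin-1")).get(name)
    return values[0] if values else None


def multipart_field(content_type, body, name):
    """Return a non-file form field from a multipart/form-data body, or None."""
    head = f"Content-Type: {content_type}\r\nMIME-Version: 1.0\r\n\r\n"
    msg = BytesParser(policy=default).parsebytes(head.encode("ascii") + body)
    for part in msg.iter_parts():
        field = part.get_param("name", header="content-disposition")
        if field == name and part.get_filename() is None:
            return part.get_content().rstrip("\r\n")
    return None


def salt_is_valid(submitted, expected):
    """Fail closed when the salt was not found; otherwise constant-time compare."""
    if submitted is None:
        return False
    return compare_digest(submitted.encode(), expected.encode())


if __name__ == "__main__":
    print("urlencoded lookup:", urlencoded_field(BODY, "salt"))
    print("multipart lookup: ", multipart_field(CONTENT_TYPE, BODY, "salt"))
```

A salt check that fails closed, as `salt_is_valid` does, rejects every upload until the lookup is made multipart-aware, which matches the rejection the reporter observed.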

            People

            • Assignee:
              ghuber Greg Huber
              Reporter:
              mawis Matthias Wimmer