[SHINDIG-1945] OAuth authorize.jsp handles form submission results incorrectly - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.5.0-update1
Fix Version/s: 2.5.1
Component/s: Java
Labels:
None

Description

Found while reading through the sources: authorize.jsp is used for presenting a user with a dialog whether he wants to authorize an OAuth client for accessing his content.

The dialog form contains two 'submit' buttons, both named 'Authorize', one giving the value 'Authorize', the other giving the value 'Deny'.

The JSP however doesn't check for the specific value, but instead checks whether the request contains any value for either the 'Authorize' or 'Deny' parameter. There is no input named 'Deny', and the 'Authorize' parameter will be set to non-null for both 'Authorize' and 'Deny' answers of the user.

See attached patch.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SHINDIG-xxxx-oauth-authorize.jsp-broken.diff
23/Oct/13 09:44
1 kB
Andreas Kohn

Activity

People

Assignee:: Unassigned

Reporter:: Andreas Kohn

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 23/Oct/13 09:43

Updated:: 13/Nov/13 00:47

Resolved:: 13/Nov/13 00:47