portals-jetspeed-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Sean Taylor (JIRA)" <jetspeed-...@portals.apache.org>
Subject [jira] Assigned: (JS2-914) Possible security issue because pipline can be set by the "pipeline" request parameter.
Date Fri, 24 Oct 2008 23:55:46 GMT

     [ https://issues.apache.org/jira/browse/JS2-914?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

David Sean Taylor reassigned JS2-914:

    Assignee: David Sean Taylor

> Possible security issue because pipline can be set by the "pipeline" request parameter.
> ---------------------------------------------------------------------------------------
>                 Key: JS2-914
>                 URL: https://issues.apache.org/jira/browse/JS2-914
>             Project: Jetspeed 2
>          Issue Type: Bug
>    Affects Versions: 2.1.2, 2.1.3, 2.2, 2.3
>            Reporter: Joachim Müller
>            Assignee: David Sean Taylor
>             Fix For: 2.1.2, 2.1.3, 2.2, 2.3
>         Attachments: patch.JS2-914.diff
> The pipeline to use can be set in several ways:
> - Path
> - request attribute
> - request parameter via "pipeline" parameter in the URL 
> Especially the definition via the request parameter can be a security issue, because
this parameter is not checked against the "pipeline-map" defined in pipeline.xml. Thus every
defined pipeline in pipeline.xml can be triggered by setting the pipeline request parameter.
> If pipeline definition via the request parameter is not used anymore it should be removed
from the code in JetspeedEngine.java. 
> Otherwise it is recommendable to check the request parameter against the values of the
"pipeline-map". I will attach a patch for this solution.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

To unsubscribe, e-mail: jetspeed-dev-unsubscribe@portals.apache.org
For additional commands, e-mail: jetspeed-dev-help@portals.apache.org

View raw message