[ https://issues.apache.org/jira/browse/APLO-250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hiram Chirino resolved APLO-250.
--------------------------------
Resolution: Fixed
The header will now always be updated to avoid forging. The fix is in the following
build:
https://builds.apache.org/job/ActiveMQ-Apollo-Deploy/291/console
> add_user_header should prevent forging
> --------------------------------------
>
> Key: APLO-250
> URL: https://issues.apache.org/jira/browse/APLO-250
> Project: ActiveMQ Apollo
> Issue Type: Improvement
> Components: apollo-stomp
> Environment: apollo-99-trunk-20120827.123709-100
> Reporter: Lionel Cons
> Assignee: Hiram Chirino
> Fix For: 1.5
>
>
> add_user_header currently adds or overwrites the specified header if the
> corresponding principal exists. If the principal is not present, it does
> nothing.
> This opens the door to forgeries, since the sent message may contain a header
> with the same name and, if the principal is missing, Apollo will leave it there.
> By examining the message, there is no way to know whether the header was set by
> the sender or by Apollo.
> IMHO it would be safer for Apollo to remove the header in case the
> corresponding principal is not present.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
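The two behaviours discussed in this issue, side by side, as an added example that is not Apollo's own code: a minimal STOMP 1.2 frame parser, the `add_user_header` semantics the reporter describes (set or overwrite only when a principal exists) and the resolved semantics (always update, i.e. strip every client-supplied copy and add the broker's value only when a principal is present). The frame, the header name `user-id`, the principal names and the helper names are all constructed for the illustration; the parser assumes `\n` line endings and a NUL-terminated body.

```python
"""Added example (not ActiveMQ Apollo's code): STOMP frame parsing plus the
vulnerable and fixed add_user_header behaviours described in APLO-250."""
import re
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]  # ordered (name, value) pairs; duplicates kept

# STOMP 1.2 header-value escapes used by every frame except CONNECT/CONNECTED.
_UNESCAPE = {"\\n": "\n", "\\r": "\r", "\\c": ":", "\\\\": "\\"}


def _unescape(value: str) -> str:
    return re.sub(r"\\[nrc\\]", lambda m: _UNESCAPE[m.group(0)], value)


def parse_frame(raw: bytes) -> Tuple[str, Headers, bytes]:
    """Split a NUL-terminated STOMP frame into (command, headers, body).
    Assumes '\\n' line endings; a blank line ends the header block."""
    head, sep, body = raw.partition(b"\n\n")
    if not sep or not body.endswith(b"\x00"):
        raise ValueError("malformed frame: missing header terminator or NUL")
    lines = head.decode("utf-8").split("\n")
    command, headers = lines[0], []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, _unescape(value)))
    return command, headers, body[:-1]


def lookup(headers: Headers, name: str) -> Optional[str]:
    """STOMP 1.2: when a header repeats, the first occurrence wins."""
    return next((v for n, v in headers if n == name), None)


def add_user_header_vulnerable(headers: Headers, name: str,
                               principal: Optional[str]) -> Headers:
    """Behaviour reported in APLO-250: add or overwrite the header only when a
    principal exists; with no principal, whatever the client sent survives."""
    if principal is None:
        return list(headers)
    out = [(n, principal if n == name else v) for n, v in headers]
    if lookup(out, name) is None:
        out.append((name, principal))
    return out


def add_user_header_fixed(headers: Headers, name: str,
                          principal: Optional[str]) -> Headers:
    """Resolved behaviour: the header is always updated. Every client-supplied
    copy is removed first, so a consumer can trust that a present header came
    from the broker and an absent one means 'no authenticated principal'."""
    out = [(n, v) for n, v in headers if n != name]
    if principal is not None:
        out.append((name, principal))
    return out


# Constructed frame: an unauthenticated client forges the user-id header.
FORGED_SEND = (b"SEND\n"
               b"destination:/queue/orders\n"
               b"user-id:admin\n"
               b"content-type:text/plain\n"
               b"\n"
               b"cancel order 42\x00")


def process(raw: bytes, principal: Optional[str], fixed: bool) -> Optional[str]:
    """Run one inbound frame through the chosen add_user_header variant and
    return the user-id a downstream consumer would see."""
    _command, headers, _body = parse_frame(raw)
    fn = add_user_header_fixed if fixed else add_user_header_vulnerable
    return lookup(fn(headers, "user-id", principal), "user-id")


if __name__ == "__main__":
    for principal in (None, "alice"):
        for fixed in (False, True):
            seen = process(FORGED_SEND, principal, fixed)
            print(f"principal={principal!r:8} fixed={fixed!s:5} consumer sees user-id={seen!r}")
```

With no authenticated principal the vulnerable path delivers `user-id:admin` exactly as the client wrote it, while the fixed path delivers no `user-id` at all; with an authenticated principal both paths deliver the broker's value. The fixed variant also strips duplicate copies of the header, so a consumer that does not honour the first-occurrence rule cannot be misled either.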