[ https://issues.apache.org/jira/browse/ROL-1992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13936349#comment-13936349 ]
Glen Mazza commented on ROL-1992:
---------------------------------
Appears to be the same problem in ROL-1956 -- this is a multipart/form-data JSP
and for some reason the Salt values aren't being sent as a result. The error
message from the Tomcat localhost*.log is as follows:

SEVERE: Servlet.service() for servlet [default] in context with path [/roller] threw exception [Security Violation] with root cause
javax.servlet.ServletException: Security Violation
    at org.apache.roller.weblogger.ui.core.filters.ValidateSaltFilter.doFilter(ValidateSaltFilter.java:57)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
    at org.apache.roller.weblogger.ui.core.filters.LoadSaltFilter.doFilter(LoadSaltFilter.java:47)

Code in question in ValidateSaltFilter:

    // TODO multipart/form-data does not send parameters
    if (httpReq.getMethod().equals("POST") &&
            !isIgnoredURL(((HttpServletRequest) request).getServletPath())) {
        String salt = httpReq.getParameter("salt");
        SaltCache saltCache = SaltCache.getInstance();
        if (salt == null || saltCache.get(salt) == null
                || saltCache.get(salt).equals(false)) {
            throw new ServletException("Security Violation");
        }
    }

> Blogroll OPML import page raising 500 Security Error
> ----------------------------------------------------
>
> Key: ROL-1992
> URL: https://issues.apache.org/jira/browse/ROL-1992
> Project: Apache Roller
> Issue Type: Bug
> Components: User Interface - General
> Affects Versions: 5.1
> Reporter: Glen Mazza
> Assignee: Roller Unassigned
>
> For some reason, the Bookmark OPML import page continually raises a 500
> security violation error whether I select "import" or even "cancel". The
> other two options on the blogroll page, "Add New Folder" and "Add new
> bookmark", their cancel buttons work fine. Unsure what the problem is. The
> security.xml doesn't seem to be treating the OPML page any differently from the
> other two; one difference however is that BookmarksImport.jsp's s:form
> element has method="POST" & enctype="multipart/form-data" attributes while
> the other two omit that.
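
One way a filter like the one quoted above could find the token in a multipart/form-data POST while still rejecting requests that lack it, instead of exempting the upload URL from the check. This is an added example, not Apache Roller code or its fix: `SaltReader`, `readSalt` and `MAX_SALT_BYTES` are hypothetical names, and it assumes the container is configured to parse multipart bodies (Servlet 3.0 multipart-config) and that nothing downstream needs to re-read the raw request body.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.Part;

// Added example: SaltReader is a hypothetical helper, not Apache Roller code.
public final class SaltReader {
    // Assumed upper bound on token size; anything longer is treated as missing.
    private static final int MAX_SALT_BYTES = 128;

    private SaltReader() { }

    /** Returns the "salt" token, or null if absent; callers must reject null. */
    public static String readSalt(HttpServletRequest req) throws IOException {
        // Covers the query string and application/x-www-form-urlencoded bodies.
        String salt = req.getParameter("salt");
        if (salt != null) {
            return salt;
        }
        String type = req.getContentType();
        if (type == null
                || !type.toLowerCase(Locale.ROOT).startsWith("multipart/form-data")) {
            return null;
        }
        try {
            // Needs container multipart parsing (Servlet 3.0 multipart-config).
            Part part = req.getPart("salt");
            if (part == null || part.getSize() > MAX_SALT_BYTES) {
                return null;
            }
            byte[] buf = new byte[MAX_SALT_BYTES];
            int len = 0;
            try (InputStream in = part.getInputStream()) {
                int n;
                while (len < buf.length
                        && (n = in.read(buf, len, buf.length - len)) > 0) {
                    len += n;
                }
            }
            return new String(buf, 0, len, StandardCharsets.UTF_8);
        } catch (ServletException | IllegalStateException e) {
            // Not parseable as multipart, or no multipart-config: fail closed.
            return null;
        }
    }
}
```

A filter would call `SaltReader.readSalt(httpReq)` where it currently calls `httpReq.getParameter("salt")` and keep the existing null and cache checks, so a missing or unknown token is still rejected.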