Change By: Cheng Hu (04/Nov/14 5:23 AM)

Description:
In {{DefaultForumManager}}, line 549, we might write out user-generated content to the log file, thus allowing log forging.
{code}
try {
    final Content firstMessage = firstMsgProp.getReferencedContent();
    final NodeData validatedProp = firstMessage.getNodeData(VALIDATED_PROPERTY);
    return (!validatedProp.isExist() && showUnvalidatedMessages)
            || (validatedProp.isExist() && validatedProp.getBoolean());
} catch (RepositoryException e) {
    log.error("Couldn't check if thread[" + content + "] could to be shown: " + e.getMessage(), e);
    return false;
}
{code}
This is a bug reported in the Veracode report. It is under the category "Improper Output Neutralization for Logs (CWE ID 117)."
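An added example, not part of the original report and not Magnolia code: one way to neutralize the values concatenated into the log message above so that embedded line breaks cannot start a new log entry (CWE-117). The `neutralize` helper and the sample strings are hypothetical and constructed for illustration; it assumes the string form of `content` can carry user-controlled text.

```java
public class LogNeutralizeExample {

    /** Hypothetical helper: render CR, LF and other control characters as visible escapes. */
    static String neutralize(Object value) {
        String s = String.valueOf(value);
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '\r': out.append("\\r"); break;
                case '\n': out.append("\\n"); break;
                case '\t': out.append("\\t"); break;
                // Escape the escape character so neutralized output stays unambiguous.
                case '\\': out.append("\\\\"); break;
                default:
                    // Remaining C0/C1 controls plus the Unicode line/paragraph separators.
                    if (Character.isISOControl(c) || c == '\u2028' || c == '\u2029') {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        // Constructed input: a thread title that tries to inject a second log line.
        String content = "my thread\r\n2014-11-04 05:23:00 ERROR Login failed for admin";
        String exceptionMessage = "node not found\nINFO fake entry";

        // Same message shape as the reported log.error call, without and with neutralization.
        String unsafe = "Couldn't check if thread[" + content + "] could to be shown: "
                + exceptionMessage;
        String safe = "Couldn't check if thread[" + neutralize(content) + "] could to be shown: "
                + neutralize(exceptionMessage);

        System.out.println("unsafe message spans lines: " + unsafe.split("\r\n|\r|\n").length);
        System.out.println("safe message spans lines:   " + safe.split("\r\n|\r|\n").length);
        System.out.println(safe);
    }
}
```

The helper covers only the message string; the throwable passed as the second argument to `log.error` is rendered by the logging framework and would need to be handled in the logger's layout configuration.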