[
https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782957#action_12782957
]
David E. Jones commented on OFBIZ-3257:
---------------------------------------
My first thought was to make sure all code sensitive to things like this just
doesn't use the parameters Maps that are around so much. Like the
mainDecoratorLocation probably just should use that.
On the other hand it's an interesting idea to allow any of the "internal"
attributes to override the URL parameters. That changes the semantics a little
bit, but may actually be a really useful change. I've mulled this over a bit now
and I can't think of any major issues with it, so I like it as a solution.
If no one complains or comes up with a deal killer issue, I'd say we go for it.
> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
> Key: OFBIZ-3257
> URL: https://issues.apache.org/jira/browse/OFBIZ-3257
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Patrick Antivackis
>
> In the parameters map available in the context, get or post parameters can
> override session and application attributes.
> The way to create the parameters map is the following in
> UtilHttp.getCombinedMap:
> combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
> combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
> combinedMap.putAll(getParameterMap(request)); // parameters override session
> combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
> I understand that session can override application attributes, but I don't
> understand why Parameters can override them.
> For example if you try the following :
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also means that whatever personal configuration
> parameters you are putting in the web.xml, they can be overridden by get or
> post parameters.
> I propose to do the following instead:
> combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything
> combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
> combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
> combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
> What do you think ?
> [from the dev list :
> http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
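The precedence problem discussed above, modelled as an added example (this is not OFBiz code and not the reporter's or committer's code). Each servlet layer that UtilHttp.getCombinedMap merges is stood in for by a plain dict; the context-param value, session contents and query strings are constructed sample data. The two merge functions reproduce the original putAll order from the issue and the proposed order, so the example shows why a `mainDecoratorLocation=...` query parameter wins in the first and loses in the second, while ordinary request parameters that shadow nothing still come through in both.

```python
"""Model of map-merge precedence in a combined request context (OFBIZ-3257).

Constructed example: the dicts below stand in for the servlet-context,
session, request-parameter and request-attribute maps. Nothing here calls
OFBiz; it only reproduces the two putAll orders from the issue.
"""
from typing import Callable, Dict, Mapping
from urllib.parse import parse_qs

MergeFn = Callable[[Mapping, Mapping, Mapping, Mapping], Dict[str, str]]


def parse_query(query: str) -> Dict[str, str]:
    """Query string -> single-valued parameter map (first value per name)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def combined_map_original(context, session, parameters, attributes) -> Dict[str, str]:
    """The order from the report: later putAll wins, so parameters beat
    both the web.xml context-params and the session."""
    combined: Dict[str, str] = {}
    combined.update(context)     # bottom level application attributes
    combined.update(session)     # session overrides application
    combined.update(parameters)  # parameters override session  <-- the problem
    combined.update(attributes)  # attributes trump them all
    return combined


def combined_map_proposed(context, session, parameters, attributes) -> Dict[str, str]:
    """The proposed order: parameters go in first, so any internal layer
    that defines the same name shadows them."""
    combined: Dict[str, str] = {}
    combined.update(parameters)  # parameters shouldn't override anything
    combined.update(context)
    combined.update(session)
    combined.update(attributes)
    return combined


# Constructed sample state for one request. The decorator path is a
# placeholder value, not taken from any real web.xml.
CONTEXT = {"mainDecoratorLocation": "component://webtools/widget/CommonScreens.xml"}
SESSION = {"userLoginId": "admin"}
ATTRIBUTES = {"requestId": "r-1"}

# Query string of the kind the report describes, plus an ordinary parameter.
HOSTILE_QUERY = (
    "mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml"
    "&userLoginId=attacker&productId=WG-1111"
)


def resolve(merge: MergeFn, query: str, name: str) -> str:
    """Run one merge strategy over the sample layers and read back a name."""
    return merge(CONTEXT, SESSION, parse_query(query), ATTRIBUTES).get(name, "")


def shadowed_internals(merge: MergeFn, query: str) -> Dict[str, str]:
    """Names where the query string changed a context/session/attribute value.

    Used as a quick check of a merge order: an empty dict means request
    parameters cannot override any internal layer.
    """
    baseline = merge(CONTEXT, SESSION, {}, ATTRIBUTES)
    with_params = merge(CONTEXT, SESSION, parse_query(query), ATTRIBUTES)
    return {k: with_params[k] for k in baseline if with_params[k] != baseline[k]}


if __name__ == "__main__":
    for label, fn in (("original", combined_map_original), ("proposed", combined_map_proposed)):
        print(label, "decorator =", resolve(fn, HOSTILE_QUERY, "mainDecoratorLocation"))
        print(label, "shadowed  =", shadowed_internals(fn, HOSTILE_QUERY))
```

The check to carry over into real code is `shadowed_internals`: merge once with an empty parameter map, once with the request's parameters, and diff the keys that exist in the internal layers. With the original order it reports both the decorator location and the session's login id; with the proposed order it reports nothing, while `productId` is still readable from the combined map.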