[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782992#action_12782992 ]

Jacques Le Roux commented on OFBIZ-3257:
----------------------------------------

So +1 for me too

> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
>                 Key: OFBIZ-3257
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Patrick Antivackis
>
> In the parameters map available in the context, get or post parameters can override session and application attributes.
> The way to create the parameters map is the following in UtilHttp.getCombinedMap:
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getParameterMap(request));                   // parameters override session
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> I understand that session can override application attributes, but I don't understand why parameters can override them.
> For example, if you try the following:
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also means that whatever personal configuration parameters you are putting in the web.xml, they can be overridden by get or post parameters.
> I propose to do the following instead:
>         combinedMap.putAll(getParameterMap(request));                   // parameters shouldn't override anything
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> What do you think?
> [from the dev list: http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]
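To make the precedence difference concrete, here is an added example (not OFBiz code) that replays both putAll() orders from the issue over plain maps standing in for the servlet context, session, request parameters and request attributes; the sample values are constructed, and the class and method names are hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: plain maps stand in for the four servlet layers that
// UtilHttp.getCombinedMap merges. All sample values are constructed.
public class CombinedMapOrder {

    // Current order from the issue: request parameters are merged after the
    // servlet-context and session maps, so a GET/POST parameter with the same
    // name wins over a value the deployment configured in web.xml.
    static Map<String, Object> currentOrder(Map<String, Object> context,
            Map<String, Object> session, Map<String, Object> params,
            Map<String, Object> attributes) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(context);    // bottom level application attributes
        combined.putAll(session);    // session overrides application
        combined.putAll(params);     // parameters override session
        combined.putAll(attributes); // attributes trump them all
        return combined;
    }

    // Proposed order: parameters go in first, so every later layer
    // (context, session, attributes) overrides them and a request can no
    // longer replace a configured value.
    static Map<String, Object> proposedOrder(Map<String, Object> context,
            Map<String, Object> session, Map<String, Object> params,
            Map<String, Object> attributes) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(params);     // parameters shouldn't override anything
        combined.putAll(context);    // bottom level application attributes
        combined.putAll(session);    // session overrides application
        combined.putAll(attributes); // attributes trump them all
        return combined;
    }

    public static void main(String[] args) {
        // Constructed sample: web.xml sets the decorator location as a context
        // attribute; the request carries a parameter with the same name.
        Map<String, Object> context = new LinkedHashMap<>();
        context.put("mainDecoratorLocation", "configured-in-web.xml");
        Map<String, Object> session = new LinkedHashMap<>();
        session.put("userLogin", "session-user");
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        Map<String, Object> attributes = new LinkedHashMap<>();
        System.out.println("current:  " + currentOrder(context, session, params, attributes).get("mainDecoratorLocation"));
        System.out.println("proposed: " + proposedOrder(context, session, params, attributes).get("mainDecoratorLocation"));
    }
}
```

With the current order the printed value is the request parameter; with the proposed order it is the web.xml value, which is the behaviour the issue asks for.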

-- 
This message is automatically generated by JIRA.