[
https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12783053#action_12783053
]
Patrick Antivackis commented on OFBIZ-3257:
-------------------------------------------
Also, parameters is the only way that I am aware of to easily get access to
web.xml attributes in the screen context.
Meaning that if you have an application that populates an "ownerParty" in the
context through a screen.xml, based on a web.xml attribute, something like:
    <actions>
        <entity-one value-field="ownerParty" entity-name="Party" auto-field-map="false">
            <field-map field-name="partyId" from-field="parameters.ownerPartyId"/>
        </entity-one>
    </actions>
with ownerPartyId coming from the web.xml.
So if request params override servlet context params, we cannot rely on the
previous action.
> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
> Key: OFBIZ-3257
> URL: https://issues.apache.org/jira/browse/OFBIZ-3257
> Project: OFBiz
> Issue Type: Bug
> Components: framework
> Affects Versions: SVN trunk
> Reporter: Patrick Antivackis
>
> In the parameters map available in the context, GET or POST parameters can
> override session and application attributes.
> The way to create the parameters map is the following in UtilHttp.getCombinedMap:
>     combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>     combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
>     combinedMap.putAll(getParameterMap(request)); // parameters override session
>     combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
> I understand that session can override application attributes, but I don't
> understand why parameters can override them.
> For example if you try the following:
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also means that whatever personal configuration
> parameters you are putting in the web.xml, they can be overridden by GET or
> POST parameters.
> I propose to do the following instead:
>     combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything
>     combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>     combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application
>     combinedMap.putAll(getAttributeMap(request)); // attributes trump them all
> What do you think?
> [from the dev list:
> http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
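To make the two putAll() orders from the issue concrete, here is an added illustration (not OFBiz code) in which plain maps stand in for the servlet context, session, request parameters and request attributes; the default decorator path, the party ids and the helper shadowedKeys are constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
// Added illustration, not OFBiz code: plain maps stand in for the servlet context
// (web.xml context-params), session, request parameters and request attributes
// that UtilHttp.getCombinedMap merges. Every value below is constructed.
public class CombinedMapOrder {
    // Order as reported: parameters override session and application attributes.
    static Map<String, Object> combineReported(Map<String, Object> ctx, Map<String, Object> session,
            Map<String, Object> params, Map<String, Object> attrs) {
        Map<String, Object> combined = new HashMap<>();
        combined.putAll(ctx);     // bottom level application attributes
        combined.putAll(session); // session overrides application
        combined.putAll(params);  // parameters override session
        combined.putAll(attrs);   // attributes trump them all
        return combined;
    }
    // Order proposed in the issue: parameters go in first, so they override nothing.
    static Map<String, Object> combineProposed(Map<String, Object> ctx, Map<String, Object> session,
            Map<String, Object> params, Map<String, Object> attrs) {
        Map<String, Object> combined = new HashMap<>();
        combined.putAll(params);  // parameters shouldn't override anything
        combined.putAll(ctx);     // bottom level application attributes
        combined.putAll(session); // session overrides application
        combined.putAll(attrs);   // attributes trump them all
        return combined;
    }
    // Keys whose server-side value (session, else context) was replaced by a request parameter.
    static Set<String> shadowedKeys(Map<String, Object> combined, Map<String, Object> ctx,
            Map<String, Object> session, Map<String, Object> params) {
        Set<String> shadowed = new TreeSet<>();
        for (String key : params.keySet()) {
            Object serverValue = session.containsKey(key) ? session.get(key) : ctx.get(key);
            if (serverValue != null && !serverValue.equals(combined.get(key))) shadowed.add(key);
        }
        return shadowed;
    }
    public static void main(String[] args) {
        Map<String, Object> ctx = new HashMap<>(); // constructed web.xml context-params
        ctx.put("mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml");
        ctx.put("ownerPartyId", "Company");
        Map<String, Object> params = new HashMap<>(); // constructed request query string
        params.put("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        params.put("ownerPartyId", "SomeOtherParty");
        Map<String, Object> session = new HashMap<>(), attrs = new HashMap<>();
        System.out.println("reported: " + shadowedKeys(combineReported(ctx, session, params, attrs), ctx, session, params));
        System.out.println("proposed: " + shadowedKeys(combineProposed(ctx, session, params, attrs), ctx, session, params));
    }
}
```

Under the reported order both context keys are listed as shadowed by the request; under the proposed order the set is empty, while non-colliding request parameters still reach the combined map.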