[jira] Closed: (OFBIZ-3257) Security concern in the way to populate parameters map in the context

[David E. Jones (JIRA)]

     [ 
https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

David E. Jones closed OFBIZ-3257.
---------------------------------

       Resolution: Fixed
    Fix Version/s: SVN trunk
         Assignee: David E. Jones

Thanks for the idea Patrick. I've made this little change in the trunk in SVN 
rev 890831.

For now I'm planning to not change this in the release branches.

> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
>                 Key: OFBIZ-3257
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
>             Project: OFBiz
>          Issue Type: Bug
>          Components: framework
>    Affects Versions: SVN trunk
>            Reporter: Patrick Antivackis
>            Assignee: David E. Jones
>             Fix For: SVN trunk
>
>
> In the parameters map available in the context, get or post parameters can 
> override session and application attributes.
> The way to create the parameters map is the following in 
> UtilHttp.getCombinedMap :
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // 
> bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // 
> session overrides application
>         combinedMap.putAll(getParameterMap(request));                   // 
> parameters override session
>         combinedMap.putAll(getAttributeMap(request));                   // 
> attributes trump them all
> I understand that session can override application attributes, but I dont 
> understand why Parameters can override them.
> For example if you try the following :
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> You will be surprised. This also mean, that whatever personal configuration 
> parameters you are putting in the web.xml, they can be overriden by get or 
> post parameters.
> I propose to do the following instead :
>         combinedMap.putAll(getParameterMap(request));                   // 
> parameters shouldn't override anything
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // 
> bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // 
> session overrides application
>         combinedMap.putAll(getAttributeMap(request));                   // 
> attributes trump them all
> What do you think ?
> [from the dev list : 
> http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.