[ https://issues.apache.org/jira/browse/OFBIZ-5409?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13863431#comment-13863431 ]

Jacques Le Roux commented on OFBIZ-5409:
----------------------------------------

While creating a new patch, I stumbled upon this 
https://stackoverflow.com/questions/2669690/why-does-google-prepend-while1-to-their-json-responses?
  
I checked and found this serious article and comments 
http://haacked.com/archive/2009/06/25/json-hijacking.aspx/
I also found a neat solution (with a ",," typo in js source) at 
http://blackbe.lt/safely-handling-json-hijacking-prevention-methods-with-jquery/

Then I checked our JSON calls and they are all using "POST" (the only Ajax 
"GET" calls are not JSON calls). So we have no current vulnerabilities.

Despite this reassuring situation, I think we should add a security measure like the 
one used by Google (I prefer the "//" prefix, less disturbing) and use the 
datafilter checking js script.

So I have created 2 patches for review:
* "OFBIZ-5409 - Remove internal attributes for security reason.patch" contains 
only an update of the changes proposed by Gareth, but I commented out the check on 
the "_ERROR_MESSAGE_" part (should not be committed IMO)
* "OFBIZ-5409 - Remove internal attributes for security reason and secure json 
get.patch" is the same, with the datafilter checking js script added.

> JSON Response does not set http status on error
> -----------------------------------------------
>
>                 Key: OFBIZ-5409
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-5409
>             Project: OFBiz
>          Issue Type: Bug
>          Components: ALL APPLICATIONS
>    Affects Versions: Release Branch 11.04, SVN trunk, Release Branch 12.04, 
> Release Branch 13.07
>            Reporter: Gareth Carter
>            Assignee: Jacques Le Roux
>         Attachments: CommonEvents.patch, OFBIZ-5409 - Remove internal 
> attributes for security reason and secure json get.patch, OFBIZ-5409 - Remove 
> internal attributes for security reason.patch, OFBIZ-5409 - Remove internal 
> attributes for security reason.patch, before-after.diff
>
>
> When a json response is sent and there was an error in the service called, it 
> does not set the http status. Currently status code is always 200 but it 
> might be more appropriate to send an error code such as 500.
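As an added illustration of the "//" prefix and dataFilter approach discussed in the comment above (this is example code, not the OFBiz patches; `guardJson`, `jsonDataFilter` and `bodyIsOneComment` are illustrative names), the server side prefixes the single-line JSON and the client side strips the prefix before parsing, failing closed when it is missing:

```javascript
// Added example, not from the OFBiz patches: the "//" anti-hijacking prefix
// and the matching client-side dataFilter. Names are illustrative.
const GUARD = "//";

// Server side: emit the JSON on the same line as "//", so that a <script src>
// inclusion of the response parses as a single comment and nothing else.
// U+2028/U+2029 are JavaScript line terminators that JSON.stringify leaves
// unescaped, so they are escaped here or they would end the comment early.
function guardJson(value) {
  const json = JSON.stringify(value).replace(
    /[\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16)
  );
  return GUARD + json;
}

// Client side: jQuery-style dataFilter(data, type). Fail closed: a JSON
// response without the guard is rejected rather than parsed as plain JSON.
function jsonDataFilter(data, type) {
  if (type && type !== "json") {
    return data;
  }
  if (typeof data !== "string" || !data.startsWith(GUARD)) {
    throw new Error("JSON response is missing the anti-hijacking prefix");
  }
  return JSON.parse(data.slice(GUARD.length));
}

// Defender's check: the guard only works if the whole body is one "//" comment,
// i.e. it starts with the guard and contains no JavaScript line terminator.
function bodyIsOneComment(body) {
  return body.startsWith(GUARD) && !/[\n\r\u2028\u2029]/.test(body);
}

// Constructed sample payload; the U+2028 in "note" exercises the escaping.
const sample = { partyId: "10000", note: "line one\u2028line two", items: [1, 2] };
```

In jQuery the filter is wired in via `$.ajaxSetup({ dataFilter: jsonDataFilter })`, so every JSON call goes through the same check.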



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)