[ 
https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jacques Le Roux updated OFBIZ-3257:
-----------------------------------
    Issue Type: Sub-task  (was: Bug)
        Parent: OFBIZ-1525

> Security concern in the way to populate parameters map in the context
> ---------------------------------------------------------------------
>
>                 Key: OFBIZ-3257
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk
>            Reporter: Patrick Antivackis
>            Assignee: David E. Jones
>             Fix For: Trunk
>
>
> In the parameters map available in the context, GET or POST parameters can 
> override session and application attributes.
> The parameters map is created in the following way in 
> UtilHttp.getCombinedMap:
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getParameterMap(request));                   // parameters override session
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> I understand that session can override application attributes, but I don't 
> understand why parameters can override them.
> For example, if you try the following:
> https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml
> you will be surprised. This also means that whatever personal configuration 
> parameters you are putting in the web.xml, they can be overridden by GET or 
> POST parameters.
> I propose to do the following instead:
>         combinedMap.putAll(getParameterMap(request));                   // parameters shouldn't override anything
>         combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
>         combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
>         combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all
> What do you think?
> [from the dev list : 
> http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
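The precedence problem described in the issue, as an added stand-alone illustration (not OFBiz's own code): the four layers that UtilHttp.getCombinedMap merges are modelled as plain maps, and the two merge orders from the report are applied to the same constructed input. The class name CombinedMapOrder, the helper filtered(), the skip name "internalOnly", the session key userLogin and the web.xml value for mainDecoratorLocation are all assumptions made for the example.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not OFBiz code. The servlet context, session, request
 * parameters and request attributes are replaced by plain maps so the effect
 * of the merge order in UtilHttp.getCombinedMap can be seen in isolation.
 */
public class CombinedMapOrder {

    /** Copy of one layer minus the names the caller wants skipped (stands in for the namesToSkip argument). */
    static Map<String, Object> filtered(Map<String, Object> layer, Set<String> namesToSkip) {
        Map<String, Object> out = new HashMap<>();
        for (Map.Entry<String, Object> e : layer.entrySet()) {
            if (!namesToSkip.contains(e.getKey())) {
                out.put(e.getKey(), e.getValue());
            }
        }
        return out;
    }

    /** Merge order of UtilHttp.getCombinedMap as quoted in the issue: parameters shadow context and session. */
    static Map<String, Object> originalOrder(Map<String, Object> servletContext, Map<String, Object> session,
                                             Map<String, Object> parameters, Map<String, Object> attributes,
                                             Set<String> namesToSkip) {
        Map<String, Object> combined = new HashMap<>();
        combined.putAll(filtered(servletContext, namesToSkip)); // bottom level application attributes
        combined.putAll(filtered(session, namesToSkip));        // session overrides application
        combined.putAll(parameters);                            // parameters override session
        combined.putAll(attributes);                            // attributes trump them all
        return combined;
    }

    /** Merge order proposed in the issue: parameters go in first, so every other layer shadows them. */
    static Map<String, Object> proposedOrder(Map<String, Object> servletContext, Map<String, Object> session,
                                             Map<String, Object> parameters, Map<String, Object> attributes,
                                             Set<String> namesToSkip) {
        Map<String, Object> combined = new HashMap<>();
        combined.putAll(parameters);                            // parameters shouldn't override anything
        combined.putAll(filtered(servletContext, namesToSkip)); // bottom level application attributes
        combined.putAll(filtered(session, namesToSkip));        // session overrides application
        combined.putAll(attributes);                            // attributes trump them all
        return combined;
    }

    public static void main(String[] args) {
        // Constructed sample layers. The web.xml context-param value is assumed for the example.
        Map<String, Object> servletContext = new HashMap<>();
        servletContext.put("mainDecoratorLocation", "component://webtools/widget/CommonScreens.xml");
        servletContext.put("internalOnly", "never exposed"); // made-up name, filtered out via namesToSkip

        Map<String, Object> session = new HashMap<>();
        session.put("userLogin", "admin"); // assumed session-scoped value

        // What the query string ?mainDecoratorLocation=...&userLogin=guest contributes.
        Map<String, Object> parameters = new HashMap<>();
        parameters.put("mainDecoratorLocation", "component://ecommerce/widget/CommonScreens.xml");
        parameters.put("userLogin", "guest");

        Map<String, Object> attributes = new HashMap<>(); // nothing set on the request by the controller

        Set<String> namesToSkip = new HashSet<>();
        namesToSkip.add("internalOnly");

        Map<String, Object> shipped = originalOrder(servletContext, session, parameters, attributes, namesToSkip);
        Map<String, Object> proposed = proposedOrder(servletContext, session, parameters, attributes, namesToSkip);

        System.out.println("original order: mainDecoratorLocation=" + shipped.get("mainDecoratorLocation")
                + ", userLogin=" + shipped.get("userLogin"));
        System.out.println("proposed order: mainDecoratorLocation=" + proposed.get("mainDecoratorLocation")
                + ", userLogin=" + proposed.get("userLogin"));
    }
}
```

Run with `javac CombinedMapOrder.java && java CombinedMapOrder`. With the shipped order the two query-string values win for both keys, which is exactly the webtools URL behaviour the report describes; with the proposed order the context and session values win and the caller only sees a parameter when no higher layer defines the same name. Request attributes are left on top in both orders, as in the original, so values the controller sets explicitly are never shadowed by either change.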
