Alexander Wels has posted comments on this change.

Change subject: pki: remove usage of /ca.crt uri
......................................................................


Patch Set 1:

(2 comments)

....................................................
File backend/manager/modules/services/src/main/java/org/ovirt/engine/core/services/PKIResourceServlet.java
Line 46:     static {
Line 47:         EngineLocalConfig config = EngineLocalConfig.getInstance();
Line 48:         pkiResources = new HashMap<String, Details>();
Line 49:         pkiResources.put("ca-certificate", new Details(config.getPKICACert(), "X509-PEM-CA"));
Line 50:         pkiResources.put("engine-certificate", new Details(config.getPKIEngineCert(), "X509-PEM", "ovirt-engine"));
No, the problem is in tests: we might not have an EngineLocalConfig object 
available (paths are wrong, etc.), so if it is initialized statically, the unit 
test will just blow up with exceptions. That is why we mock it out, which is 
impossible if it is statically initialized.
Line 51:     }
Line 52: 
Line 53:     private String getMyParameter(String name, HttpServletRequest request) {
Line 54:         String value;


Line 85:             }
Line 86: 
Line 87:             if (alias == null) {
Line 88:                 alias = details.alias;
Line 89:             }
My issue is that the parameter is more or less returned to the user the way it 
was passed in, which is a classic XSS issue. Of course, since the output is not 
HTML there is no XSS, but limiting the alias to, let's say, alphas and maybe 
dashes should avoid any potential security issues.
Line 90: 
Line 91:             try (InputStream in = new FileInputStream(details.file)) {
Line 92: 
Line 93:                 final Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(in);


-- 
To view, visit http://gerrit.ovirt.org/20787
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: Iac544335e1a0c01388eae23405d83bdac4704d34
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alexander Wels <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Eli Mesika <[email protected]>
Gerrit-Reviewer: Itamar Heim <[email protected]>
Gerrit-Reviewer: Sandro Bonazzola <[email protected]>
Gerrit-Reviewer: oVirt Jenkins CI Server
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
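The whitelist check suggested in the review, written out as an added example; this is not oVirt's code and does not use the project's `Details` or `EngineLocalConfig` classes. It assumes a hypothetical `resolveAlias` helper that the servlet would call in place of the bare `alias = details.alias` fallback: an absent parameter yields the configured default, a parameter matching letters, digits and dashes is used as given, and anything else is rejected without echoing the rejected value back to the caller. The exact character set and length limit are assumptions; adjust them to the real alias space.

```java
import java.util.regex.Pattern;

/**
 * Added example (not oVirt's code): whitelist validation for the "alias"
 * request parameter discussed in the review. Because the servlet hands the
 * alias back to the caller (as the entry name in the generated output),
 * the value is constrained to a known-safe character set rather than
 * reflected as received.
 */
public final class AliasValidator {

    // Assumed policy: letters, digits and dashes, 1..64 characters,
    // not starting or ending with a dash. Tighten or loosen as needed.
    private static final Pattern SAFE_ALIAS =
        Pattern.compile("^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62}[A-Za-z0-9])?$");

    private AliasValidator() {
    }

    /**
     * Returns the alias the servlet should use.
     *
     * @param requested    the raw request parameter, may be null or empty
     * @param defaultAlias the configured alias for this resource
     * @return the requested alias if it passes the whitelist, otherwise the default
     * @throws IllegalArgumentException if a supplied alias fails the whitelist
     */
    public static String resolveAlias(String requested, String defaultAlias) {
        if (requested == null || requested.isEmpty()) {
            return defaultAlias;
        }
        if (!SAFE_ALIAS.matcher(requested).matches()) {
            // The message deliberately omits the offending value so the
            // error path does not reintroduce the reflection problem.
            throw new IllegalArgumentException(
                "alias must consist of letters, digits and dashes");
        }
        return requested;
    }

    // Constructed sample inputs: a missing parameter, two valid aliases,
    // and three values that the whitelist rejects.
    public static void main(String[] args) {
        String[] inputs = { null, "ovirt-engine", "web-1", "alias<tag>", "-leading", "a b" };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + resolveAlias(in, "ovirt-engine"));
            } catch (IllegalArgumentException e) {
                System.out.println(in + " -> rejected (HTTP 400): " + e.getMessage());
            }
        }
    }
}
```

In the servlet, the natural place for this is where the `alias` parameter is read: catch the `IllegalArgumentException` and answer with `HttpServletResponse.SC_BAD_REQUEST` and a fixed message, so that neither the success path nor the error path returns attacker-controlled text.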
