[ https://issues.apache.org/jira/browse/NIFI-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16562363#comment-16562363 ]

ASF GitHub Bot commented on NIFI-5442:
--------------------------------------

Github user mcg30005 commented on the issue:

    https://github.com/apache/nifi/pull/2908
  
    +1
    Hi Andy, PR looks really good. I asked Shawna to take a look as well since
    she has way more experience in this area. One question that we had was what
    page render will do with empty init str; we're going to patch and try this.


> Message Page uses raw X-ProxyContextPath
> ----------------------------------------
>
>                 Key: NIFI-5442
>                 URL: https://issues.apache.org/jira/browse/NIFI-5442
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.6.0
>            Reporter: Dan Fike
>            Assignee: Andy LoPresto
>            Priority: Major
>
> It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim 
> without sanitizing it or anything. See 
> [https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
>  
> I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured 
> NiFi host to get the *User authentication/authorization is only supported 
> when running over HTTPS* message page.
>  
> {code:java}
> $ curl http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" 
> type="text/css" />
> ...
> $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" 
> type=\"text/css\" /><script 
> type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" 
> href=\"" http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" 
> type="text/css" /><script type="text/javascript">alert("omg");</script><link 
> rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
> ...{code}
>  
> Presumably we want to do something like this: 
> [https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
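One way to treat the header as untrusted input on the server side, shown here as an added Java example standing in for the JSP (it is not NiFi's code and not the change in the linked PR): validate the value against an operator-configured allow-list of proxy context paths before using it, and escape it for the attribute context when emitting it. The class, method names and allow-list entries are constructed for illustration; the constructed hostile value also exercises the empty-header case the comment above asks about.

```java
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical helper (added example, not NiFi's code) for a page like message-page.jsp.
public final class ProxyContextPathSanitizer {

    // Constructed allow-list of context paths registered for a trusted fronting proxy.
    private static final Set<String> ALLOWED_CONTEXT_PATHS = Set.of("/nifi-proxy", "/apps/nifi");

    // Structural check: plain path segments only. Quotes, angle brackets and spaces never match.
    private static final Pattern SAFE_PATH = Pattern.compile("^(/[A-Za-z0-9._-]+)+$");

    // Returns the prefix to use, or "" when the header is absent, malformed or not allow-listed.
    public static String resolve(String headerValue) {
        if (headerValue == null) return "";
        String candidate = headerValue.trim();
        if (candidate.endsWith("/")) candidate = candidate.substring(0, candidate.length() - 1);
        if (!SAFE_PATH.matcher(candidate).matches()) return "";
        return ALLOWED_CONTEXT_PATHS.contains(candidate) ? candidate : "";
    }

    // Defence in depth: escape for a double-quoted HTML attribute even after validation.
    public static String escapeAttribute(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // The stylesheet link the message page emits, with the prefix validated and escaped.
    public static String stylesheetLink(String headerValue) {
        return "<link rel=\"stylesheet\" href=\"" + escapeAttribute(resolve(headerValue))
                + "/nifi/assets/reset.css/reset.css\" type=\"text/css\" />";
    }

    public static void main(String[] args) {
        // Constructed header values: absent, trusted with trailing slash, and a quote-breaking one.
        System.out.println(stylesheetLink(null));
        System.out.println(stylesheetLink("/nifi-proxy/"));
        System.out.println(stylesheetLink("/x\" /><b>injected</b><link href=\""));
    }
}
```

An absent header and a rejected value both yield an empty prefix, so the page falls back to its own context path rather than reflecting anything from the request.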
