Marshall Shi created SHINDIG-1879:
-------------------------------------
Summary: security issue with gadgets.io.proxiedMultipartFormPost
Key: SHINDIG-1879
URL: https://issues.apache.org/jira/browse/SHINDIG-1879
Project: Shindig
Issue Type: Bug
Components: Java, Javascript
Affects Versions: 2.5.0-beta5
Reporter: Marshall Shi
The file upload API provided by gadgets.io.proxiedMultipartFormPost exposes a
security risk.
var query = {
  'MPFP': 1, // This will force an alternate route in the makeRequest proxy endpoint
  'url': url,
  'httpMethod': 'POST',
  'headers': gadgets.io.encodeValues(headers, false),
  'authz': auth || '',
  'st': st,
  'contentType': params['CONTENT_TYPE'] || 'TEXT',
  'signOwner': signOwner,
  'signViewer': signViewer,
  // should we bypass gadget spec cache (e.g. to read OAuth provider URLs)
  'bypassSpecCache': gadgets.util.getUrlParameters()['nocache'] || '',
  'getFullHeaders': !!params['GET_FULL_HEADERS']
};
...
var proxyUrl = config['jsonProxyUrl'].replace('%host%', document.location.host) + '?' + gadgets.io.encodeValues(query);
Sensitive info like the security token will be added to the proxy URL. If an
attacker can view HTTP server or intermediate proxy logs or access a user's
browser history, they are provided with the current values of these tokens for
that user.
The proposed fix is to create a hidden field in the form the user wants to post;
the value of the hidden field will be the query string in JSON format. Once the
form is submitted, the hidden field will be removed. In the Shindig server, process
the stream of the multipart form and extract the hidden field value for the
rest of the request processing. A new stream with the original multipart form
data will be sent to the remote server.
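The following is an added illustration, not Shindig's code, of the reported shape and the proposed fix: the leaky URL builder beside one that moves the whole query into a JSON hidden field, plus the server-side step that strips that field from the multipart body before forwarding. The hidden field name, the proxy config, the query values and the multipart body are constructed for the example.

```javascript
// Added example, not Shindig's code: the makeRequest parameters (security token
// 'st' included) carried in a hidden multipart field instead of the proxy URL.
const HIDDEN_FIELD = 'shindig_proxy_params'; // assumed name, not from the tracker
const CONFIG = { jsonProxyUrl: 'http://%host%/gadgets/makeRequest' }; // constructed
const QUERY = { MPFP: 1, url: 'http://remote.example/upload', httpMethod: 'POST',
                st: 'SAMPLE-SECURITY-TOKEN', contentType: 'TEXT' }; // constructed

// Stand-in for gadgets.io.encodeValues: URL-encoded key=value pairs.
function encodeValues(obj) {
  return Object.keys(obj).map(k => encodeURIComponent(k) + '=' + encodeURIComponent(obj[k])).join('&');
}

// Shape reported as vulnerable: every parameter is appended to the proxy URL,
// so 'st' lands in server logs, proxy logs and the browser history.
function buildProxyUrlLeaky(config, host, query) {
  return config.jsonProxyUrl.replace('%host%', host) + '?' + encodeValues(query);
}

// Proposed fix: the form action has no query string; the parameters travel as
// one JSON-encoded hidden field inside the POST body, which is not logged as a URL.
function buildProxyPostSafe(config, host, query) {
  return { action: config.jsonProxyUrl.replace('%host%', host),
           hiddenField: { name: HIDDEN_FIELD, value: JSON.stringify(query) } };
}

// Parameter names present in a URL's query string (what a log line would expose).
function queryKeys(url) {
  const i = url.indexOf('?');
  return i < 0 ? [] : url.slice(i + 1).split('&').map(p => decodeURIComponent(p.split('=')[0]));
}

// Server side of the fix: pull the hidden field out of the multipart body and
// return the remaining parts, re-framed, for forwarding to the remote server.
function extractHiddenField(body, boundary) {
  // Prefixing CRLF makes every part delimiter look identical: "\r\n--boundary".
  const chunks = ('\r\n' + body).split('\r\n--' + boundary);
  let params = null;                 // stays null if the field is absent: reject the request
  const kept = [];
  for (const part of chunks.slice(1, -1)) {      // drop preamble and closing "--"
    const [headers, ...data] = part.split('\r\n\r\n');
    const name = /name="([^"]*)"/.exec(headers);
    if (name && name[1] === HIDDEN_FIELD) params = JSON.parse(data.join('\r\n\r\n'));
    else kept.push(part);
  }
  const forwarded = kept.map(p => '--' + boundary + p).join('\r\n') + '\r\n--' + boundary + '--\r\n';
  return { params, forwarded };
}

// Constructed multipart body as a browser would submit the fixed form.
const SAMPLE_BODY = '--B\r\nContent-Disposition: form-data; name="' + HIDDEN_FIELD + '"\r\n\r\n' +
  JSON.stringify(QUERY) + '\r\n--B\r\nContent-Disposition: form-data; name="file"; filename="a.txt"\r\n' +
  'Content-Type: text/plain\r\n\r\nhello\r\n--B--\r\n';
```

The forwarded body keeps the file part byte-for-byte and contains no trace of the token, which is the property a reviewer of the fix would want to check.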