[ https://issues.apache.org/jira/browse/SHINDIG-1879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Marshall Shi updated SHINDIG-1879:
----------------------------------

    Attachment: EH.patch

Attached is the proposed fix.
                
> security issue with gadgets.io.proxiedMultipartFormPost
> -------------------------------------------------------
>
>                 Key: SHINDIG-1879
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1879
>             Project: Shindig
>          Issue Type: Bug
>          Components: Java, Javascript 
>    Affects Versions: 2.5.0-beta5
>            Reporter: Marshall Shi
>         Attachments: EH.patch
>
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> The file upload API provided by gadgets.io.proxiedMultipartFormPost exposes a 
> security risk. 
> var query = {
>     'MPFP': 1, // This will force an alternate route in the makeRequest proxy endpoint
>     'url': url,
>     'httpMethod': 'POST',
>     'headers': gadgets.io.encodeValues(headers, false),
>     'authz': auth || '',
>     'st': st,
>     'contentType': params['CONTENT_TYPE'] || 'TEXT',
>     'signOwner': signOwner,
>     'signViewer': signViewer,
>     // should we bypass gadget spec cache (e.g. to read OAuth provider URLs)
>     'bypassSpecCache': gadgets.util.getUrlParameters()['nocache'] || '',
>     'getFullHeaders': !!params['GET_FULL_HEADERS']
> };
> ...
> var proxyUrl = config['jsonProxyUrl'].replace('%host%', document.location.host) + '?' + gadgets.io.encodeValues(query);
> Sensitive info like security token will be added in the proxy url. If an 
> attacker can view HTTP server or intermediate proxy logs or access a user's 
> browser history, they are provided with the current values of these tokens 
> for that user.
> The proposed fix is to create a hidden field in the form the user wants to post; 
> the value of the hidden field will be the query string in JSON format. Once 
> the form is submitted, the hidden field will be removed. In the Shindig server, 
> process the stream of the multipart form and extract the hidden field value 
> for the rest of the request processing. A new stream with the original 
> multipart form data will be sent to the remote server.
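The two request shapes the report contrasts, worked through end to end as an added example (this is not Shindig code and not the contents of EH.patch). It builds the proxy URL the way the quoted `gadgets.io` snippet does, so the `st` token lands in the query string, then builds the proposed variant where only the `MPFP` flag stays in the URL and the JSON-encoded query map rides in a hidden multipart field. The server half splits the multipart body, recovers the hidden field, and re-emits the remaining parts unchanged for forwarding. The hidden field name `__proxyParams`, the `makeRequest` path, the boundary and all field values are assumptions constructed for the run; the multipart handling is a simplified whole-string version of the streaming processing the report describes.

```javascript
// Added example for SHINDIG-1879: not Shindig code and not the attached patch.
// Hidden field name, proxy path and sample values are assumptions.

const HIDDEN_FIELD = '__proxyParams'; // assumed; the real patch may pick another name
const CRLF = '\r\n';

// Mimics gadgets.io.encodeValues: url-encode a map as key=value pairs.
function encodeValues(fields) {
  return Object.keys(fields)
    .map((k) => encodeURIComponent(k) + '=' + encodeURIComponent(fields[k]))
    .join('&');
}

// Shape quoted in the report: every field, including 'st', lands in the URL,
// so it reaches server/proxy logs and browser history.
function buildProxyUrlLegacy(jsonProxyUrl, host, query) {
  return jsonProxyUrl.replace('%host%', host) + '?' + encodeValues(query);
}

// Proposed shape: the URL keeps only the MPFP routing flag; the full query map
// is serialised as JSON into a hidden form field that travels in the POST body.
function buildProxyRequestHidden(jsonProxyUrl, host, query) {
  return {
    url: jsonProxyUrl.replace('%host%', host) + '?MPFP=1',
    hiddenField: HIDDEN_FIELD,
    hiddenValue: JSON.stringify(query),
  };
}

// Builds a multipart/form-data body, standing in for the browser's form
// submission. parts: [{name, value, filename?, contentType?}]
function buildMultipart(boundary, parts) {
  let body = '';
  for (const p of parts) {
    body += '--' + boundary + CRLF;
    body += 'Content-Disposition: form-data; name="' + p.name + '"';
    if (p.filename) body += '; filename="' + p.filename + '"';
    body += CRLF;
    if (p.contentType) body += 'Content-Type: ' + p.contentType + CRLF;
    body += CRLF + p.value + CRLF;
  }
  return body + '--' + boundary + '--' + CRLF;
}

// Server side (simplified: whole body as a string, not a stream): split on the
// boundary, pull out the hidden field, and re-emit every other part verbatim so
// the remote server receives the original form minus the proxy parameters.
function extractHiddenField(boundary, body, fieldName) {
  const delimiter = '--' + boundary;
  const kept = [];
  let params = null;
  for (const chunk of body.split(delimiter).slice(1)) {
    if (chunk.startsWith('--')) break; // closing "--boundary--"
    const part = chunk.slice(CRLF.length, -CRLF.length); // drop leading/trailing CRLF
    const sep = part.indexOf(CRLF + CRLF);
    const headers = part.slice(0, sep);
    const value = part.slice(sep + 2 * CRLF.length);
    const m = /name="([^"]*)"/.exec(headers);
    if (m && m[1] === fieldName) {
      params = JSON.parse(value); // the map the client used to put in the URL
    } else {
      kept.push(delimiter + chunk);
    }
  }
  return { params, forwarded: kept.join('') + delimiter + '--' + CRLF };
}

// End-to-end run on constructed input; returns everything worth checking.
function demo() {
  const query = { MPFP: 1, url: 'http://example.com/upload', httpMethod: 'POST',
                  st: 'SECRET-TOKEN', contentType: 'TEXT' }; // constructed values
  const proxy = 'http://%host%/gadgets/makeRequest'; // assumed jsonProxyUrl
  const legacyUrl = buildProxyUrlLegacy(proxy, 'gadgets.example.org', query);
  const req = buildProxyRequestHidden(proxy, 'gadgets.example.org', query);
  const userParts = [
    { name: 'title', value: 'hello' },
    { name: 'file', filename: 'a.txt', contentType: 'text/plain', value: 'file data' },
  ];
  const submitted = buildMultipart('B1',
    [userParts[0], { name: req.hiddenField, value: req.hiddenValue }, userParts[1]]);
  const server = extractHiddenField('B1', submitted, HIDDEN_FIELD);
  return { legacyUrl, hiddenUrl: req.url, params: server.params,
           forwarded: server.forwarded, expectedForward: buildMultipart('B1', userParts) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('legacy URL carries st:', r.legacyUrl.includes('st=SECRET-TOKEN'));
  console.log('hidden-field URL:', r.hiddenUrl);
  console.log('server recovered st:', r.params.st);
  console.log('forwarded body unchanged:', r.forwarded === r.expectedForward);
}
```

The check that matters for the report's threat model is the last two lines of the run: the URL that reaches logs and history contains only `MPFP=1`, while the server still recovers the full query map (token included) and the body it forwards upstream is byte-identical to the user's form without the hidden field. A real implementation would also need to handle the boundary appearing inside part bodies and process the stream incrementally rather than buffering the whole upload.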

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
