[jira] [Commented] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976360#comment-16976360 ] ASF subversion and git services commented on ARIES-1934: Commit e8477faa3f37b7b1cab61e634137224552978f80 in aries's branch refs/heads/trunk from Colm O hEigeartaigh [ https://gitbox.apache.org/repos/asf?p=aries.git;h=e8477fa ] ARIES-1934 - Make sure jar/zip files are jailed to the destination directory > Make sure jar/zip files are jailed to the destination directory > --- > > Key: ARIES-1934 > URL: https://issues.apache.org/jira/browse/ARIES-1934 > Project: Aries > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Christian Schneider >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > There are a number of locations in Aries where we unzip a jar or zip file to > the filesystem, without checking that the all of the files are jailed to the > intended destination directory. This is a potential security issue as it > allows an attacked to overwrite files on the system outside of the intended > directory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976362#comment-16976362 ] ASF subversion and git services commented on ARIES-1934: Commit 9ef209c8d5cc684261efb3e18a5cf961f4ab2f00 in aries's branch refs/heads/trunk from Christian Schneider [ https://gitbox.apache.org/repos/asf?p=aries.git;h=9ef209c ] Merge pull request #102 from coheigea/ARIES-1934 ARIES-1934 - Make sure jar/zip files are jailed to the destination di… > Make sure jar/zip files are jailed to the destination directory > --- > > Key: ARIES-1934 > URL: https://issues.apache.org/jira/browse/ARIES-1934 > Project: Aries > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Christian Schneider >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > There are a number of locations in Aries where we unzip a jar or zip file to > the filesystem, without checking that the all of the files are jailed to the > intended destination directory. This is a potential security issue as it > allows an attacked to overwrite files on the system outside of the intended > directory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976361#comment-16976361 ] ASF subversion and git services commented on ARIES-1934: Commit 9ef209c8d5cc684261efb3e18a5cf961f4ab2f00 in aries's branch refs/heads/trunk from Christian Schneider [ https://gitbox.apache.org/repos/asf?p=aries.git;h=9ef209c ] Merge pull request #102 from coheigea/ARIES-1934 ARIES-1934 - Make sure jar/zip files are jailed to the destination di… > Make sure jar/zip files are jailed to the destination directory > --- > > Key: ARIES-1934 > URL: https://issues.apache.org/jira/browse/ARIES-1934 > Project: Aries > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Christian Schneider >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > There are a number of locations in Aries where we unzip a jar or zip file to > the filesystem, without checking that the all of the files are jailed to the > intended destination directory. This is a potential security issue as it > allows an attacked to overwrite files on the system outside of the intended > directory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Christian Schneider resolved ARIES-1934. Fix Version/s: spifly-1.2.4 Resolution: Fixed > Make sure jar/zip files are jailed to the destination directory > --- > > Key: ARIES-1934 > URL: https://issues.apache.org/jira/browse/ARIES-1934 > Project: Aries > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Christian Schneider >Priority: Major > Fix For: spifly-1.2.4 > > Time Spent: 20m > Remaining Estimate: 0h > > There are a number of locations in Aries where we unzip a jar or zip file to > the filesystem, without checking that the all of the files are jailed to the > intended destination directory. This is a potential security issue as it > allows an attacked to overwrite files on the system outside of the intended > directory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Christian Schneider reassigned ARIES-1934: -- Assignee: Christian Schneider > Make sure jar/zip files are jailed to the destination directory > --- > > Key: ARIES-1934 > URL: https://issues.apache.org/jira/browse/ARIES-1934 > Project: Aries > Issue Type: Improvement >Reporter: Colm O hEigeartaigh >Assignee: Christian Schneider >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > There are a number of locations in Aries where we unzip a jar or zip file to > the filesystem, without checking that the all of the files are jailed to the > intended destination directory. This is a potential security issue as it > allows an attacked to overwrite files on the system outside of the intended > directory. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (ARIES-1887) org.apache.aries.transaction.blueprint is not thread safe
[
https://issues.apache.org/jira/browse/ARIES-1887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976358#comment-16976358
]
Christian Schneider commented on ARIES-1887:
I was just going through the old PRs. Any news about this one? [~jbonofre]
> org.apache.aries.transaction.blueprint is not thread safe
> -
>
> Key: ARIES-1887
> URL: https://issues.apache.org/jira/browse/ARIES-1887
> Project: Aries
> Issue Type: Bug
> Components: Transaction
>Affects Versions: transaction-blueprint-2.2.0
>Reporter: Nicolas Dutertry
>Assignee: Jean-Baptiste Onofré
>Priority: Major
> Fix For: transaction-blueprint-2.3.0
>
>
> The class ComponentTxData in org.apache.aries.transaction.blueprint uses a
> HashMap
> {code:java}
> private Map txMap = new
> HashMap();{code}
> This is very dangerous because txMap can be modified and accessed after
> initialization.
> It should be replaced with a ConcurrentHashMap.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
