[jira] [Commented] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976360#comment-16976360 ]

ASF subversion and git services commented on ARIES-1934:

Commit e8477faa3f37b7b1cab61e634137224552978f80 in aries's branch refs/heads/trunk from Colm O hEigeartaigh
[ https://gitbox.apache.org/repos/asf?p=aries.git;h=e8477fa ]

ARIES-1934 - Make sure jar/zip files are jailed to the destination directory

> Make sure jar/zip files are jailed to the destination directory
> ---
>
> Key: ARIES-1934
> URL: https://issues.apache.org/jira/browse/ARIES-1934
> Project: Aries
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Christian Schneider
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There are a number of locations in Aries where we unzip a jar or zip file to
> the filesystem, without checking that all of the files are jailed to the
> intended destination directory. This is a potential security issue as it
> allows an attacker to overwrite files on the system outside of the intended
> directory.

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976362#comment-16976362 ]

ASF subversion and git services commented on ARIES-1934:

Commit 9ef209c8d5cc684261efb3e18a5cf961f4ab2f00 in aries's branch refs/heads/trunk from Christian Schneider
[ https://gitbox.apache.org/repos/asf?p=aries.git;h=9ef209c ]

Merge pull request #102 from coheigea/ARIES-1934

ARIES-1934 - Make sure jar/zip files are jailed to the destination di…

> Make sure jar/zip files are jailed to the destination directory
> ---
>
> Key: ARIES-1934
> URL: https://issues.apache.org/jira/browse/ARIES-1934
> Project: Aries
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Christian Schneider
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There are a number of locations in Aries where we unzip a jar or zip file to
> the filesystem, without checking that all of the files are jailed to the
> intended destination directory. This is a potential security issue as it
> allows an attacker to overwrite files on the system outside of the intended
> directory.
[jira] [Commented] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976361#comment-16976361 ]

ASF subversion and git services commented on ARIES-1934:

Commit 9ef209c8d5cc684261efb3e18a5cf961f4ab2f00 in aries's branch refs/heads/trunk from Christian Schneider
[ https://gitbox.apache.org/repos/asf?p=aries.git;h=9ef209c ]

Merge pull request #102 from coheigea/ARIES-1934

ARIES-1934 - Make sure jar/zip files are jailed to the destination di…

> Make sure jar/zip files are jailed to the destination directory
> ---
>
> Key: ARIES-1934
> URL: https://issues.apache.org/jira/browse/ARIES-1934
> Project: Aries
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Christian Schneider
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There are a number of locations in Aries where we unzip a jar or zip file to
> the filesystem, without checking that all of the files are jailed to the
> intended destination directory. This is a potential security issue as it
> allows an attacker to overwrite files on the system outside of the intended
> directory.
[jira] [Resolved] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Schneider resolved ARIES-1934.

Fix Version/s: spifly-1.2.4
Resolution: Fixed

> Make sure jar/zip files are jailed to the destination directory
> ---
>
> Key: ARIES-1934
> URL: https://issues.apache.org/jira/browse/ARIES-1934
> Project: Aries
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Christian Schneider
> Priority: Major
> Fix For: spifly-1.2.4
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> There are a number of locations in Aries where we unzip a jar or zip file to
> the filesystem, without checking that all of the files are jailed to the
> intended destination directory. This is a potential security issue as it
> allows an attacker to overwrite files on the system outside of the intended
> directory.
[jira] [Assigned] (ARIES-1934) Make sure jar/zip files are jailed to the destination directory
[ https://issues.apache.org/jira/browse/ARIES-1934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Schneider reassigned ARIES-1934:

Assignee: Christian Schneider

> Make sure jar/zip files are jailed to the destination directory
> ---
>
> Key: ARIES-1934
> URL: https://issues.apache.org/jira/browse/ARIES-1934
> Project: Aries
> Issue Type: Improvement
> Reporter: Colm O hEigeartaigh
> Assignee: Christian Schneider
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> There are a number of locations in Aries where we unzip a jar or zip file to
> the filesystem, without checking that all of the files are jailed to the
> intended destination directory. This is a potential security issue as it
> allows an attacker to overwrite files on the system outside of the intended
> directory.
[jira] [Commented] (ARIES-1887) org.apache.aries.transaction.blueprint is not thread safe
[ https://issues.apache.org/jira/browse/ARIES-1887?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16976358#comment-16976358 ]

Christian Schneider commented on ARIES-1887:

I was just going through the old PRs. Any news about this one? [~jbonofre]

> org.apache.aries.transaction.blueprint is not thread safe
> -
>
> Key: ARIES-1887
> URL: https://issues.apache.org/jira/browse/ARIES-1887
> Project: Aries
> Issue Type: Bug
> Components: Transaction
> Affects Versions: transaction-blueprint-2.2.0
> Reporter: Nicolas Dutertry
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: transaction-blueprint-2.3.0
>
>
> The class ComponentTxData in org.apache.aries.transaction.blueprint uses a
> HashMap
> {code:java}
> private Map txMap = new
> HashMap();{code}
> This is very dangerous because txMap can be modified and accessed after
> initialization.
> It should be replaced with a ConcurrentHashMap.