[jira] [Comment Edited] (ROL-1956) ValidateSaltFilter not working on file upload

Sun, 12 Jan 2014 03:00:52 -0800 

    [ 
https://issues.apache.org/jira/browse/ROL-1956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13868999#comment-13868999
 ] 

Greg Huber edited comment on ROL-1956 at 1/12/14 10:58 AM:
-----------------------------------------------------------

I remember seeing this a while back and it was fixed on the trunk.  I have done 
lots of media file uploads while testing and this not been an issue.  If you 
are still seeing this let me know and create another issue.

Cheers Greg.


was (Author: gregh99):
I remember seeing this a while back and it was fixed on the trunk.  I have done 
lots of media file uploads while testing and this not been an issue.  If you 
are still seeing this let me know.

Cheers Greg.

> ValidateSaltFilter not working on file upload
> ---------------------------------------------
>
>                 Key: ROL-1956
>                 URL: https://issues.apache.org/jira/browse/ROL-1956
>             Project: Apache Roller
>          Issue Type: Bug
>    Affects Versions: 5.1
>         Environment: java version "1.7.0_03"
> OpenJDK Runtime Environment (IcedTea7 2.1.3) (7u3-2.1.3-1)
> OpenJDK 64-Bit Server VM (build 22.0-b10, mixed mode)
> tomcat7                               7.0.28-3+nmu1
>            Reporter: Matthias Wimmer
>            Assignee: Greg Huber
>             Fix For: 5.1
>
>
> When I try to upload a media file to roller, I get a Sercurity Violation 
> thrown in org.apache.roller.weblogger.ui.core.filters.ValidateSaltFilter
> Debugging the problem I can see, that the salt is sent in the HTTP POST 
> request to http://example.com/roller-ui/authoring/mediaFileAdd!save.rol - but 
> the call to (String) httpReq.getParameter("salt") in 
> ValidateSaltFilter.doFilter does return null.
> I guess that this is what 
> http://docs.oracle.com/javaee/6/api/javax/servlet/ServletRequest.html 
> describes for the getParameter() method when it talks about the following:
> If the parameter data was sent in the request body, such as occurs with an 
> HTTP POST request, then reading the body directly via getInputStream() or 
> getReader() can interfere with the execution of this method.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to