Security concern in the way to populate parameters map in the context
---------------------------------------------------------------------

                 Key: OFBIZ-3257
                 URL: https://issues.apache.org/jira/browse/OFBIZ-3257
             Project: OFBiz
          Issue Type: Bug
          Components: framework
    Affects Versions: SVN trunk
            Reporter: Patrick Antivackis


In the parameters map available in the context, get or post parameters can 
override session and application attributes.
The way to create the parameters map is the following in 
UtilHttp.getCombinedMap :

        combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
        combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
        combinedMap.putAll(getParameterMap(request));                   // parameters override session
        combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all

I understand that session can override application attributes, but I don't 
understand why parameters can override them.

For example if you try the following :
https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml

You will be surprised. This also means that whatever personal configuration 
parameters you are putting in the web.xml, they can be overridden by get or post 
parameters.

I propose to do the following instead :

        combinedMap.putAll(getParameterMap(request));                   // parameters shouldn't override anything
        combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes
        combinedMap.putAll(getSessionMap(request, namesToSkip));        // session overrides application
        combinedMap.putAll(getAttributeMap(request));                   // attributes trump them all

What do you think ?

[from the dev list : 
http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html]

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
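The following is an added, stand-alone model of the two putAll orderings discussed in the issue. It is not OFBiz code: plain maps stand in for the servlet context, session, request parameters and request attributes, the namesToSkip filter is a simplified stand-in for what getServletContextMap/getSessionMap do with that argument, and all attribute values are constructed for the demonstration. It shows that with the original ordering a query-string parameter replaces an application-scoped mainDecoratorLocation, while with the proposed ordering the application value survives.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Model of UtilHttp.getCombinedMap's layering using plain maps (not OFBiz code).
public class CombinedMapOrderDemo {

    // Original ordering from the issue: parameters are put in after the
    // application and session maps, so they overwrite both.
    static Map<String, Object> combinedOriginal(Map<String, Object> appAttrs,
                                                Map<String, Object> sessionAttrs,
                                                Map<String, Object> params,
                                                Map<String, Object> requestAttrs,
                                                Set<String> namesToSkip) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(withoutSkipped(appAttrs, namesToSkip));     // bottom level application attributes
        combined.putAll(withoutSkipped(sessionAttrs, namesToSkip)); // session overrides application
        combined.putAll(params);                                    // parameters override session
        combined.putAll(requestAttrs);                              // attributes trump them all
        return combined;
    }

    // Proposed ordering: parameters go in first, so any application, session or
    // request attribute with the same name replaces the client-supplied value.
    static Map<String, Object> combinedProposed(Map<String, Object> appAttrs,
                                                Map<String, Object> sessionAttrs,
                                                Map<String, Object> params,
                                                Map<String, Object> requestAttrs,
                                                Set<String> namesToSkip) {
        Map<String, Object> combined = new LinkedHashMap<>();
        combined.putAll(params);                                    // parameters shouldn't override anything
        combined.putAll(withoutSkipped(appAttrs, namesToSkip));     // bottom level application attributes
        combined.putAll(withoutSkipped(sessionAttrs, namesToSkip)); // session overrides application
        combined.putAll(requestAttrs);                              // attributes trump them all
        return combined;
    }

    // Simplified stand-in for the namesToSkip handling: drop listed keys.
    static Map<String, Object> withoutSkipped(Map<String, Object> src, Set<String> namesToSkip) {
        Map<String, Object> out = new LinkedHashMap<>();
        src.forEach((key, value) -> {
            if (!namesToSkip.contains(key)) {
                out.put(key, value);
            }
        });
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: an application-scoped decorator location, a
        // session attribute, and a request whose query string carries the same
        // mainDecoratorLocation name as in the issue's example URL.
        Map<String, Object> app = Map.of("mainDecoratorLocation", "application-configured-decorator");
        Map<String, Object> session = Map.of("sessionExample", "session-value");
        Map<String, Object> params = Map.of("mainDecoratorLocation",
                "component://ecommerce/widget/CommonScreens.xml");
        Map<String, Object> requestAttrs = Map.of();
        Set<String> namesToSkip = Set.of();

        Object original = combinedOriginal(app, session, params, requestAttrs, namesToSkip)
                .get("mainDecoratorLocation");
        Object proposed = combinedProposed(app, session, params, requestAttrs, namesToSkip)
                .get("mainDecoratorLocation");

        // Original ordering: the client-supplied parameter wins.
        System.out.println("original ordering -> " + original);
        // Proposed ordering: the application attribute wins.
        System.out.println("proposed ordering -> " + proposed);
    }
}
```

Two caveats follow from the model. The proposed ordering only prevents parameters from overriding names that already exist in some server-side scope; a parameter whose name is not set anywhere still reaches the combined map unchanged, so code reading the map must still treat unknown keys as client input. And request attributes remain on top in both orderings, so anything that copies parameters into request attributes before getCombinedMap runs would reintroduce the override.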
