Omer Frenkel has submitted this change and it was merged.

Change subject: core: Protect GetAttachmentServlet from response splitting attack
......................................................................
core: Protect GetAttachmentServlet from response splitting attack

Current version of GetAttachmentServlet inserts given filename directly to
http response header, which allows code splitting. This patch fixes it by
url-encoding the given filename.

Change-Id: I90dd7d95879342d70cfbb43c49d128457aebc35e
Signed-off-by: Frantisek Kobzik <[email protected]>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=843410
---
M backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java
1 file changed, 3 insertions(+), 2 deletions(-)

Approvals:
  Omer Frenkel: Verified; Looks good to me, approved

--
To view, visit http://gerrit.ovirt.org/12671
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: merged
Gerrit-Change-Id: I90dd7d95879342d70cfbb43c49d128457aebc35e
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Frank Kobzik <[email protected]>
Gerrit-Reviewer: Arik Hadas <[email protected]>
Gerrit-Reviewer: Frank Kobzik <[email protected]>
Gerrit-Reviewer: Omer Frenkel <[email protected]>
Gerrit-Reviewer: Tomas Jelinek <[email protected]>
Gerrit-Reviewer: Vojtech Szocs <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
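The pattern the commit message describes, as an added example that is not the ovirt-engine code or the merged patch: a request-supplied filename placed into a response header value as-is, next to the URL-encoded form. The `Content-Disposition` header, the class and method names, and the sample filenames are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

public class AttachmentHeaderDemo {

    // "Before" form: the filename goes into the header value unchanged, so any
    // CR/LF it carries ends the header line early and starts a new one.
    static String rawHeaderValue(String filename) {
        return "attachment; filename=\"" + filename + "\"";
    }

    // "After" form: URL-encode first. CR becomes %0D, LF becomes %0A and the
    // double quote becomes %22, so the value stays on one header line.
    static String encodedHeaderValue(String filename) {
        String encoded = URLEncoder.encode(filename, StandardCharsets.UTF_8);
        return "attachment; filename=\"" + encoded + "\"";
    }

    // Check a servlet filter or unit test can apply to any outgoing header value.
    static boolean hasLineBreak(String headerValue) {
        return headerValue.indexOf('\r') >= 0 || headerValue.indexOf('\n') >= 0;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary name, one carrying CR/LF.
        String[] samples = { "console.vv", "console.vv\r\nX-Injected: 1" };
        for (String name : samples) {
            String raw = rawHeaderValue(name);
            String enc = encodedHeaderValue(name);
            System.out.println("raw     line break=" + hasLineBreak(raw));
            System.out.println("encoded line break=" + hasLineBreak(enc) + "  " + enc);
        }
    }
}
```

`URLEncoder` applies form encoding, so a space in the filename is emitted as `+` and the client sees the encoded name unless it decodes it.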
