[jira] [Commented] (NIFI-5442) Message Page uses raw X-ProxyContextPath

Wed, 01 Aug 2018 09:12:21 -0700 


    [ 
https://issues.apache.org/jira/browse/NIFI-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16565559#comment-16565559
 ] 

ASF subversion and git services commented on NIFI-5442:
-------------------------------------------------------

Commit e62aa0252dfcf34dff0c3a9c51265b1d0f9dfc9f in nifi's branch 
refs/heads/master from [~alopresto]
[ https://git-wip-us.apache.org/repos/asf?p=nifi.git;h=e62aa02 ]

NIFI-5442 Get X-ProxyContextPath value from request attributes rather than 
directly from headers.
NIFI-5442 Populate request contextPath attribute during AccessResource before 
displaying on message-page.jsp.
Refactored shared code from CatchAllFilter to WebUtils.
NIFI-5442 Refactored filter and context path code to shared parent filter and 
subclass.
NIFI-5442 Removed unnecessary initParams from nifi-web-ui web.xml.
NIFI-5442 Added explicit dispatchers to nifi-web-ui web.xml and removed 
unnecessary code from AccessResource.

This closes #2908


> Message Page uses raw X-ProxyContextPath
> ----------------------------------------
>
>                 Key: NIFI-5442
>                 URL: https://issues.apache.org/jira/browse/NIFI-5442
>             Project: Apache NiFi
>          Issue Type: Bug
>          Components: Core Framework
>    Affects Versions: 1.6.0
>            Reporter: Dan Fike
>            Assignee: Andy LoPresto
>            Priority: Major
>
> It looks like {{message-page.jsp}} uses {{X-ProxyContextPath}} verbatim 
> without sanitizing it or anything. See 
> [https://github.com/apache/nifi/blob/66783c18b24b1c6b1cfd662c58ca9df1e60b866e/nifi-nar-bundles/nifi-framework-bundle/nifi-framework/nifi-web/nifi-web-ui/src/main/webapp/WEB-INF/pages/message-page.jsp#L21]
>  
> I verified this by hitting {{/nifi-api/access/oidc/callback}} on an unsecured 
> NiFi host to get the *User authentication/authorization is only supported 
> when running over HTTPS* message page.
>  
> {code:java}
> $ curl http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" 
> type="text/css" />
> ...
> $ curl --header "X-ProxyContextPath: /nifi/assets/reset.css/reset.css\" 
> type=\"text/css\" /><script 
> type=\"text/javascript\">alert(\"omg\");</script><link rel=\"stylesheet\" 
> href=\"" http://hostname/nifi-api/access/oidc/callback
> ...
> <link rel="stylesheet" href="/nifi/assets/reset.css/reset.css" 
> type="text/css" /><script type="text/javascript">alert("omg");</script><link 
> rel="stylesheet" href="/nifi/assets/reset.css/reset.css" type="text/css" />
> ...{code}
>  
> Presumably we want to do something like this: 
> [https://github.com/apache/nifi/commit/5d643edfaba4f5369c94ee1b4eaa5c59e3a9f37a#diff-91119fe15bb6f3b931662093e367b671R20]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to