[jira] Created: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
Locked
[jira] Created: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
 
|
Security concern in the way to populate parameters map in the context
--------------------------------------------------------------------- Key: OFBIZ-3257 URL: https://issues.apache.org/jira/browse/OFBIZ-3257 Project: OFBiz Issue Type: Bug Components: framework Affects Versions: SVN trunk Reporter: Patrick Antivackis In the parameters map available in the context, get or post parameters can override session and application attributes. The way to create the parameters map is the following in UtilHttp.getCombinedMap : combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application combinedMap.putAll(getParameterMap(request)); // parameters override session combinedMap.putAll(getAttributeMap(request)); // attributes trump them all I understand that session can override application attributes, but I dont understand why Parameters can override them. For example if you try the following : https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. I propose to do the following instead : combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application combinedMap.putAll(getAttributeMap(request)); // attributes trump them all What do you think ? [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
|
|
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782957#action_12782957 ] David E. Jones commented on OFBIZ-3257: --------------------------------------- My first thought was to make sure all code sensitive to things like this just doesn't use the parameters Maps that are around so much. Like the mainDecoratorLocation probably just should use that. On the other hand it's an interesting idea to allow any of the "internal" attributes to override the URL parameters. That changes the semantics a little bit, but may actually a really useful change. I've mulled this over a bit now and I can't think of any major issues with it, so I like it as a solution. If no one complains or comes up with a deal killer issue, I'd say we go for it. > Security concern in the way to populate parameters map in the context > --------------------------------------------------------------------- > > Key: OFBIZ-3257 > URL: https://issues.apache.org/jira/browse/OFBIZ-3257 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: SVN trunk > Reporter: Patrick Antivackis > > In the parameters map available in the context, get or post parameters can override session and application attributes. > The way to create the parameters map is the following in UtilHttp.getCombinedMap : > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getParameterMap(request)); // parameters override session > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > I understand that session can override application attributes, but I dont understand why Parameters can override them. > For example if you try the following : > https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml > You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. > I propose to do the following instead : > combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > What do you think ? > [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782983#action_12782983 ] Jacques Le Roux commented on OFBIZ-3257: ---------------------------------------- What propose Patrick looks sound to me. But would this not have side-effects? I mean, is parameters overidding application and session never used (even if I agree it's not secure)? > Security concern in the way to populate parameters map in the context > --------------------------------------------------------------------- > > Key: OFBIZ-3257 > URL: https://issues.apache.org/jira/browse/OFBIZ-3257 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: SVN trunk > Reporter: Patrick Antivackis > > In the parameters map available in the context, get or post parameters can override session and application attributes. > The way to create the parameters map is the following in UtilHttp.getCombinedMap : > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getParameterMap(request)); // parameters override session > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > I understand that session can override application attributes, but I dont understand why Parameters can override them. > For example if you try the following : > https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml > You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. > I propose to do the following instead : > combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > What do you think ? > [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782985#action_12782985 ] David E. Jones commented on OFBIZ-3257: --------------------------------------- It could have side-effects, but nowhere that I'm aware of. Most places rely on request attributes overriding request parameters, but I don't think anything relies on request parameters overriding session attributes or application/ServletContext attributes. It doesn't seem like a logical thing to do actually, so I don't think we'll find it done anywhere. > Security concern in the way to populate parameters map in the context > --------------------------------------------------------------------- > > Key: OFBIZ-3257 > URL: https://issues.apache.org/jira/browse/OFBIZ-3257 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: SVN trunk > Reporter: Patrick Antivackis > > In the parameters map available in the context, get or post parameters can override session and application attributes. > The way to create the parameters map is the following in UtilHttp.getCombinedMap : > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getParameterMap(request)); // parameters override session > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > I understand that session can override application attributes, but I dont understand why Parameters can override them. > For example if you try the following : > https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml > You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. > I propose to do the following instead : > combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > What do you think ? > [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12782992#action_12782992 ] Jacques Le Roux commented on OFBIZ-3257: ---------------------------------------- So +1 for me too > Security concern in the way to populate parameters map in the context > --------------------------------------------------------------------- > > Key: OFBIZ-3257 > URL: https://issues.apache.org/jira/browse/OFBIZ-3257 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: SVN trunk > Reporter: Patrick Antivackis > > In the parameters map available in the context, get or post parameters can override session and application attributes. > The way to create the parameters map is the following in UtilHttp.getCombinedMap : > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getParameterMap(request)); // parameters override session > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > I understand that session can override application attributes, but I dont understand why Parameters can override them. > For example if you try the following : > https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml > You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. > I propose to do the following instead : > combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > What do you think ? > [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Commented: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12783053#action_12783053 ] Patrick Antivackis commented on OFBIZ-3257: ------------------------------------------- Also parameters is the only way, that I am aware of, to easily get access of web.xml attributes in the screen context. Meaning that if you have an application that populate a "ownerParty" in the context through a screen.xml, based on a web.xml attribute, something like : <action> <entity-one value-field="ownerParty" entity-name="Party" auto-field-map="false"><field-map field-name="partyId" from-field="parameters.ownerPartyId"/></entity-one> </action> with ownerPartyId coming from the web.xml So if request params override servlet context params, we can not rely on the previous action. > Security concern in the way to populate parameters map in the context > --------------------------------------------------------------------- > > Key: OFBIZ-3257 > URL: https://issues.apache.org/jira/browse/OFBIZ-3257 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: SVN trunk > Reporter: Patrick Antivackis > > In the parameters map available in the context, get or post parameters can override session and application attributes. > The way to create the parameters map is the following in UtilHttp.getCombinedMap : > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getParameterMap(request)); // parameters override session > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > I understand that session can override application attributes, but I dont understand why Parameters can override them. > For example if you try the following : > https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml > You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. > I propose to do the following instead : > combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > What do you think ? > [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
[jira] Closed: (OFBIZ-3257) Security concern in the way to populate parameters map in the context
|
|
In reply to this post by Nicolas Malin (Jira)
[ https://issues.apache.org/jira/browse/OFBIZ-3257?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] David E. Jones closed OFBIZ-3257. --------------------------------- Resolution: Fixed Fix Version/s: SVN trunk Assignee: David E. Jones Thanks for the idea Patrick. I've made this little change in the trunk in SVN rev 890831. For now I'm planning to not change this in the release branches. > Security concern in the way to populate parameters map in the context > --------------------------------------------------------------------- > > Key: OFBIZ-3257 > URL: https://issues.apache.org/jira/browse/OFBIZ-3257 > Project: OFBiz > Issue Type: Bug > Components: framework > Affects Versions: SVN trunk > Reporter: Patrick Antivackis > Assignee: David E. Jones > Fix For: SVN trunk > > > In the parameters map available in the context, get or post parameters can override session and application attributes. > The way to create the parameters map is the following in UtilHttp.getCombinedMap : > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getParameterMap(request)); // parameters override session > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > I understand that session can override application attributes, but I dont understand why Parameters can override them. > For example if you try the following : > https://localhost:8443/webtools/control/main?mainDecoratorLocation=component://ecommerce/widget/CommonScreens.xml > You will be surprised. This also mean, that whatever personal configuration parameters you are putting in the web.xml, they can be overriden by get or post parameters. > I propose to do the following instead : > combinedMap.putAll(getParameterMap(request)); // parameters shouldn't override anything > combinedMap.putAll(getServletContextMap(request, namesToSkip)); // bottom level application attributes > combinedMap.putAll(getSessionMap(request, namesToSkip)); // session overrides application > combinedMap.putAll(getAttributeMap(request)); // attributes trump them all > What do you think ? > [from the dev list : http://n4.nabble.com/Security-concern-in-the-way-to-populate-context-td787134.html] -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online. |
«
Return to OFBiz - Dev
|
1 view|%1 views
| Free forum by Nabble | Edit this page |