February 2017 - jboss-jira - Jboss List Archives

[JBoss JIRA] (WFLY-8158) JSP source code leak when space and periods added at the end of the URL

by Markus Markus (JIRA)

[ https://issues.jboss.org/browse/WFLY-8158?page=com.atlassian.jira.plugin.... ] Markus Markus commented on WFLY-8158: ------------------------------------- Note: we have +not+ tried to find out if the error is present on any other WildFly version (because we do not use any other WildFly version for the particular use case where this bug is of importance to us) > JSP source code leak when space and periods added at the end of the URL > ----------------------------------------------------------------------- > > Key: WFLY-8158 > URL: https://issues.jboss.org/browse/WFLY-8158 > Project: WildFly > Issue Type: Bug > Components: Web (Undertow) > Affects Versions: 8.2.0.Final > Environment: WildFly executing on Windows > Reporter: Markus Markus > Assignee: Stuart Douglas > Priority: Blocker > > All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser. > {code} > http://localhost:8080/application/HostPage.jsp%2E > http://localhost:8080/application/HostPage.jsp%2E%2E > http://localhost:8080/application/HostPage.jsp%20%2E > http://localhost:8080/application/HostPage.jsp%20%2E%2E > {code} > The problem with periods has perhaps to do with windows removing/accepting trailing periods in file names: [here|http://stackoverflow.com/questions/17746494/why-is-directory-name-wh...], [and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename...] because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}} delegates to {{java.io.File}} to test whether a file path is valid or not, and {{java.io.File}} does presumably delegate to Windows. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8158) JSP source code leak when space and periods added at the end of the URL

by Markus Markus (JIRA)

Markus Markus created WFLY-8158: ----------------------------------- Summary: JSP source code leak when space and periods added at the end of the URL Key: WFLY-8158 URL: https://issues.jboss.org/browse/WFLY-8158 Project: WildFly Issue Type: Bug Components: Web (Undertow) Affects Versions: 8.2.0.Final Environment: WildFly executing on Windows Reporter: Markus Markus Assignee: Stuart Douglas Priority: Blocker All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser. {code} http://localhost:8080/application/HostPage.jsp%2E http://localhost:8080/application/HostPage.jsp%2E%2E http://localhost:8080/application/HostPage.jsp%20%2E http://localhost:8080/application/HostPage.jsp%20%2E%2E {code} The problem with periods has perhaps to do with windows removing/accepting trailing periods in file names: [here|http://stackoverflow.com/questions/17746494/why-is-directory-name-wh...], [and here|http://stackoverflow.com/questions/11681207/how-to-create-a-filename...] because {{io.undertow.server.handlers.resource.FileResourceManager.getResource()}} delegates to {{java.io.File}} to test whether a file path is valid or not, and {{java.io.File}} does presumably delegate to Windows. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (ELY-880) Unable to set IPv6 address in Elytron authentication context match-host rule

by Tomas Hofman (JIRA)

[ https://issues.jboss.org/browse/ELY-880?page=com.atlassian.jira.plugin.sy... ] Tomas Hofman reassigned ELY-880: -------------------------------- Assignee: Tomas Hofman > Unable to set IPv6 address in Elytron authentication context match-host rule > ---------------------------------------------------------------------------- > > Key: ELY-880 > URL: https://issues.jboss.org/browse/ELY-880 > Project: WildFly Elytron > Issue Type: Bug > Components: Authentication Client > Affects Versions: 1.1.0.Beta18 > Reporter: Martin Choma > Assignee: Tomas Hofman > > Setting IPv6 address in wildfly-config.xml cause validation error. > {code:xml|title=wildfly-config.xml} > <?xml version="1.0" encoding="UTF-8"?> > <authentication-client xmlns="urn:elytron:1.0"> > <authentication-configurations> > <configuration name="set-host-to-localhost"> > <set-host name="localhost"/> > </configuration> > </authentication-configurations> > <authentication-rules> > <rule use-configuration="set-host-to-localhost"> > <match-host name="::1"/> > </rule> > </authentication-rules> > </authentication-client> > {code} > {code:title=server.log} > java.lang.IllegalArgumentException: ELY01029: Invalid host specification "::1" > at org.wildfly.security.auth.client.MatchHostRule.<init>(MatchHostRule.java:39) > at org.wildfly.security.auth.client.MatchRule.matchHost(MatchRule.java:411) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAbstractMatchRuleType(ElytronXmlParser.java:701) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationRuleType(ElytronXmlParser.java:467) > at org.wildfly.security.auth.client.ElytronXmlParser.parseRulesType(ElytronXmlParser.java:484) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientType(ElytronXmlParser.java:241) > at org.wildfly.security.auth.client.ElytronXmlParser.parseAuthenticationClientConfiguration(ElytronXmlParser.java:169) > at org.wildfly.security.auth.client.XmlConfigurationTest.testMatcHostRuleConfiguration(XmlConfigurationTest.java:175) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:497) > at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47) > at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12) > at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44) > at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17) > at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271) > at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70) > at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50) > at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238) > at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63) > at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236) > at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53) > at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229) > at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26) > at org.junit.internal.runners.statements.RunAfters.evaluate(RunAfters.java:27) > at org.junit.runners.ParentRunner.run(ParentRunner.java:309) > at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:367) > at org.apache.maven.surefire.junit4.JUnit4Provider.executeWithRerun(JUnit4Provider.java:274) > at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:238) > at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:161) > at org.apache.maven.surefire.booter.ForkedBooter.invokeProviderInSameClassLoader(ForkedBooter.java:290) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:242) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:121) > {code} > It is because of elytron validation [1]. However don't know if just allowing ":" in regexp is valid solution. > [1] https://github.com/wildfly-security/wildfly-elytron/blob/7debbcabc7c20be5... -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (DROOLS-1443) Improve effect of caching in ChainedProperties.

by Mario Fusco (JIRA)

[ https://issues.jboss.org/browse/DROOLS-1443?page=com.atlassian.jira.plugi... ] Mario Fusco commented on DROOLS-1443: ------------------------------------- What you're suggesting sounds interesting but it is not entirely clear to me. In particular I don't understand how you could implement meaningful hashcode and equals methods on a ClassLoader. If you already implemented this could you maybe send a pull request with what you did or at least paste it somewhere? Thank you. > Improve effect of caching in ChainedProperties. > ------------------------------------------------- > > Key: DROOLS-1443 > URL: https://issues.jboss.org/browse/DROOLS-1443 > Project: Drools > Issue Type: Enhancement > Components: core engine > Reporter: Hans Lund > Assignee: Mario Fusco > Priority: Minor > > The ChainedProperties utility has a caching setting that will cache the classpath discovery of property resource - but not the parsing of these resources. > This utility is a hot spot for the initialization of runtime environments - caching the parsed properties instead of the resource url will improve runtime performance. > Changing the caching strategy will make hot changes to classpath property resources impossible. File based property files could be made safe cacheable by investigating file metadata and only read if changed. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8141) CachedConnectionManager add operation excepts no parameters anymore

by Alexey Loubyansky (JIRA)

[ https://issues.jboss.org/browse/WFLY-8141?page=com.atlassian.jira.plugin.... ] Alexey Loubyansky commented on WFLY-8141: ----------------------------------------- The workaround will be to disable operation request validation in the cli, i.e. validate-option-requests in jboss-cli.xml. But the issue has to be addressed in the JCA. > CachedConnectionManager add operation excepts no parameters anymore > ------------------------------------------------------------------- > > Key: WFLY-8141 > URL: https://issues.jboss.org/browse/WFLY-8141 > Project: WildFly > Issue Type: Bug > Components: Domain Management, JCA > Affects Versions: 11.0.0.Alpha1 > Reporter: Tomaz Cerar > Assignee: Ingo Weiss > Priority: Critical > > Fix for WFLY-2640 broke :add operation for cached-connection-manager > scipts that do > {noformat} > /profile=default-web/subsystem=jca/cached-connection-manager=cached-connection-manager:add(install="true") > {noformat} > {noformat} > /subsystem=jca/cached-connection-manager=cached-connection-manager:add(install="true") > {noformat} > now fail with > {{Operation 'add' does not expect any property.}} > This breaks our quickstarts -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFCORE-2307) Rename wildfly-elytron-tool.jar to elytron-tool.jar to be consistent with other jars in bin directory

by Martin Švehla (JIRA)

[ https://issues.jboss.org/browse/WFCORE-2307?page=com.atlassian.jira.plugi... ] Martin Švehla moved JBEAP-8921 to WFCORE-2307: ---------------------------------------------- Project: WildFly Core (was: JBoss Enterprise Application Platform) Key: WFCORE-2307 (was: JBEAP-8921) Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1) Component/s: Security (was: Security) Affects Version/s: (was: 7.1.0.DR12) > Rename wildfly-elytron-tool.jar to elytron-tool.jar to be consistent with other jars in bin directory > ----------------------------------------------------------------------------------------------------- > > Key: WFCORE-2307 > URL: https://issues.jboss.org/browse/WFCORE-2307 > Project: WildFly Core > Issue Type: Bug > Components: Security > Reporter: Martin Švehla > Assignee: Peter Skopek > > We should consider dropping wildfly prefix, as we're generally trying to avoid having that > See for example https://issues.jboss.org/browse/WFCORE-1302 for similar issue (the jira si related to renaming wildfly-launcher.jar to launcher.jar). -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8157) Synchronize XSD and DMR description of credential-store attributes

by Martin Choma (JIRA)

[ https://issues.jboss.org/browse/WFLY-8157?page=com.atlassian.jira.plugin.... ] Martin Choma updated WFLY-8157: ------------------------------- Description: Use XSD description in DMR description, because description in XSD is better for attributes * provider-name * providers * other-providers * relative-to * uri (DMR description contains wrong vault://) For {{type}} attribute use this description in both XSD and DMR: "The credential store type, e.g. KeyStoreCredentialStore" . Now there is mentioned wrongly KeyStorePasswordStore {code:xml|title=XSD} <xs:attribute name="type" type="xs:string" use="optional"> <xs:annotation> <xs:documentation> The credential store type, e.g. KeyStorePasswordStore. </xs:documentation> </xs:annotation> </xs:attribute> {code} was: Use XSD description in DMR description, because description in XSD is better for attributes * provider-name * providers * other-providers * relative-to * uri ** (DMR description contains wrong vault://) For type use this description in both XSD and DMR: * The credential store type, e.g. KeyStoreCredentialStore ** There is mentioned wrong KeyStorePasswordStore > Synchronize XSD and DMR description of credential-store attributes > ------------------------------------------------------------------ > > Key: WFLY-8157 > URL: https://issues.jboss.org/browse/WFLY-8157 > Project: WildFly > Issue Type: Bug > Components: Security > Reporter: Martin Choma > Assignee: Darran Lofthouse > Labels: credential-store > > Use XSD description in DMR description, because description in XSD is better for attributes > * provider-name > * providers > * other-providers > * relative-to > * uri (DMR description contains wrong vault://) > For {{type}} attribute use this description in both XSD and DMR: "The credential store type, e.g. KeyStoreCredentialStore" . Now there is mentioned wrongly KeyStorePasswordStore > {code:xml|title=XSD} > <xs:attribute name="type" type="xs:string" use="optional"> > <xs:annotation> > <xs:documentation> > The credential store type, e.g. KeyStorePasswordStore. > </xs:documentation> > </xs:annotation> > </xs:attribute> > {code} -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8157) Synchronize XSD and DMR description of credential-store attributes

by Martin Choma (JIRA)

Martin Choma created WFLY-8157: ---------------------------------- Summary: Synchronize XSD and DMR description of credential-store attributes Key: WFLY-8157 URL: https://issues.jboss.org/browse/WFLY-8157 Project: WildFly Issue Type: Bug Components: Security Reporter: Martin Choma Assignee: Darran Lofthouse Use XSD description in DMR description, because description in XSD is better for attributes * provider-name * providers * other-providers * relative-to * uri ** (DMR description contains wrong vault://) For type use this description in both XSD and DMR: * The credential store type, e.g. KeyStoreCredentialStore ** There is mentioned wrong KeyStorePasswordStore -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (DROOLS-1442) ServiceRegistry references non existent classes

by Mario Fusco (JIRA)

[ https://issues.jboss.org/browse/DROOLS-1442?page=com.atlassian.jira.plugi... ] Mario Fusco resolved DROOLS-1442. --------------------------------- Fix Version/s: 7.0.0.CR1 Resolution: Done Fixed by https://github.com/droolsjbpm/droolsjbpm-knowledge/commit/a988de4491074f4... and https://github.com/droolsjbpm/drools/commit/df070474e8fbeef838f9be303d5ba... > ServiceRegistry references non existent classes > ----------------------------------------------- > > Key: DROOLS-1442 > URL: https://issues.jboss.org/browse/DROOLS-1442 > Project: Drools > Issue Type: Bug > Reporter: Anton Giertli > Assignee: Mario Fusco > Fix For: 7.0.0.CR1 > > > This code > {code:java} > SystemEventListener listener = SystemEventListenerFactory.getSystemEventListener(); > {code} > Fails with: > Caused by: java.lang.ClassNotFoundException: org.drools.core.impl.SystemEventListenerServiceImpl > Because ServiceRegistryImpl > https://github.com/droolsjbpm/droolsjbpm-knowledge/blob/master/kie-intern... > references class SystemEventListenerServiceImpl which does not exist anymore in drools-core. > The interface SystemEventListenerService still exists in kie-internal but there is no implementation whatsoever in drools. > First impression is that both SystemEventListenerService + SystemEventListenerServiceImpl are "dead" code and should probably be removed. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

[JBoss JIRA] (WFLY-8142) Review & update ejb-multi-server documents

by Tomaz Cerar (JIRA)

[ https://issues.jboss.org/browse/WFLY-8142?page=com.atlassian.jira.plugin.... ] Tomaz Cerar commented on WFLY-8142: ----------------------------------- For "both" as after sync is done they will be the same. This is here just for tracking now, as it needs to be done before .GA as currently this whole QS is a big mess and doesn't work at all so needs to be fixed first. > Review & update ejb-multi-server documents > ------------------------------------------ > > Key: WFLY-8142 > URL: https://issues.jboss.org/browse/WFLY-8142 > Project: WildFly > Issue Type: Enhancement > Components: Quickstarts > Reporter: Tomaz Cerar > Assignee: Sande Gilda > > Currently it references bunch of warnings / errors with its jiras. > But those jiras ware fixed and there is no need to keep that in docs. -- This message was sent by Atlassian JIRA (v7.2.3#72005)

9 years, 2 months

1
0
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira February 2017