[JBoss JIRA] (SRAMPUI-68) Create Dashboard page
by Eric Wittmann (JIRA)
Eric Wittmann created SRAMPUI-68:
------------------------------------
Summary: Create Dashboard page
Key: SRAMPUI-68
URL: https://issues.jboss.org/browse/SRAMPUI-68
Project: S-RAMP UI
Issue Type: Feature Request
Components: View
Reporter: Eric Wittmann
Fix For: Milestone 4
We're planning on a shared top navigation header for all Overlord projects. Once this is done, the S-RAMP browser should have a Dashboard which will be a starting point for navigation. Artifacts, Ontologies, and Settings will have sections on the Dashboard.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 8 months
[JBoss JIRA] (SRAMPUI-67) Artifacts Page - add multi-select with Actions drop-down
by Eric Wittmann (JIRA)
Eric Wittmann created SRAMPUI-67:
------------------------------------
Summary: Artifacts Page - add multi-select with Actions drop-down
Key: SRAMPUI-67
URL: https://issues.jboss.org/browse/SRAMPUI-67
Project: S-RAMP UI
Issue Type: Feature Request
Reporter: Eric Wittmann
Assignee: Eric Wittmann
Fix For: Future (Unscheduled)
Currently artifacts cannot be selected. We need to support multi-select. Once that is done, the actions drop-down should be restored and implemented (e.g. Download, Delete, etc...)
11 years, 8 months
[JBoss JIRA] (SRAMP-178) Trusting MIME type sent from clients is dangerous
by Eric Wittmann (JIRA)
[ https://issues.jboss.org/browse/SRAMP-178?page=com.atlassian.jira.plugin.... ]
Eric Wittmann resolved SRAMP-178.
---------------------------------
Resolution: Done
> Trusting MIME type sent from clients is dangerous
> -------------------------------------------------
>
> Key: SRAMP-178
> URL: https://issues.jboss.org/browse/SRAMP-178
> Project: S-RAMP
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Client
> Affects Versions: 0.1.1
> Reporter: Lukas Krejci
> Assignee: Kurt Stam
> Fix For: 0.2.0 - Milestone 4
>
>
> While uploading an artifact to the repository, the S-RAMP server completely trusts the client with the supplied MIME type and uses it thereafter.
> This also includes the time when the artifact is downloaded from the S-RAMP server.
> This is quite dangerous, IMHO, because it gives potential attackers the means for making certain types of files look like something they aren't. This could be a nice vector for exploiting vulnerabilities in applications that then open such files.
> For example, consider this command:
> curl -H 'Content-Type: image/png' -H 'Slug: wha.pkg' --data-binary @tmp.pdf 'http://localhost:8080/s-ramp-server/s-ramp/core/Document'
> This will create an artifact called "wha.pkg" in the repository, which will have the stored content type of "image/png" but the actual data will be a PDF.
> IMHO, the mime type detection should be purely a server-side affair ignoring any hints of mimetype sent in by the clients.
11 years, 8 months
[JBoss JIRA] (SRAMP-178) Trusting MIME type sent from clients is dangerous
by Eric Wittmann (JIRA)
[ https://issues.jboss.org/browse/SRAMP-178?page=com.atlassian.jira.plugin.... ]
Eric Wittmann closed SRAMP-178.
-------------------------------
11 years, 8 months
[JBoss JIRA] (SRAMP-178) Trusting MIME type sent from clients is dangerous
by Eric Wittmann (JIRA)
[ https://issues.jboss.org/browse/SRAMP-178?page=com.atlassian.jira.plugin.... ]
Eric Wittmann updated SRAMP-178:
--------------------------------
Git Pull Request: https://github.com/Governance/s-ramp/pull/221
11 years, 8 months
[JBoss JIRA] (SRAMP-178) Trusting MIME type sent from clients is dangerous
by Eric Wittmann (JIRA)
[ https://issues.jboss.org/browse/SRAMP-178?page=com.atlassian.jira.plugin.... ]
Eric Wittmann commented on SRAMP-178:
-------------------------------------
You're right, I did. :)
Things look good so I'm going to close out this issue.
11 years, 8 months
[JBoss JIRA] (SRAMP-178) Trusting MIME type sent from clients is dangerous
by Lukas Krejci (JIRA)
[ https://issues.jboss.org/browse/SRAMP-178?page=com.atlassian.jira.plugin.... ]
Lukas Krejci commented on SRAMP-178:
------------------------------------
Well, you merged my pull request: https://github.com/Governance/s-ramp/pull/221
That doesn't mean I didn't introduce any new bugs ;)
Nevertheless, S-RAMP server should now use Tika to assign MIME types of the uploaded artifacts.
11 years, 8 months
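The server-side check SRAMP-178 asks for, sketched as an added example that is not S-RAMP code and not part of any message in this thread. A small magic-number table stands in for Tika, which the thread says the fix uses; `store_upload`, `download_headers` and the `Artifact` record are hypothetical names, and the sample body is constructed.

```python
from dataclasses import dataclass

# Well-known leading file signatures; a small stand-in for a full detector.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"%PDF-", "application/pdf"),
    (b"GIF89a", "image/gif"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"PK\x03\x04", "application/zip"),
]
FALLBACK = "application/octet-stream"


@dataclass
class Artifact:
    name: str
    content_type: str   # detected by the server; this is what gets served
    claimed_type: str   # sent by the client; kept only for auditing
    mismatch: bool


def detect_mime(body: bytes) -> str:
    """Derive the MIME type from the content's leading bytes only."""
    for magic, mime in SIGNATURES:
        if body.startswith(magic):
            return mime
    return FALLBACK


def store_upload(headers: dict, body: bytes) -> Artifact:
    """Hypothetical upload handler: the Content-Type header is never trusted."""
    claimed = headers.get("Content-Type", "").split(";")[0].strip().lower()
    detected = detect_mime(body)
    return Artifact(headers.get("Slug", "unnamed"), detected, claimed,
                    mismatch=bool(claimed) and claimed != detected)


def download_headers(artifact: Artifact) -> dict:
    """Serve the detected type and tell browsers not to re-sniff it."""
    return {"Content-Type": artifact.content_type,
            "X-Content-Type-Options": "nosniff"}


# Constructed sample mirroring the curl command in the report:
# a PDF body sent with Content-Type: image/png and Slug: wha.pkg.
SAMPLE = store_upload({"Content-Type": "image/png", "Slug": "wha.pkg"},
                      b"%PDF-1.4\n%constructed sample body\n")
```

The `mismatch` flag is worth logging: a client whose declared type disagrees with the detected one is either misconfigured or probing the upload path.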