[jboss-jira] [JBoss JIRA] (SECURITY-650) auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter
Tom Fonteyne (JIRA)
jira-events at lists.jboss.org
Thu Mar 8 06:00:38 EST 2012
Tom Fonteyne created SECURITY-650:
-------------------------------------
Summary: auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter
Key: SECURITY-650
URL: https://issues.jboss.org/browse/SECURITY-650
Project: PicketBox (JBoss Security and Identity Management)
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: PicketBox
Affects Versions: JBossSecurity_2.0.4.SP9
Reporter: Tom Fonteyne
Assignee: Anil Saldhana
Priority: Minor
Fix For: PicketBox_v4_0_8.Final
auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter
See: jbosssx/ src/ main/ java/ org/ jboss/ security/ authorization/ resources/ WebResource.java
Headers filter:
180 if(headerName.contains("authorization") == false)
181 sb.append(httpRequest.getHeader(headerName)).append(",");
No filtering for params:
197 sb.append(paramValues[i]).append("::");
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list