[teiid-issues] [JBoss JIRA] (TEIID-4090) Issue with entitysets/properties ending in auth or token
Steven Hawkins (JIRA)
issues at jboss.org
Thu Jun 9 15:32:00 EDT 2016
[ https://issues.jboss.org/browse/TEIID-4090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13250544#comment-13250544 ]
Steven Hawkins commented on TEIID-4090:
---------------------------------------
> I can not seem to remember the reason I added the "static" content servlet?
I can't find anything related to the commit comment - https://issues.jboss.org/issues/?jql=issuekey%20in%20(TEIID-4090%2C%20%20TEIID-3962%2C%20TEIID-4060%2C%20TEIID-4059%2C%20TEIID-4039%2C%20TEIID-4055%2C%20TEIID-3782)
It seems like it needs to be more secure - allowing any resource to be read from the classpath is a security issue. Did you add it for debugging or perhaps for other security work?
> Issue with entitysets/properties ending in auth or token
> --------------------------------------------------------
>
> Key: TEIID-4090
> URL: https://issues.jboss.org/browse/TEIID-4090
> Project: Teiid
> Issue Type: Bug
> Components: OData
> Affects Versions: 8.12
> Reporter: Steven Hawkins
> Assignee: Ramesh Reddy
> Fix For: 9.0, 8.12.5
>
>
> To handle oauth, we are checking for uri.endsWith("auth") || uri.endsWith("token") - however valid uris can end with those characters as well. An ioexception will be thrown instead of seeing the expected results - we also need to not simply throw an ioexception in ODataServlet as there is no server log of the exception and the client sees a 500 error.
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)
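The suffix check quoted in the issue description, next to a stricter whole-segment comparison, as an added example that is not part of the original message or Teiid's code. The class name, the `segmentMatch` helper, the sample URIs and the assumption that the OAuth endpoints are the final path segments `auth` and `token` are all hypothetical.

```java
import java.util.List;
import java.util.Set;

public class OAuthPathCheck {
    // Assumed endpoint names; the issue only shows the suffixes "auth" and "token".
    private static final Set<String> OAUTH_SEGMENTS = Set.of("auth", "token");

    // The check as quoted in the issue description: plain string suffix match.
    static boolean suffixMatch(String uri) {
        return uri.endsWith("auth") || uri.endsWith("token");
    }

    // Stricter variant (an assumption, not the project's fix):
    // compare the complete last path segment instead of a string suffix.
    static boolean segmentMatch(String uri) {
        int q = uri.indexOf('?');
        String path = q >= 0 ? uri.substring(0, q) : uri;   // drop the query string
        while (path.endsWith("/")) {                          // ignore trailing slashes
            path = path.substring(0, path.length() - 1);
        }
        String last = path.substring(path.lastIndexOf('/') + 1);
        return OAUTH_SEGMENTS.contains(last);
    }

    public static void main(String[] args) {
        // Constructed sample request URIs, not taken from the issue.
        List<String> samples = List.of(
            "/odata4/vdb/model/auth",            // assumed OAuth endpoint
            "/odata4/vdb/model/token",           // assumed OAuth endpoint
            "/odata4/vdb/model/Customerauth",    // entity set whose name ends in "auth"
            "/odata4/vdb/model/Orders(1)/securitytoken", // property ending in "token"
            "/odata4/vdb/model/token?state=abc"  // endpoint with a query string
        );
        for (String uri : samples) {
            System.out.printf("%-45s suffix=%-5b segment=%b%n",
                    uri, suffixMatch(uri), segmentMatch(uri));
        }
    }
}
```

The whole-segment comparison still collides with an entity set named exactly `auth` or `token`, so routing OAuth handling under a dedicated path prefix is the more robust design.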