Bug 724550 (BRMS-497)

Summary: BRMS Feed-Servlet: Log Injection with attachmentUUID parameter
Product: [JBoss] JBoss Enterprise BRMS Platform 5
Reporter: Len DiMaggio <ldimaggi>
Component: BRM (Guvnor), Security
Assignee: manstis
Status: VERIFIED
QA Contact: Lukáš Petrovický <lpetrovi>
Severity: medium
Priority: medium
Version: BRMS 5.2.0.GA
CC: atangrin, lpetrovi
Target Release: BRMS 5.3.0.GA
Hardware: Unspecified
OS: Unspecified
URL: http://jira.jboss.org/jira/browse/BRMS-497
Doc Type: Bug Fix
Type: Bug

Description Len DiMaggio 2010-12-03 14:34:12 UTC
securitylevel_name: Public

Feed-Servlet: Log Injection with attachmentUUID parameter

http://127.0.0.1:8080/jboss-brms/org.drools.guvnor.Guvnor/feed/discussion?assetName=x&package=%0AThis is a very bad thing in your log %0Dx&discussion=x


(Thanks to Marc S. for identifying this issue)
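As an added illustration, not code from the bug report or from Guvnor, the Python below feeds the report's URL through a stand-in for the servlet's logging, once with the raw `package` value and once with control characters neutralized; the `neutralize` helper, the logger name and the log format are assumptions, not the project's own.

```python
import logging
import re
from io import StringIO
from urllib.parse import parse_qs, urlsplit

# Constructed input: the URL from the bug report; %0A / %0D decode to LF / CR.
REPORT_URL = ("http://127.0.0.1:8080/jboss-brms/org.drools.guvnor.Guvnor/feed/discussion"
              "?assetName=x&package=%0AThis is a very bad thing in your log %0Dx&discussion=x")

# Every C0 control character (CR, LF, ESC, ...) and DEL becomes a visible \xNN escape,
# so one request can only ever produce one log record, with the original bytes still
# recoverable by whoever reads the log.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value: str) -> str:
    """Make an untrusted value safe to embed in a single-line log record (assumed helper)."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def log_request(url: str, sanitize: bool) -> list[str]:
    """Log the 'package' parameter as a servlet might and return the resulting log lines."""
    params = parse_qs(urlsplit(url).query)      # parse_qs percent-decodes %0A / %0D
    package = params.get("package", [""])[0]
    if sanitize:
        package = neutralize(package)
    buf = StringIO()
    logger = logging.getLogger("feed-servlet-demo")  # assumed logger name
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s feed: package=%(message)s"))
    logger.handlers.clear()
    logger.addHandler(handler)
    logger.info(package)
    handler.flush()
    # splitlines() breaks on both LF and CR, i.e. exactly the characters the report injects.
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for mode in (False, True):
        print("sanitized" if mode else "raw", log_request(REPORT_URL, sanitize=mode))
```

With the raw value the single request yields three log lines, the middle one being the attacker-chosen text; with `neutralize` applied it yields one line with the CR/LF shown as `\x0d` / `\x0a`.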

Comment 3 Lukáš Petrovický 2011-11-14 11:34:55 UTC
This is still an issue.

Comment 5 Geoffrey De Smet 2011-11-22 14:36:14 UTC
We discussed this and we reject this issue for the following reasons:

- Log injection is not a security threat. Please show a counter example if it is a problem.
- Logging the values of what goes wrong (except for security credentials etc, which are never part of the exception message) is a good thing: it helps to diagnose and fix the problem.

Please reopen if you disagree.

Comment 6 Geoffrey De Smet 2011-11-22 14:37:11 UTC
*** Bug 724548 has been marked as a duplicate of this bug. ***