Bug 794400 (JBEPP-1444)
| Summary: | able to save wsrp producer property with non-valid name | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Portal Platform 5 | Reporter: | Viliam Rockai <vrockai> |
| Component: | unspecified | Assignee: | claprun <claprun> |
| Status: | CLOSED NEXTRELEASE | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 5.2.0.GA | CC: | chris.laprun, epp-bugs, jmorgan, theute |
| Target Milestone: | --- | ||
| Target Release: | 5.2.1.GA | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| URL: | http://jira.jboss.org/jira/browse/JBEPP-1444 | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Values input in the registration properties field in the Producer configuration part of the WSRP administration portlet were not properly validated. This resulted in errors further down the stack (in particular at the persistence level), an inconsistent user interface, and possible XSS vulnerabilities. Input is now properly validated and errors should now be caught much earlier, therefore preventing invalid values from propagating to lower levels of the WSRP service. | ||
| Story Points: | --- | ||
| Clone Of: | Environment: | ||
| Last Closed: | 2012-01-05 11:09:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| Embargoed: | |||
I believe this is an instance of the session eviction issue. Basically, if you log out and log back in with the same user, no data is evicted. I still agree that this should be handled better.

Link: Added: This issue depends GTNWSRP-275

Release Notes Docs Status: Added: Not Yet Documented

Release Notes Text: Added: Values input in the registration properties field in the Producer configuration part of the WSRP administration portlet were not properly validated, resulting in errors further down the stack (in particular at the persistence level), inconsistent user interface and possible XSS. Input is now properly validated and errors should now be caught much earlier, thus preventing invalid values from propagating to lower levels of the WSRP service.

Fixed with upgrade to a more recent WSRP version.

Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Values input in the registration properties field in the Producer configuration part of the WSRP administration portlet were not properly validated. This resulted in errors further down the stack (in particular at the persistence level), an inconsistent user interface, and possible XSS vulnerabilities. Input is now properly validated and errors should now be caught much earlier, therefore preventing invalid values from propagating to lower levels of the WSRP service.

project_key: JBEPP

go to WSRP producer properties page
add new property with name `<script>alert('a');</script>`, with label whatever and with hint whatever
click save - error message about non-valid name is shown
log-out and log-in, go to WSRP producer properties again
the property was saved, despite non-valid name
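
The report above describes an error message being shown while the invalid name is saved anyway. As an added illustration (not code from the portal or the WSRP project), this example validates a registration property name before the store is touched and HTML-encodes values on output; the class name, the name pattern and the in-memory map are assumptions, since the page does not state the rule the fix applies.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

public class RegistrationPropertyDemo {
    // Assumed rule: letter or '_' first, then letters, digits, '.', '-', '_'.
    private static final Pattern VALID_NAME = Pattern.compile("[A-Za-z_][A-Za-z0-9._-]*");
    // Hypothetical stand-in for the persisted producer configuration.
    private final Map<String, String> properties = new LinkedHashMap<>();

    /** Validates first and stores second, so a rejected name never reaches the store. */
    public void addProperty(String name, String label) {
        if (name == null || !VALID_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("Invalid registration property name");
        }
        properties.put(name, label);
    }

    public boolean contains(String name) { return properties.containsKey(name); }

    /** HTML-encodes a value on output, as a second layer behind input validation. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        RegistrationPropertyDemo producer = new RegistrationPropertyDemo();
        String reported = "<script>alert('a');</script>"; // name used in the report
        try {
            producer.addProperty(reported, "whatever");
        } catch (IllegalArgumentException e) {
            // The rejected value is encoded before it is echoed in the error message.
            System.out.println("rejected: " + escapeHtml(reported));
        }
        System.out.println("stored after rejection: " + producer.contains(reported));
        producer.addProperty("email", "E-mail address"); // constructed valid sample
        System.out.println("valid name stored: " + producer.contains("email"));
    }
}
```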