
Key: UP-2088
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Critical
Assignee: Eric Dalquist
Reporter: Dustin S.
Votes: 0
Watchers: 0
uPortal

ProxyServlet fails to return when remote content-type check fails

Created: 17/Jun/08 11:10 AM   Updated: 15/Sep/08 06:47 PM
Component/s: None
Affects Version/s: 2.6.1, 2.6.0 GA, 3.0.0
Fix Version/s: 2.6.2, 3.0.1, 3.1.0-M1

File Attachments:
1. HttpProxyServlet.patch (text file, 3 kB)
2. up_26_branch_patch.txt (text file, 3 kB)



Description

The third check, for a contentType of image, has a serious bug; the current code is as follows:

if (!contentType.startsWith("image")){
    response.setStatus(404);
    log.info("httpProxyServlet returning response 404 after receiving element with contentType ="+contentType);
    // no return here: execution continues past the failed check
}

However, it should be:

if (!contentType.startsWith("image")){
    response.setStatus(404);
    log.info("httpProxyServlet returning response 404 after receiving element with contentType ="+contentType);
    return; // stop before the remote body is copied to the response
}

Without the return, any content is still retrieved and displayed.
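The control-flow defect above is easy to reproduce outside a servlet container. The following is an added example, written for this page rather than taken from uPortal or the attached patches: a Python model of the proxy that fetches an upstream resource and must forward it only if it is an image. `proxy_buggy` mirrors the reported code (404 set, no return, body copied anyway), `proxy_fixed` returns at the failed check as the patch does, and `proxy_allowlist` is a stricter variant that is an assumption of this example, not part of the uPortal fix. `Upstream`, `Response`, `ALLOWED_IMAGE_TYPES` and the sample responses are constructed stand-ins, not real HTTP objects or captured traffic.

```python
"""Added example (not uPortal's code): the UP-2088 fall-through bug and its fix.

The ProxyServlet in the report sets a 404 status when the upstream Content-Type
is not an image, but without a `return` the rest of the method still copies the
upstream body into the response. `proxy_buggy` reproduces that control flow,
`proxy_fixed` stops at the failed check. Upstream resources and the servlet
response are small constructed stand-ins, not real HTTP objects.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Upstream:
    """Constructed stand-in for the fetched remote resource (no network I/O)."""
    content_type: str
    body: bytes


@dataclass
class Response:
    """Minimal stand-in for HttpServletResponse: status plus a buffered body."""
    status: int = 200
    content_type: Optional[str] = None
    body: bytearray = field(default_factory=bytearray)


def proxy_buggy(upstream: Upstream, response: Response) -> Response:
    """Mirrors the reported code: the check sets 404 but does not return."""
    if not upstream.content_type.startswith("image"):
        response.status = 404
        # the original logs here; with no `return` we fall through...
    # ...and the remainder of the method forwards whatever came back
    response.content_type = upstream.content_type
    response.body.extend(upstream.body)
    return response


def proxy_fixed(upstream: Upstream, response: Response) -> Response:
    """The patched control flow: bail out as soon as the check fails."""
    if not upstream.content_type.startswith("image"):
        response.status = 404
        return response
    response.content_type = upstream.content_type
    response.body.extend(upstream.body)
    return response


# Stricter variant (assumption of this example, not part of the uPortal patch):
# normalise the media type and compare it against an explicit allowlist.
ALLOWED_IMAGE_TYPES = frozenset({"image/png", "image/jpeg", "image/gif"})


def media_type(content_type: str) -> str:
    """'Image/PNG; charset=binary' -> 'image/png' (media types are case-insensitive)."""
    return content_type.split(";", 1)[0].strip().lower()


def proxy_allowlist(upstream: Upstream, response: Response) -> Response:
    """Like proxy_fixed, but only named raster image types pass."""
    if media_type(upstream.content_type) not in ALLOWED_IMAGE_TYPES:
        response.status = 404
        return response
    response.content_type = upstream.content_type
    response.body.extend(upstream.body)
    return response


# Constructed upstream responses: one legitimate image, one HTML page.
PNG = Upstream("image/png", b"\x89PNG\r\n\x1a\n...")
HTML = Upstream("text/html; charset=utf-8", b"<html><script>alert(1)</script></html>")


if __name__ == "__main__":
    for name, fn in (("buggy", proxy_buggy), ("fixed", proxy_fixed),
                     ("allowlist", proxy_allowlist)):
        r = fn(HTML, Response())
        print(f"{name:9s} text/html -> status {r.status}, {len(r.body)} body bytes")
```

Running it shows the shape of the bug: the buggy proxy answers the HTML fetch with status 404 but the full upstream body attached, so the client still receives the non-image content; the fixed proxy returns 404 with an empty body. A prefix match on "image" is also case-sensitive and accepts any `image/*` subtype, `image/svg+xml` included, which can carry script; the allowlist variant shows one way to tighten that if the proxied content is ever rendered in a browser context.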

Eric Dalquist [17/Jun/08 11:20 AM]
The patch for 3.0.0 fixes the vulnerability in the servlet and disables the servlet in the default configuration as it is not used unless the ProxyWriter is enabled.

Eric Dalquist [17/Jun/08 12:30 PM]
This has been applied to the trunk and the 3.0-patches branch.

Andrew Petro [17/Jun/08 01:11 PM]
Patch for the uPortal 2.6 branch.

Eric Dalquist [15/Sep/08 06:47 PM]
Closing issues that have been released.