[midPoint-git] [Evolveum/midpoint] 3bbd75: Fix guessable work item ID weakness (MID-5291)
mederly
noreply at github.com
Thu Apr 18 10:34:49 CEST 2019
Branch: refs/heads/support-3.9
Home: https://github.com/Evolveum/midpoint
Commit: 3bbd751856a08327a47892c1bac751d337ac2b77
https://github.com/Evolveum/midpoint/commit/3bbd751856a08327a47892c1bac751d337ac2b77
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2019-04-18 (Thu, 18 Apr 2019)
Changed paths:
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wf/WorkItemsPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/PageWorkItem.java
A gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/dto/ProtectedWorkItemId.java
Log Message:
-----------
Fix guessable work item ID weakness (MID-5291)
In addition to the work item number we expect and check a SHA256 hash
of some parts of the work item. The attacker does not know them,
so he is unable to create/guess the respective URL.
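
The check described in the log message, sketched as an added example (not code from this commit or from midPoint). The WorkItem record, its field names, the choice of hashed fields and the "id:hash" parameter layout are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ProtectedIdExample {
    // Hypothetical stored work item; which fields feed the hash is an assumption.
    record WorkItem(String id, String createdAt, String processInstanceId) {}

    static String sha256Hex(String input) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Hash over parts of the item that a user who only knows the number cannot see.
    static String hashOf(WorkItem wi) throws NoSuchAlgorithmException {
        return sha256Hex(wi.createdAt() + "\n" + wi.processInstanceId());
    }

    // Value placed in the page URL: "<work item number>:<hash>".
    static String protect(WorkItem wi) throws NoSuchAlgorithmException {
        return wi.id() + ":" + hashOf(wi);
    }

    // Server side: the item was loaded by number; recompute and compare in constant time.
    static boolean verify(String param, WorkItem stored) throws NoSuchAlgorithmException {
        int sep = param.lastIndexOf(':');
        if (sep < 0 || !param.substring(0, sep).equals(stored.id())) return false;
        byte[] expected = hashOf(stored).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = param.substring(sep + 1).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, supplied);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed sample data.
        WorkItem wi = new WorkItem("1042", "2019-04-18T10:34:49.123+02:00", "97215");
        WorkItem next = new WorkItem("1043", "2019-04-18T10:35:02.871+02:00", "97216");
        String param = protect(wi);
        String hash = param.substring(param.indexOf(':') + 1);
        System.out.println("genuine link accepted:       " + verify(param, wi));
        System.out.println("bare number accepted:        " + verify("1042", wi));
        System.out.println("hash of number accepted:     " + verify("1042:" + sha256Hex("1042"), wi));
        System.out.println("hash reused on next accepted: " + verify("1043:" + hash, next));
    }
}
```

The check is only as strong as the unpredictability of the hashed fields: an unkeyed hash over values the requester can enumerate adds nothing over the bare number.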