[midPoint-git] [Evolveum/midpoint] ecd459: Fix guessable work item ID weakness (MID-5291)
mederly
noreply at github.com
Thu Apr 18 10:35:23 CEST 2019
Branch: refs/heads/support-3.8
Home: https://github.com/Evolveum/midpoint
Commit: ecd45927e741470429275ac2fd65543858e2a969
https://github.com/Evolveum/midpoint/commit/ecd45927e741470429275ac2fd65543858e2a969
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2019-04-18 (Thu, 18 Apr 2019)
Changed paths:
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wf/WorkItemsPanel.java
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/PageWorkItem.java
A gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/dto/ProtectedWorkItemId.java
Log Message:
-----------
Fix guessable work item ID weakness (MID-5291)
In addition to the work item number we expect and check a SHA256 hash
of some parts of the work item. The attacker does not know them,
so he is unable to create/guess the respective URL.
Commit: b9cec8eb17e5da6a0a969e415e938cb5865f61a4
https://github.com/Evolveum/midpoint/commit/b9cec8eb17e5da6a0a969e415e938cb5865f61a4
Author: Pavol Mederly <mederly at evolveum.com>
Date: 2019-04-18 (Thu, 18 Apr 2019)
Changed paths:
M build-system/pom.xml
M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/WebSecurityConfig.java
M infra/common/src/main/java/com/evolveum/midpoint/common/validator/Validator.java
M infra/prism/src/main/java/com/evolveum/midpoint/prism/lex/dom/DomLexicalProcessor.java
M infra/prism/src/main/java/com/evolveum/midpoint/prism/schema/SchemaToDomProcessor.java
M infra/prism/src/test/java/com/evolveum/midpoint/prism/TestPrismParsingXml.java
A infra/prism/src/test/resources/common/xml/user-jack-xxe.xml
M infra/util/src/main/java/com/evolveum/midpoint/util/DOMUtil.java
M model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java
M provisioning/ucf-impl-connid/src/test/resources/connector-ldap.xml
Log Message:
-----------
Merge remote-tracking branch 'origin/support-3.8' into support-3.8
Compare: https://github.com/Evolveum/midpoint/compare/09b093066b70...b9cec8eb17e5
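The check described in the first commit's log message (work item number plus a SHA256 hash of parts of the work item), sketched as an added example; this is not the code from ProtectedWorkItemId.java. The class name, the hashed fields and the "id:hash" parameter format are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical illustration: field names and the "id:hash" format are assumptions.
public class ProtectedIdExample {
    // Constructed stand-in for a work item: the sequential id plus values
    // that a caller who only guesses ids does not know (assumed fields).
    static final class WorkItem {
        final String id, taskId, createdAt;
        WorkItem(String id, String taskId, String createdAt) {
            this.id = id; this.taskId = taskId; this.createdAt = createdAt;
        }
    }
    static byte[] sha256(WorkItem w) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        // Length-prefix each field so ("ab","c") and ("a","bc") hash differently.
        for (String f : new String[] { w.id, w.taskId, w.createdAt }) {
            byte[] b = f.getBytes(StandardCharsets.UTF_8);
            md.update((b.length + ":").getBytes(StandardCharsets.UTF_8));
            md.update(b);
        }
        return md.digest();
    }
    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }
    // Value placed in the URL instead of the bare work item number.
    static String protect(WorkItem w) throws NoSuchAlgorithmException {
        return w.id + ":" + hex(sha256(w));
    }
    // Server side: the item is loaded by id, the hash recomputed and compared.
    static boolean verify(String param, WorkItem stored) throws NoSuchAlgorithmException {
        int sep = param.indexOf(':');
        if (stored == null || sep < 0 || !param.substring(0, sep).equals(stored.id)) return false;
        byte[] given = param.substring(sep + 1).getBytes(StandardCharsets.UTF_8);
        byte[] expected = hex(sha256(stored)).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        WorkItem w = new WorkItem("1042", "task-7f3c", "2019-04-18T10:35:23"); // constructed sample
        String param = protect(w);
        String tampered = param.substring(0, param.length() - 1) + "x"; // last hash character altered
        System.out.println("valid parameter accepted: " + verify(param, w));
        System.out.println("bare id accepted:         " + verify("1042", w));
        System.out.println("altered hash accepted:    " + verify(tampered, w));
    }
}
```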