[midPoint-git] [Evolveum/midpoint] fd9a7a: Fix guessable work item ID weakness (MID-5291)

mederly noreply at github.com
Thu Apr 18 10:36:43 CEST 2019


  Branch: refs/heads/support-3.7
  Home:   https://github.com/Evolveum/midpoint
  Commit: fd9a7a5732feeb6bbb55132398947312b491d00b
      https://github.com/Evolveum/midpoint/commit/fd9a7a5732feeb6bbb55132398947312b491d00b
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2019-04-18 (Thu, 18 Apr 2019)

  Changed paths:
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/component/wf/WorkItemsPanel.java
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/PageWorkItem.java
    A gui/admin-gui/src/main/java/com/evolveum/midpoint/web/page/admin/workflow/dto/ProtectedWorkItemId.java

  Log Message:
  -----------
  Fix guessable work item ID weakness (MID-5291)

In addition to the work item number we expect and check a SHA256 hash
of some parts of the work item. The attacker does not know them,
so he is unable to create/guess the respective URL.
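The mechanism the commit message describes, as an added illustration that is not midPoint's own code: the URL parameter carries the work item number together with a SHA-256 over attributes an outsider does not know, and the server refuses any id whose hash does not match. The attribute names and sample values below are constructed, not taken from the project.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample of the server-side work item store. The numeric id is the
# guessable part; the other attributes (hypothetical field names) are assumed
# to be known only to the server and to legitimate participants.
WORK_ITEMS = {
    1001: {"task_oid": "9b2f5c1e-3a44-4f0b-8d6e-2c7a1f0e5d11",
           "created": "2019-04-18T08:12:05Z",
           "assignee_oid": "7e4d2a90-0c31-4b77-9f12-5a3c8e6b1d22"},
    1002: {"task_oid": "c41e77aa-51d0-4e8b-a2f3-0b9d6e4c8a33",
           "created": "2019-04-18T08:14:41Z",
           "assignee_oid": "1f9b3d7c-6e20-4a55-b8c1-4d2e7a9f0b44"},
}


def work_item_hash(item_id: int, item: dict) -> str:
    """SHA-256 over the id plus the non-guessable attributes, hex-encoded."""
    material = "|".join([str(item_id), item["task_oid"],
                         item["created"], item["assignee_oid"]])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def protected_id(item_id: int, item: dict) -> str:
    """The value placed in the URL: '<number>:<hash>'."""
    return f"{item_id}:{work_item_hash(item_id, item)}"


def resolve(protected: str) -> Optional[dict]:
    """Parse the URL value and return the work item only if the hash checks out."""
    number, sep, given = protected.partition(":")
    if not sep or not number.isdigit():
        return None            # bare number or malformed value: reject
    item = WORK_ITEMS.get(int(number))
    if item is None:
        return None            # unknown id: reject without revealing why
    expected = work_item_hash(int(number), item)
    # Constant-time comparison so response timing does not leak how many
    # characters of a candidate hash were correct.
    if not hmac.compare_digest(expected, given):
        return None
    return item
```

If any of the hashed attributes can be learned by an outsider, a plain hash no longer protects the id; in that case the digest needs a server-side secret key (an HMAC), which is a stronger variant than the commit message describes.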


  Commit: 131a1816f2cc0c2f6a8e89117945eec3a2b782d1
      https://github.com/Evolveum/midpoint/commit/131a1816f2cc0c2f6a8e89117945eec3a2b782d1
  Author: Pavol Mederly <mederly at evolveum.com>
  Date:   2019-04-18 (Thu, 18 Apr 2019)

  Changed paths:
    M gui/admin-gui/src/main/java/com/evolveum/midpoint/web/boot/WebSecurityConfig.java
    M infra/common/src/main/java/com/evolveum/midpoint/common/validator/Validator.java
    M infra/prism/src/main/java/com/evolveum/midpoint/prism/lex/dom/DomLexicalProcessor.java
    M infra/prism/src/main/java/com/evolveum/midpoint/prism/schema/SchemaToDomProcessor.java
    M infra/prism/src/test/java/com/evolveum/midpoint/prism/TestPrismParsingXml.java
    A infra/prism/src/test/resources/common/xml/user-jack-xxe.xml
    M infra/util/src/main/java/com/evolveum/midpoint/util/DOMUtil.java
    M model/model-client/src/main/java/com/evolveum/midpoint/model/client/ModelClientUtil.java

  Log Message:
  -----------
  Merge remote-tracking branch 'origin/support-3.7' into support-3.7


Compare: https://github.com/Evolveum/midpoint/compare/381b978611e9...131a1816f2cc


More information about the midPoint-svn mailing list