Details
- Bug
- Resolution: Done
- Minor
- EAP_EWP 5.1.2
- None
- all
- Release Notes
- Low
- Documented as Resolved Issue
- NEW
Description
Auditing is inconsistent: it filters out the "authorization" header but does not filter out the "j_password" form field parameter, so the password submitted to the form login can end up in the audit record.
See: jbosssx/src/main/java/org/jboss/security/authorization/resources/WebResource.java
Headers filter:
180 if(headerName.contains("authorization") == false)
181 sb.append(httpRequest.getHeader(headerName)).append(",");
No filtering for params:
197 sb.append(paramValues[i]).append("::");
Suggested solution:
197 if (!paramName.equalsIgnoreCase("j_password")) sb.append(paramValues[i]).append("::");
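As an added illustration (not the WebResource.java code from the issue), the following Java class shows the shape of a consistent fix: one case-insensitive deny list for headers and one for form parameters, applied in the same helper, so the two audit paths cannot drift apart again. It takes plain Maps instead of an HttpServletRequest so it runs without the servlet API; the header and parameter names, the sample request values and the "[REDACTED]" marker are assumptions made for the example.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Added example: builds an audit string from request headers and form
 * parameters, applying a case-insensitive deny list to both so that
 * credentials never reach the audit log. Not the project's own code.
 */
public class AuditRedactor {

    // Names the issue identifies as credential-bearing. Keeping them in one
    // place is the point: header and parameter filtering share one policy.
    private static final Set<String> SENSITIVE_HEADERS = Set.of("authorization");
    private static final Set<String> SENSITIVE_PARAMS = Set.of("j_password");

    private static final String REDACTED = "[REDACTED]"; // assumed marker

    private static boolean isSensitive(Set<String> deny, String name) {
        return name != null && deny.contains(name.toLowerCase(Locale.ROOT));
    }

    /** Headers: name=value pairs joined by ',' (the separator the issue quotes). */
    public static String auditHeaders(Map<String, String> headers) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : headers.entrySet()) {
            String value = isSensitive(SENSITIVE_HEADERS, e.getKey()) ? REDACTED : e.getValue();
            sb.append(e.getKey()).append('=').append(value).append(',');
        }
        return sb.toString();
    }

    /** Parameters: name=values joined by "::" (the separator the issue quotes). */
    public static String auditParams(Map<String, String[]> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String[]> e : params.entrySet()) {
            boolean redact = isSensitive(SENSITIVE_PARAMS, e.getKey());
            sb.append(e.getKey()).append('=');
            for (String v : e.getValue()) {
                sb.append(redact ? REDACTED : v).append("::");
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample request: a form login carrying both an
        // Authorization header and the j_password field.
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Authorization", "Basic dXNlcjpzZWNyZXQ="); // constructed value
        headers.put("User-Agent", "example-client/1.0");

        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("j_username", new String[] {"alice"});
        params.put("j_password", new String[] {"hunter2"}); // constructed value

        String audit = "headers: " + auditHeaders(headers) + " params: " + auditParams(params);
        System.out.println(audit);

        // Sanity check a reviewer could turn into a unit test:
        // neither credential may survive in the audit record.
        if (audit.contains("hunter2") || audit.contains("dXNlcjpzZWNyZXQ=")) {
            throw new IllegalStateException("credential leaked into audit record");
        }
    }
}
```

The example matches names case-insensitively on both paths, following the suggested `equalsIgnoreCase("j_password")` fix, and redacts the value rather than dropping the parameter so the audit record still shows which fields were submitted.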
Issue Links
- clones SECURITY-650: auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter (Resolved)
- JBPAPP-8369: CLONE - auditing is inconsistent: it filters out "authorization" header but does not filter out the "j_password" form field parameter (Closed)