Task #11154 (closed)
Bug: secure logfilename passing
Reported by: | jamoore | Owned by: | jamoore |
---|---|---|---|
Priority: | blocker | Milestone: | 5.0.0-rc1 |
Component: | Services | Version: | 5.0.0-beta1 |
Keywords: | fs | Cc: | fs@… |
Resources: | n.a. | Referenced By: | n.a. |
References: | n.a. | Remaining Time: | n.a. |
Sprint: | OMERO 5 Beta 2 (1) |
Description
See: https://github.com/openmicroscopy/openmicroscopy/pull/1251/files
When a filename is passed to CallContext it should be checked for write access by the current user. This should perhaps be encapsulated in a CallContextCallback or similar, which can be injected into the CallContext object.
Change History (9)
comment:1 Changed 11 years ago by jamoore
- Milestone changed from 5.0.0-beta1 to 5.0.0-beta2
- Sprint FS demo 4.x deleted
- Version set to 4.4.8
comment:2 Changed 11 years ago by jamoore
- Version changed from 4.4.8 to 5.0.0-beta1
comment:3 Changed 11 years ago by jamoore
- Owner set to cblackburn
comment:4 Changed 11 years ago by jamoore
- Sprint set to OMERO 5 Beta 2 (1)
comment:5 Changed 11 years ago by cblackburn
comment:6 Changed 11 years ago by jamoore
- Owner changed from cblackburn to jamoore
comment:7 Changed 11 years ago by bpindelski
Solution proposed by Josh: a token (UUID) is generated in the Spring context and injected into CallContext and ManagedRepositoryI. It is then passed from ManagedRepositoryI to OMEROMetadataStoreClient (along with the log filename). The CallContext can then check for the presence of the token and allow or deny the use of omero.logfilename (throw an exception if denied).
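The token check described in comment:7, as an added Java sketch that is not OMERO's code and not part of the ticket. It assumes the token travels in the same call-context map as omero.logfilename; LogfileGuard and the key omero.logfilename.token are hypothetical names.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Added sketch: every name except omero.logfilename is hypothetical.
public class LogfileTokenDemo {
    static final String FILE_KEY = "omero.logfilename";         // key named in the ticket
    static final String TOKEN_KEY = "omero.logfilename.token";  // hypothetical key name

    /** Stands in for the check CallContext performs on each call's context map. */
    static final class LogfileGuard {
        private final byte[] token;
        LogfileGuard(String token) { this.token = token.getBytes(StandardCharsets.UTF_8); }

        String resolve(Map<String, String> ctx) {
            String file = ctx.get(FILE_KEY);
            if (file == null) return null; // ordinary call, nothing to authorize
            String presented = ctx.get(TOKEN_KEY);
            byte[] got = presented == null ? new byte[0] : presented.getBytes(StandardCharsets.UTF_8);
            // Constant-time comparison so the token cannot be recovered byte by byte.
            if (!MessageDigest.isEqual(token, got)) {
                throw new SecurityException(FILE_KEY + " set without a valid token");
            }
            return file;
        }
    }

    public static void main(String[] args) {
        // Generated once at start-up (the ticket does this in the Spring context)
        // and handed only to the guard and to the trusted server-side caller.
        String token = UUID.randomUUID().toString();
        LogfileGuard guard = new LogfileGuard(token);

        Map<String, String> trusted = new HashMap<>();    // what the repository side sends
        trusted.put(FILE_KEY, "/constructed/import.log"); // constructed sample path
        trusted.put(TOKEN_KEY, token);
        System.out.println("trusted -> " + guard.resolve(trusted));

        Map<String, String> untrusted = new HashMap<>();  // a client setting the key itself
        untrusted.put(FILE_KEY, "/constructed/other.log");
        try {
            guard.resolve(untrusted);
        } catch (SecurityException e) {
            System.out.println("untrusted -> denied: " + e.getMessage());
        }
    }
}
```

The check is only as strong as the token's confidentiality, so the token must never be logged or returned to a client.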
comment:8 Changed 11 years ago by bpindelski
- Resolution set to fixed
- Status changed from new to closed
comment:9 Changed 11 years ago by Josh Moore <josh@…>
(In [26fb90ed074bbc84a97c565b47a932bc83eec25f/ome.git] on branch develop) Merge pull request #1866 from bpindelski/11154-logfile
Make log filename setting secure (see #11154).
In reviewing the reasons for this ticket I noticed this minor issue which can be fixed in any PR addressing the ticket.
https://github.com/openmicroscopy/openmicroscopy/pull/1251/files#r7626187