Apache Geronimo > Discussion Forums | User List | Dev List | Wiki | Issue Tracker
[jira] Created: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

Key: GERONIMO-4722
URL: https://issues.apache.org/jira/browse/GERONIMO-4722
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Affects Versions: 2.1.4, 2.2
Reporter: Kevan Miller
Priority: Minor
Fix For: 2.1.5, 2.2

The XSS/XSRF filters are causing session objects to be created for unknown URLs. For instance, a request for localhost:8080/nonexistenturl creates a session, as indicated in the following stack trace:

http-0.0.0.0-8080-1@10 daemon, priority=5, in group 'main', status: 'RUNNING'
    at org.apache.catalina.session.StandardManager.createSession(StandardManager.java:284)
    at org.apache.catalina.connector.Request.doGetSession(Request.java:2312)
    at org.apache.catalina.connector.Request.getSession(Request.java:2075)
    at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:833)
    at org.apache.geronimo.console.filter.XSRFHandler.isInvalidSession(XSRFHandler.java:79)
    at org.apache.geronimo.console.filter.XSSXSRFFilter.doFilter(XSSXSRFFilter.java:109)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
    at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
    at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:613)

-- This message is automatically generated by JIRA. You can reply to this email to add a comment to the issue online.

[jira] Assigned: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

[ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Bohn reassigned GERONIMO-4722:

Assignee: Joe Bohn

[jira] Commented: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

[ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12725723#action_12725723 ]

Joe Bohn commented on GERONIMO-4722:

It appears that we were too aggressive in the application of the XSSXSRFFilter. There is no strong reason that this should be applied to the welcome application, which has a context-root of "/". Combine that with the filter URL pattern of "/*" registered for the filter on the welcome application and nearly every URL is inspected. It seems we can remove this filter from welcome. Refer to this thread for more details: http://www.nabble.com/Session-creation-triggered-by-XSS-XSRF-filter-to24272007s134.html

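The mechanism behind the report, as an added illustration that is not Geronimo's own XSSXSRFFilter or XSRFHandler source: a filter mapped to "/*" on a root-context application sees every request to the host, and HttpServletRequest.getSession() is getSession(true), so the XSRF check itself allocates a container session for each unknown, unauthenticated URL. The filter below shows that shape beside the fix at the code level, consulting only a session that already exists. It assumes the Servlet 2.5 API (javax.servlet.*) that Geronimo 2.1/2.2 provides; the attribute name "xsrf.token" and the request parameter "formId" are hypothetical.

```java
// Added illustration, not the Geronimo project's own filter code.
// Assumes the Servlet 2.5 API; TOKEN_ATTR and TOKEN_PARAM are hypothetical names.
import java.io.IOException;
import java.security.MessageDigest;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class XsrfCheckFilter implements Filter {
    // Hypothetical: where the per-session token lives and how a form sends it back.
    static final String TOKEN_ATTR = "xsrf.token";
    static final String TOKEN_PARAM = "formId";

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isInvalidSession(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "XSRF token mismatch");
            return;
        }
        chain.doFilter(req, res);
    }

    // BEFORE: the shape implied by the stack trace. getSession() is getSession(true),
    // so every request that reaches the filter, including an unauthenticated
    // GET /nonexistenturl, allocates a session in the container's session manager
    // before anything has decided the request is worth tracking. An anonymous client
    // can drive that allocation as fast as it can send requests.
    static boolean isInvalidSessionBefore(HttpServletRequest request) {
        HttpSession session = request.getSession();
        return tokenMismatch(session, request.getParameter(TOKEN_PARAM));
    }

    // AFTER: only consult a session that already exists. A request carrying no
    // session cannot be riding on a logged-in user's cookies, so there is nothing
    // to forge and nothing to allocate; the application decides what to do with it.
    static boolean isInvalidSession(HttpServletRequest request) {
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        return tokenMismatch(session, request.getParameter(TOKEN_PARAM));
    }

    // Invalid only when the session holds a token and the request's copy differs.
    // MessageDigest.isEqual is used instead of String.equals so the comparison does
    // not stop at the first differing byte (constant-time in modern JDKs).
    static boolean tokenMismatch(HttpSession session, String supplied) {
        String expected = (String) session.getAttribute(TOKEN_ATTR);
        if (expected == null) {
            return false;
        }
        if (supplied == null) {
            return true;
        }
        return !MessageDigest.isEqual(expected.getBytes(), supplied.getBytes());
    }
}
```

The code-level change is only half of it. The other half is the mapping: a url-pattern of "/*" in the web.xml of an application deployed at context-root "/" is a host-wide filter, so it should be mapped to the paths that actually render forms and handle their submissions, or, as the thread concludes for the welcome application, not registered there at all. A quick check after any such change is to request a nonexistent URL with no cookies and confirm the response carries no Set-Cookie: JSESSIONID header.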
[jira] Resolved: (GERONIMO-4722) XSS/XSRF filters are triggering Session object creation for unknown URLs

[ https://issues.apache.org/jira/browse/GERONIMO-4722?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe Bohn resolved GERONIMO-4722.

Resolution: Fixed

I've committed changes in branches/2.1 (rev. 789881) and trunk (rev. 789885). This seems to resolve the problem you observed with session creation. Please validate before closing.
