Change in ovirt-engine[master]: core: Protect GetAttachmentServlet from response splitting a...

ofrenkel at redhat.com
Wed Mar 6 11:38:43 UTC 2013


Omer Frenkel has submitted this change and it was merged.

Change subject: core: Protect GetAttachmentServlet from response splitting attack
......................................................................


core: Protect GetAttachmentServlet from response splitting attack

The current version of GetAttachmentServlet inserts the given filename directly
into the HTTP response header, which allows code splitting.
This patch fixes it by URL-encoding the given filename.

Change-Id: I90dd7d95879342d70cfbb43c49d128457aebc35e
Signed-off-by: Frantisek Kobzik <fkobzik at redhat.com>
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=843410
---
M backend/manager/modules/root/src/main/java/org/ovirt/engine/core/GetAttachmentServlet.java
1 file changed, 3 insertions(+), 2 deletions(-)

Approvals:
  Omer Frenkel: Verified; Looks good to me, approved


--
To view, visit http://gerrit.ovirt.org/12671

Gerrit-MessageType: merged
Gerrit-Change-Id: I90dd7d95879342d70cfbb43c49d128457aebc35e
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Frank Kobzik <fkobzik at redhat.com>
Gerrit-Reviewer: Arik Hadas <ahadas at redhat.com>
Gerrit-Reviewer: Frank Kobzik <fkobzik at redhat.com>
Gerrit-Reviewer: Omer Frenkel <ofrenkel at redhat.com>
Gerrit-Reviewer: Tomas Jelinek <tjelinek at redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vszocs at redhat.com>
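
Added example, not part of the original message and not the oVirt patch itself: a stand-alone Java sketch of the issue the commit message describes, comparing a header value built from the raw filename with one built from the URL-encoded filename. The class name, the method names, the use of a Content-Disposition header and the sample filenames are assumptions made for illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;

public class AttachmentHeaderDemo {

    // "Before" form: the request-supplied filename goes into the header value as-is.
    static String rawContentDisposition(String fileName) {
        return "attachment; filename=" + fileName;
    }

    // "After" form: URL-encode first, so CR and LF become %0D and %0A
    // and can no longer end the header line.
    static String encodedContentDisposition(String fileName)
            throws UnsupportedEncodingException {
        return "attachment; filename=" + URLEncoder.encode(fileName, "UTF-8");
    }

    // A header value that still contains CR or LF can terminate the header
    // early, letting the remainder be parsed as further headers or a body.
    static boolean hasLineBreak(String headerValue) {
        return headerValue.indexOf('\r') >= 0 || headerValue.indexOf('\n') >= 0;
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        // Constructed sample inputs, not taken from the bug report.
        String[] samples = {
            "console.vv",
            "my report.txt",
            "a.txt\r\nX-Constructed-Header: 1"
        };
        for (String name : samples) {
            String before = rawContentDisposition(name);
            String after = encodedContentDisposition(name);
            System.out.println("raw value has line break:     " + hasLineBreak(before));
            System.out.println("encoded value has line break: " + hasLineBreak(after));
            System.out.println("encoded header value:         " + after);
            System.out.println();
        }
    }
}
```

`URLEncoder` also rewrites characters that are harmless in a header (a space becomes `+`), so the download name a client shows can differ from the requested one unless the client decodes it.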
