JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy


JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Andre Pietsch
Hi!

I found this in Line 19 of JasperController.groovy in the JasperReports-Plugin:
                        from = shell.evaluate(params._from)

Isn't this a critical security issue or are "_" prefixed parameters something special?

Regards,
Andre
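As an added example (not the plugin's code: the class names, the `_controller`/`_action` parameters and the provider registry are assumptions), the evaluated-parameter pattern quoted above is shown beside a hardened shape modelled on the controller/action attributes the 0.8 release adopted later in this thread; request parameters are used only as allow-list keys and are never evaluated.

```groovy
import java.util.regex.Pattern
// The pattern reported at the top of the thread: a request parameter is treated
// as Groovy source and run inside the server JVM, so whoever controls "_from"
// controls what the server executes.
class VulnerableReportController {
    def report(Map params) {
        def shell = new GroovyShell()
        return shell.evaluate(params._from)   // evaluates caller-supplied code
    }
}

// Assumed hardened shape, modelled on the controller/action attributes of the
// 0.8 release: parameters only select an entry in a registry that lives in
// application code, so nothing taken from the request is ever evaluated.
class HardenedReportController {
    private static final Pattern NAME = ~/[a-z][a-zA-Z0-9]*/

    // Registry of report data providers keyed by "controller/action" (constructed).
    private final Map<String, Closure<List>> providers = [
        'book/list'  : { -> [[title: 'Groovy in Action'], [title: 'Grails in Action']] },
        'author/list': { -> [[name: 'Dierk'], [name: 'Graeme']] },
    ]

    List report(Map params) {
        String controller = params._controller
        String action = params._action
        // Reject non-identifiers before the lookup, so errors and logs never echo arbitrary request text.
        if (controller == null || action == null ||
            !(controller ==~ NAME) || !(action ==~ NAME)) {
            throw new IllegalArgumentException('Invalid report source')
        }
        Closure<List> provider = providers["${controller}/${action}".toString()]
        if (provider == null) {
            throw new IllegalArgumentException("Unknown report source: ${controller}/${action}")
        }
        return provider.call()
    }
}

// Constructed demonstration: a registered source is served; an unregistered one,
// even with well-formed names, is refused instead of being interpreted.
def hardened = new HardenedReportController()
assert hardened.report([_controller: 'book', _action: 'list']).size() == 2
try {
    hardened.report([_controller: 'book', _action: 'delete'])
    assert false, 'unregistered source must be rejected'
} catch (IllegalArgumentException expected) {
    assert expected.message.startsWith('Unknown report source')
}
```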

Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Andre Pietsch
Am I the only one considering this a security design flaw?

Regards,
Andre

Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Peter Ledbrook
2008/6/26 scai_andre <[hidden email]>:
>
> Am I the only one considering this a security design flaw?
>
> Regards,
> Andre

No. Have you raised an issue in JIRA for this?

Cheers,

Peter

--
Software Engineer
G2One, Inc.
http://www.g2one.com/

---------------------------------------------------------------------
To unsubscribe from this list, please visit:

    http://xircles.codehaus.org/manage_email



Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Andre Pietsch
I looked into JIRA but there is no component for the JasperReports-Plugin.

Regards,
Andre

Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Peter Ledbrook
2008/6/26 scai_andre <[hidden email]>:
>
> I looked into JIRA but there is no component for the JasperReports-Plugin.

Ah, that doesn't help. OK, try now. And if Marcos Fábio Pereira is in
the house and has a JIRA ID: can you let me know what it is and I'll
set you up as the component lead?

Cheers,

Peter


Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Andre Pietsch
Hi!

Sorry, I just saw this mail.

JIRA Bug added now.

http://jira.codehaus.org/browse/GRAILSPLUGINS-439

It seems as if the programmer is gone or not tracking this list, doesn't it?

Regards,
Andre

Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

achim.breunig
On Wednesday I submitted a patch with a proposal to fix issue http://jira.codehaus.org/browse/GRAILSPLUGINS-439.
I did not receive any comments yet. What do you think about that proposal?

Cheers,
Achim


----------  Reply to Message  ----------

Subject: Re: [grails-user] JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy
Date: Tuesday 08 July 2008
From: scai_andre <[hidden email]>
To: [hidden email]


Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Andre Pietsch
Hi Achim,

well, this is using some Spring mechanism I do not understand. But if my imagination of what it could mean does not betray me, I think this could do the trick.

But it definitely would need detailed documentation on the plugin's page.

Thanks for the patch!

Now we would need somebody feeling "in charge"...

Regards,
Andre

Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

Andre Pietsch
Just to make that clear: I am not able to invoke that patch. Is there anybody feeling responsible?

Re: JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy

achim.breunig
Hi,

Marcos Fabio informed me that he has released the 0.8 release of the Jasper plugin.
In this release he has replaced the from attribute with action and controller attributes (see http://www.grails.org/Jasper+Plugin).
In my opinion this is a much better solution for this security issue than mine.
I think one can close this bug and forget my patch :-)

Kind regards,

Achim


----------  Reply to Message  ----------

Subject: Re: [grails-user] JasperReports-Plugin: Possible Security issue: shell.evaluate() in JasperController.groovy
Date: Wednesday 16 July 2008
From: scai_andre <[hidden email]>
To: [hidden email]
