Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.2.1
    • Fix Version/s: 2.2.2
    • Component/s: Caching
    • Labels:
      None

      Description

      2.2.0 added a feature to pass user attributes as headers.
      However, headers are not considered in cache key generation.
      This means two users' responses from a URL that was nuanced by identity information in headers will have the same cache key, and so User B could see the response cached for User A.

      This drew attention to inappropriate cross-user caching issues that have been present through the whole v2 series until v2.2.2.
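
A minimal model of the collision described above, added here as an illustration; it is not code from Web Proxy Portlet. The header name `X-User-Id`, the URL and the backend are constructed, and keying on the forwarded headers is an assumed mitigation, not necessarily the change shipped in 2.2.2.

```python
import hashlib

URL = "https://portal.example.edu/proxy/grades"  # constructed sample URL

def key_url_only(url, headers):
    """Flawed keying described in the issue: forwarded headers are ignored."""
    return hashlib.sha256(url.encode()).hexdigest()

def key_with_headers(url, headers):
    """Key over the URL plus every forwarded header (assumed mitigation)."""
    pairs = sorted((n.lower(), v) for n, v in headers.items())
    digest = hashlib.sha256()
    for part in [url] + [f"{n}:{v}" for n, v in pairs]:
        raw = part.encode()
        # Length-prefix each field so adjacent fields cannot be confused.
        digest.update(len(raw).to_bytes(4, "big") + raw)
    return digest.hexdigest()

class ProxyCache:
    """Tiny in-memory response cache parameterized by its key function."""
    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.store = {}

    def fetch(self, url, headers, backend):
        key = self.key_fn(url, headers)
        if key not in self.store:          # miss: ask the proxied application
            self.store[key] = backend(url, headers)
        return self.store[key]

def backend(url, headers):
    """Constructed stand-in for a proxied app that personalizes on a header."""
    return "grades for " + headers.get("X-User-Id", "anonymous")

def two_users(key_fn):
    """User A requests first, then user B requests the same URL."""
    cache = ProxyCache(key_fn)
    first = cache.fetch(URL, {"X-User-Id": "alice"}, backend)
    second = cache.fetch(URL, {"X-User-Id": "bob"}, backend)
    return first, second

if __name__ == "__main__":
    print("url-only key:    ", two_users(key_url_only))
    print("header-aware key:", two_users(key_with_headers))
```

With the URL-only key the second user is served the first user's cached body; with the header-aware key each identity gets its own entry, and header-name case does not split the cache.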

          Activity

          Andrew Petro added a comment -

          While passing user attributes as headers is one way to fall prey to the problem, the caching introduced in v2.0.0 is in general too naive such that there are other inappropriate cross-user cache hit possibilities. Affects all WPPv2 versions prior to fix.

          Andrew Petro added a comment - - edited

          Drafted materials supporting public disclosure. Subsequently, posted to uportal-dev and to uportal-user.

          Andrew Petro added a comment - - edited

          Proposed post on apereo.github.io.

          Andrew Petro added a comment -

          Re-opening to edit to remove Security Issue flag to allow public visibility of issue, now that disclosed.

          Andrew Petro added a comment - - edited

          Requested CVE-ID on 2016-11-16 via oss-security@.
          Followed up on 2016-11-28 via http://iwantacve.org/ after an email to cve-assign@mitre.org got a do-not-email-this-address auto-reply.
          Tickled oss-security@ thread on 2016-12-06 after no apparent response from having submitted the iwantacve.org form.


            People

            • Assignee: Andrew Petro
            • Reporter: Andrew Petro