Opened 15 years ago
Closed 13 years ago
#1351 closed defect (fixed)
CreateSession can generate invalid session ids
| Reported by: | jng | Owned by: | jng |
|---|---|---|---|
| Priority: | low | Milestone: | 2.4 |
| Component: | Map Agent | Version: | 2.2.0 |
| Severity: | trivial | Keywords: | |
| Cc: | | External ID: | |
Description (last modified)
The recent security patches for the AJAX viewer imposed the following pattern restriction on MapGuide session ids:
00000000-0000-0000-0000-000000000000_aa_00000000000000000000
The "aa" component is the locale when the CREATESESSION mapagent call is made. However if a custom LOCALE parameter is passed which is not 2 characters (eg. en-US), then that is actually incorporated into the generated session id itself, making it unusable when it is passed to the AJAX viewer.
Attached is a modified mapagent form for the CREATESESSION operation.
Steps to reproduce:
- Load the modified form
- Specify a LOCALE longer than 2 characters (e.g. en-US)
- Invoke the CREATESESSION operation
- Open any WebLayout using this generated session id
- You will get an HTTP authentication prompt because the generated id fails the pattern check.
The LOCALE parameter should either be rejected or validated to ensure it is 2 characters wide.
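The following is an added example, not code from MapGuide or from this ticket, showing why an unchecked LOCALE breaks the id and what the requested validation looks like. The regular expression is an assumed reconstruction of the pattern the ticket quotes (hex digits for the `0` positions, two letters for `aa`); the sample GUID and trailing component are constructed values, and `BuildSessionIdUnchecked`, `BuildSessionIdChecked` and `IsValidSessionId` are hypothetical names, not MapGuide's API.

```cpp
#include <cctype>
#include <iostream>
#include <regex>
#include <stdexcept>
#include <string>

// Assumed reconstruction of the session id pattern the ticket quotes:
// 00000000-0000-0000-0000-000000000000_aa_00000000000000000000
// (hex for the '0' positions, two ASCII letters for 'aa').
static const std::regex kSessionIdPattern(
    "^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}"
    "_[A-Za-z]{2}_[0-9A-Fa-f]{20}$");

// Constructed sample values (not real MapGuide output).
static const std::string kSampleGuid   = "12345678-1234-1234-1234-123456789abc";
static const std::string kSampleSuffix = "0123456789abcdef0123";

// The check the AJAX viewer applies before accepting a session id.
bool IsValidSessionId(const std::string& id) {
    return std::regex_match(id, kSessionIdPattern);
}

// Mirrors the defect described in the ticket: the locale is spliced into the
// id exactly as received, regardless of its length.
std::string BuildSessionIdUnchecked(const std::string& guid,
                                    const std::string& locale,
                                    const std::string& suffix) {
    return guid + "_" + locale + "_" + suffix;
}

// The validation the ticket asks for: exactly two ASCII letters.
bool IsValidLocale(const std::string& locale) {
    if (locale.size() != 2) return false;
    for (unsigned char c : locale) {
        if (!std::isalpha(c)) return false;
    }
    return true;
}

// Hardened construction: reject the LOCALE parameter rather than emit an id
// that will later fail the viewer's pattern check.
std::string BuildSessionIdChecked(const std::string& guid,
                                  const std::string& locale,
                                  const std::string& suffix) {
    if (!IsValidLocale(locale)) {
        throw std::invalid_argument("LOCALE must be exactly 2 letters");
    }
    return BuildSessionIdUnchecked(guid, locale, suffix);
}

int main() {
    for (const std::string locale : {"en", "en-US"}) {
        const std::string id = BuildSessionIdUnchecked(kSampleGuid, locale, kSampleSuffix);
        std::cout << id << " -> " << (IsValidSessionId(id) ? "accepted" : "rejected")
                  << " by viewer pattern\n";
        try {
            BuildSessionIdChecked(kSampleGuid, locale, kSampleSuffix);
            std::cout << "  checked build: ok\n";
        } catch (const std::invalid_argument& e) {
            std::cout << "  checked build: " << e.what() << "\n";
        }
    }
    return 0;
}
```

Running it shows the id built with `en` passing the pattern while the one built with `en-US` fails it; the checked builder refuses the second locale up front, which is the behaviour the ticket requests of CREATESESSION.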
Attachments (1)
Change History (7)
by , 15 years ago

Attachment: createsessionform.html added
comment:1 by , 15 years ago

Description: modified (diff)
comment:2 by , 15 years ago

Owner: set to
comment:4 by , 13 years ago

Owner: changed from  to
The problem is in MgUserInformation::CreateMgSessionId(). It does not check the length of the locale property.
comment:5 by , 13 years ago

Milestone: → 2.4
comment:6 by , 13 years ago

Resolution: → fixed
Status: new → closed
Attachment description: Modified CREATESESSION form