[mapguide-trac] #1351: CreateSession can generate invalid session ids

MapGuide Open Source trac_mapguide at osgeo.org
Fri May 7 07:56:43 EDT 2010


#1351: CreateSession can generate invalid session ids
-----------------------+----------------------------------------------------
 Reporter:  jng        |         Owner:       
     Type:  defect     |        Status:  new  
 Priority:  low        |     Milestone:       
Component:  Map Agent  |       Version:  2.2.0
 Severity:  trivial    |    Resolution:       
 Keywords:             |   External_id:       
-----------------------+----------------------------------------------------
Old description:

> The recent security patches for the AJAX viewer imposed the following
> pattern restriction on MapGuide session ids:
>
> 00000000-0000-0000-0000-000000000000_aa_00000000000000000000
>
> The "aa" component is the locale when the CREATESESSION mapagent call is
> made. However if a custom LOCALE parameter is passed which is not 2
> characters (e.g. en-US), then that is actually incorporated into the
> generated session id itself, making it unusable when it is passed to the
> AJAX viewer.
>
> Attached is a modified mapagent form for the CREATESESSION operation.
>
> Steps to reproduce:
>
> 1. Load the modified form
> 2. Specify a LOCALE greater than 2 characters (e.g. en-US)
> 3. Invoke the CREATESESSION operation
> 4. Open any WebLayout using this generated session id
> 5. You will get an HTTP authentication prompt because the generated id
> fails the pattern check.
>
> The LOCALE parameter should either be rejected or validated to ensure it
> is 2 characters wide.

New description:

 The recent security patches for the AJAX viewer imposed the following
 pattern restriction on MapGuide session ids:

 00000000-0000-0000-0000-000000000000_aa_00000000000000000000

 The "aa" component is the locale when the CREATESESSION mapagent call is
 made. However if a custom LOCALE parameter is passed which is not 2
 characters (e.g. en-US), then that is actually incorporated into the
 generated session id itself, making it unusable when it is passed to the
 AJAX viewer.

 Attached is a modified mapagent form for the CREATESESSION operation.

 Steps to reproduce:

  1. Load the modified form
  2. Specify a LOCALE greater than 2 characters (e.g. en-US)
  3. Invoke the CREATESESSION operation
  4. Open any WebLayout using this generated session id
  5. You will get an HTTP authentication prompt because the generated id
     fails the pattern check.

 The LOCALE parameter should either be rejected or validated to ensure it
 is 2 characters wide.

-- 
Ticket URL: <http://trac.osgeo.org/mapguide/ticket/1351#comment:1>
MapGuide Open Source <http://mapguide.osgeo.org/>
MapGuide Open Source Internals
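
Added example, not part of the ticket or of MapGuide's code: a Python sketch of the mismatch described above, where a session id producer embeds LOCALE verbatim and a strict pattern check later rejects the result. The regular expressions are assumptions derived from the template in the ticket (zeros read as hex digits, "aa" as two letters), and all function names are hypothetical.

```python
import re
import secrets
import uuid

# Assumed reading of the template in the ticket:
#   00000000-0000-0000-0000-000000000000_aa_00000000000000000000
# zeros = hex digits, "aa" = two ASCII letters. MapGuide's real check may differ.
HEX = "[0-9A-Fa-f]"
SESSION_ID_RE = re.compile(
    rf"{HEX}{{8}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{4}}-{HEX}{{12}}_[A-Za-z]{{2}}_{HEX}{{20}}"
)
LOCALE_RE = re.compile(r"[A-Za-z]{2}")


def is_valid_session_id(session_id: str) -> bool:
    """Consumer-side check (the viewer's role in the ticket)."""
    # fullmatch, not match with "$": "$" would also accept a trailing newline.
    return SESSION_ID_RE.fullmatch(session_id) is not None


def build_session_id(locale: str) -> str:
    """Hypothetical producer that embeds LOCALE verbatim, as the ticket reports."""
    return f"{uuid.uuid4()}_{locale}_{secrets.token_hex(10)}"


def create_session(locale: str) -> str:
    """Producer with the fix the ticket proposes: reject a LOCALE that is not 2 letters."""
    if LOCALE_RE.fullmatch(locale) is None:
        raise ValueError(f"LOCALE must be exactly 2 letters, got {locale!r}")
    session_id = build_session_id(locale)
    # Producer and consumer share one pattern, so an id is never issued
    # that the consumer would later refuse.
    assert is_valid_session_id(session_id)
    return session_id


if __name__ == "__main__":
    for locale in ("en", "en-US"):  # constructed inputs
        sid = build_session_id(locale)
        print(locale, sid, "accepted" if is_valid_session_id(sid) else "rejected")
```

Validating at creation time turns the late, confusing failure (an authentication prompt in the viewer) into an immediate error on the CREATESESSION call.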

