Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed and reviewed
    • Affects versions: 5.2
    • Fix versions: None
    • Components: RESTful Interfaces
    • Labels:
      None
    • Severity:
      Data Loss/Corruption
    • Steps to reproduce:
      The POST /ingest/ingest REST endpoints accept form data encoded as
      `application/x-www-form-urlencoded` or as `multipart/form-data`.
      Regardless of the encoding, however, URL-decoding of all values is
      performed. This may lead to corruption of data sent in this request.

      A simple example of the problem is attaching an episode access control
      list which is expected to have the flavor `security/xacml+episode`.
      Ingesting this in a `multipart/form-data` request will force the
      URL-decoding of the non-encoded data and will convert this flavor to
      `security/xacml episode`.

      Opencast will now obviously not match this modified flavor anymore when
      it is looking for ACLs and is furthermore not at all happy about the
      space contained in the flavor, causing further problems.

      This patch fixes the decoding problems.
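
The corruption described in this report can be reproduced outside Opencast. The following is an added example, not Opencast code and not the patch attached to this issue: it models the reported behaviour in Python using constructed request bodies, and all function names are hypothetical.

```python
from email import message_from_bytes
from urllib.parse import parse_qsl, unquote_plus

# Constructed sample requests: the same field sent in both encodings.
BOUNDARY = "example-boundary"
MULTIPART_TYPE = f"multipart/form-data; boundary={BOUNDARY}"
MULTIPART_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="flavor"\r\n'
    "\r\n"
    "security/xacml+episode\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
URLENCODED_TYPE = "application/x-www-form-urlencoded"
URLENCODED_BODY = b"flavor=security%2Fxacml%2Bepisode"


def raw_multipart_fields(content_type, body):
    """Return multipart field values exactly as they were transmitted."""
    msg = message_from_bytes(
        b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
    return {
        part.get_param("name", header="content-disposition"):
            part.get_payload(decode=True).decode()
        for part in msg.get_payload()
    }


def fields_decode_always(content_type, body):
    """Model of the reported bug: URL-decode values whatever the encoding."""
    if content_type.startswith("multipart/form-data"):
        raw = raw_multipart_fields(content_type, body)
        # '+' in a verbatim multipart value is turned into a space here.
        return {k: unquote_plus(v) for k, v in raw.items()}
    return dict(parse_qsl(body.decode()))


def fields_by_content_type(content_type, body):
    """URL-decode only when the body really is URL-encoded."""
    if content_type.startswith("multipart/form-data"):
        return raw_multipart_fields(content_type, body)
    return dict(parse_qsl(body.decode()))
```

Only the multipart request is affected: a URL-encoded client escapes `+` as `%2B`, so a single decode restores the flavor, while the multipart value is sent verbatim and must not be decoded at all.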


            People

            • Assignee:
              lkiesow Lars Kiesow
              Reporter:
              lkiesow Lars Kiesow