OASIS Mailing List Archives

 



odata message



Subject: [OASIS Issue Tracker] (ODATA-629) Security: Returning Core.Permission'None' could be information leakage


Michael Pizzo created ODATA-629:
-----------------------------------

             Summary: Security: Returning Core.Permission'None' could be information leakage
                 Key: ODATA-629
                 URL: https://tools.oasis-open.org/issues/browse/ODATA-629
             Project: OASIS Open Data Protocol (OData) TC
          Issue Type: Task
          Components: Securing Open Data
    Affects Versions: V4.0_WD01
         Environment: [Proposed]
            Reporter: Michael Pizzo
             Fix For: V4.0_WD01


11.2.2 specifies that if properties are not available due to permissions, the Core.Permission'None' is returned for that property.

For dynamic properties not advertised in metadata, there could be scenarios where even the fact that the property exists would be information leakage. For example, the client could specify the unadvertised property in $select and look for a Core.Permission'None' annotation rather than a failed request.



--
This message was sent by Atlassian JIRA
(v6.1.1#6155)
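The distinction the issue describes can be checked in a service's test suite. The following is an added illustration, not part of the issue or of the OData specification: the response shape, the 400 status for a failed request, the property names and the `hide_unadvertised` policy are all assumptions, and that policy is one possible mitigation rather than the TC's resolution.

```python
from dataclasses import dataclass, field

PERMISSION_NONE = "Core.Permission'None'"

@dataclass
class Entity:
    declared: dict                               # properties advertised in metadata
    dynamic: dict = field(default_factory=dict)  # unadvertised dynamic properties
    readable: set = field(default_factory=set)   # properties this caller may read

def select(entity, prop, hide_unadvertised):
    """Answer $select=prop as a simplified (status, body) pair (constructed shape)."""
    exists = prop in entity.declared or prop in entity.dynamic
    if exists and prop in entity.readable:
        return 200, {prop: entity.declared.get(prop, entity.dynamic.get(prop))}
    if prop in entity.declared:
        # Advertised in metadata: existence is already public, so annotate.
        return 200, {prop + "@annotation": PERMISSION_NONE}
    if prop in entity.dynamic and not hide_unadvertised:
        # Behaviour the issue warns about: the annotation confirms existence.
        return 200, {prop + "@annotation": PERMISSION_NONE}
    # Unknown property, or a forbidden dynamic property under the hardened policy.
    return 400, {"error": "unknown property"}

def _normalise(response, name):
    """Replace the requested name so only the response shape is compared."""
    status, body = response
    return status, {k.replace(name, "<prop>"): v for k, v in body.items()}

def leaks_existence(entity, hidden_prop, absent_prop, hide_unadvertised):
    """True if a caller can tell a forbidden dynamic property from a missing one."""
    a = _normalise(select(entity, hidden_prop, hide_unadvertised), hidden_prop)
    b = _normalise(select(entity, absent_prop, hide_unadvertised), absent_prop)
    return a != b

# Constructed sample: the caller may read Name only; UnderInvestigation is an
# unadvertised dynamic property; NoSuchProp does not exist at all.
SAMPLE = Entity(
    declared={"Name": "Ann", "Grade": 7},
    dynamic={"UnderInvestigation": True},
    readable={"Name"},
)

if __name__ == "__main__":
    for policy in (False, True):
        leak = leaks_existence(SAMPLE, "UnderInvestigation", "NoSuchProp", policy)
        print(f"hide_unadvertised={policy}: distinguishable={leak}")
```

Under this model the advertised property `Grade` is still annotated, since its existence is already public in metadata; only the unadvertised case is made indistinguishable from a missing property.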

