[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: [OASIS Issue Tracker] (ODATA-629) Security: Returning Core.Permission'None' could be information leakage
Michael Pizzo created ODATA-629: ----------------------------------- Summary: Security: Returning Core.Permission'None' could be information leakage Key: ODATA-629 URL: https://tools.oasis-open.org/issues/browse/ODATA-629 Project: OASIS Open Data Protocol (OData) TC Issue Type: Task Components: Securing Open Data Affects Versions: V4.0_WD01 Environment: [Proposed] Reporter: Michael Pizzo Fix For: V4.0_WD01 11.2.2 specifies that if properties are not available due to permissions, the Core.Permission’None’ is returned for that property. For dynamic properties not advertised in metadata, there could be scenarios where even the fact that the property exists would be information leakage. For example, if the client specified the unadvertised property in $select and looked for a Core.Permission'None' annotation rather than a failed request. -- This message was sent by Atlassian JIRA (v6.1.1#6155)
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]