<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:21:35 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-2564] investigate HTTP Response Header injection</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-2564</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;b&gt;Problem&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;The application reflects the value of any HTTP request header into the response headers. This lets an attacker inject arbitrary content into the response, including additional HTTP headers and potentially body content. HTTP response header injection can be leveraged for cross-site scripting, cross-user defacement, cache poisoning and similar attacks. However, because the CORS policy prevents a cross-origin page from setting these request headers, the attacker has to control the request directly, so the severity of this finding is set to Medium.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Steps to verify&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Perform a GET request with a valid JWT and a Set-Cookie request header, and observe the Set-Cookie header echoed in the HTTP response, e.g.:&lt;/p&gt;

&lt;p&gt;GET /users?query=%28id%3D%3D%22f5f46a28-d34f-4c8d-9e7f-d88206141d12%22%20or%20id%3D%3D%22a058f28f-80ac-4994-add6-e4d02fc238fe%22%20or%20id%3D%3D%22e19ae972-6341-4451-9ca1-1f4aabfc986e%22%29&lt;br/&gt;
query urldecoded: &lt;tt&gt;(id==&quot;f5f46a28-d34f-4c8d-9e7f-d88206141d12&quot; or id==&quot;a058f28f-80ac-4994-add6-e4d02fc238fe&quot; or id==&quot;e19ae972-6341-4451-9ca1-1f4aabfc986e&quot;)&lt;/tt&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Acceptance criteria&lt;/b&gt;&lt;br/&gt;
This problem has been addressed in 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;RMB-478&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/RMB-478&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;RMB echoes all headers&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            RMB-478
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
 (commit &lt;a href=&quot;https://github.com/folio-org/raml-module-builder/commit/3ae1e2c97ac5a4288b02d3ab19454b70f8b42a13&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;3ae1e2c&lt;/a&gt;, v27.1.2) and OKAPI ()  but the problem has been reported again during the NCC audit.&lt;/p&gt;

&lt;p&gt;Ensure that:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;header reflection via GET no longer works&lt;/li&gt;
	&lt;li&gt;all FOLIO backend modules in platform-complete have been upgraded to an RMB version that contains the fix; create Jira tickets for the modules that have not&lt;/li&gt;
	&lt;li&gt;non-RMB FOLIO backend modules in platform-complete do not allow header injection: test with X-Okapi headers (token, tenant) and a standard header such as Set-Cookie&lt;/li&gt;
	&lt;li&gt;the fixes implemented in RMB and Okapi have been reviewed, and improvements proposed if any&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;List of Q1 modules: &lt;a href=&quot;https://docs.google.com/spreadsheets/d/1NvvCq1wTfDeCnd7zHDIzLI7RBfuSr_Ty0tbzYzgEaI8/edit#gid=0&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://docs.google.com/spreadsheets/d/1NvvCq1wTfDeCnd7zHDIzLI7RBfuSr_Ty0tbzYzgEaI8/edit#gid=0&lt;/a&gt;&lt;/p&gt;</description>
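<![CDATA[
Added example for the "Steps to verify" and "Ensure that" items above; this is not code from the issue, FOLIO, Okapi or RMB. It parses a curl -v transcript of the kind pasted in the comments, reports which request headers came back verbatim as response headers, and can send the same probe (X-Okapi-Token, X-Okapi-Tenant, a Set-Cookie request header and a random nonce in X-Okapi-Foo) against a live Okapi endpoint. The two sample transcripts, the host names and the nonce-based probe values are constructed for the example and are not captures from a real deployment.

```python
"""Detect request-header reflection in FOLIO-style backend modules.

Hypothetical helper written for this ticket; it is not FOLIO, Okapi or RMB
code. It scores a curl -v transcript (request lines prefixed '>' and
response lines prefixed '<', as in the comments on this issue) and can run
the same probe against a live Okapi endpoint.
"""
import http.client
import secrets
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (lower-cased name, value)


def parse_curl_verbose(transcript: str) -> Tuple[List[Header], List[Header]]:
    """Split a curl -v transcript into request and response header lists.

    Only '> Name: value' and '< Name: value' lines are kept; the request
    line, the status line, blank separators, '*' info lines and the body
    are skipped. Names are lower-cased because Okapi lower-cases the
    headers it forwards (see 'x-okapi-tenant' in the captures above).
    """
    request: List[Header] = []
    response: List[Header] = []
    for raw in transcript.splitlines():
        line = raw.strip()
        if len(line) < 3 or line[0] not in "<>" or line[1] != " ":
            continue
        name, sep, value = line[2:].partition(":")
        # No colon: request line or status line. Space in the name: a
        # request line whose URL happened to contain a colon.
        if not sep or " " in name.strip():
            continue
        entry = (name.strip().lower(), value.strip())
        (request if line[0] == ">" else response).append(entry)
    return request, response


def reflected_headers(request: List[Header], response: List[Header]) -> List[Header]:
    """Return the request headers that reappear verbatim in the response.

    Name and value must both match: a header the server regenerates itself
    (Content-Type, Connection) may share a name with one we sent, but only
    a copy of the inbound header carries our attacker-chosen value.
    """
    sent = set(request)
    return [h for h in response if h in sent]


def is_vulnerable(transcript: str) -> bool:
    """True if any request header in the transcript was echoed back."""
    return bool(reflected_headers(*parse_curl_verbose(transcript)))


def build_probe_headers(token: str, tenant: str) -> Dict[str, str]:
    """Request headers for a live probe, following the ticket's recipe.

    Set-Cookie is a response-only header, so a server has no reason to emit
    our value unless it copied it; X-Okapi-Foo carries a random nonce so a
    match cannot be a coincidence.
    """
    nonce = secrets.token_hex(8)
    return {
        "X-Okapi-Token": token,
        "X-Okapi-Tenant": tenant,
        "Set-Cookie": f"token=probe{nonce}; path=/",
        "X-Okapi-Foo": nonce,
    }


def probe_module(host: str, path: str, token: str, tenant: str,
                 use_tls: bool = True) -> List[Header]:
    """Send the probe through Okapi and return any echoed headers.

    Assumed usage: probe_module("okapi.example.org", "/notify", jwt, "diku").
    Host, path and credentials are deployment-specific (not from the ticket).
    """
    headers = build_probe_headers(token, tenant)
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = conn_cls(host)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body before closing
        sent = [(k.lower(), v) for k, v in headers.items()]
        got = [(k.lower(), v) for k, v in resp.getheaders()]
        return reflected_headers(sent, got)
    finally:
        conn.close()


# Constructed transcripts modelled on the mod-notify captures in the
# comments (addresses and token shortened; not real captures).
SAMPLE_VULNERABLE = """\
> GET /notify HTTP/1.1
> Host: okapi.example.org
> X-Okapi-Token: eyJhbGciOiJIUzI1NiJ9.e30.sig
> Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
> X-Okapi-Tenant: diku
> X-Okapi-Foo: bar
>
< HTTP/1.1 200 OK
< Content-Type: application/json
< X-Okapi-Trace: GET mod-authtoken-2.4.0 http://10.0.0.1:9175/notify : 202 31585us
< set-cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
< x-okapi-tenant: diku
< x-okapi-foo: bar
< x-okapi-request-id: 606342/notify
< X-Okapi-Trace: GET mod-notify-2.5.0 http://10.0.0.1:9162/notify : 200 206911us
<
{ "notifications" : [ ], "totalRecords" : 0 }
"""

SAMPLE_FIXED = SAMPLE_VULNERABLE.replace(
    "< set-cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT\n"
    "< x-okapi-tenant: diku\n< x-okapi-foo: bar\n", "")

if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("fixed", SAMPLE_FIXED)):
        echoed = reflected_headers(*parse_curl_verbose(sample))
        print(f"{label}: {[name for name, _ in echoed] or 'no reflection'}")
```

Run it as a script to score the two built-in samples, or point probe_module at a real Okapi URL to test a module from platform-complete. Matching on name and value rather than name alone is what keeps legitimately regenerated headers such as Content-Type from counting as reflection, while a Set-Cookie value sent in the request can only come back through a copy of the inbound headers.
]]>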
                <environment></environment>
        <key id="81662">FOLIO-2564</key>
            <summary>investigate HTTP Response Header injection</summary>
                <type id="10003" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10318?size=medium">Task</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="5cf6c546b87c300f36eb7b9a">Craig McNally</assignee>
                                                                <reporter accountid="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d">Jakub Skoczen</reporter>
                                    <labels>
                            <label>platform-backlog</label>
                            <label>security</label>
                    </labels>
                <created>Thu, 16 Apr 2020 11:39:50 +0000</created>
                <updated>Tue, 13 Jul 2021 08:53:22 +0000</updated>
                            <resolved>Tue, 5 May 2020 13:07:58 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                                <comments>
                                                            <comment id="198251" author="5cf6c546b87c300f36eb7b9a" created="Wed, 22 Apr 2020 14:27:49 +0000"  >&lt;p&gt;I was able to reproduce this against an edelweiss deployment for a few modules:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;mod-circulation-storage&lt;/li&gt;
	&lt;li&gt;mod-fees-fines&lt;/li&gt;
	&lt;li&gt;mod-notify&lt;/li&gt;
	&lt;li&gt;mod-login-saml&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;Example:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
..elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:15:00 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; Server: nginx/1.10.3
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//&amp;lt;masked&amp;gt;:8051/mod-authtoken/loan-storage/loans.. : 202 8572us
&lt;/span&gt;&amp;lt; x-forwarded-&lt;span class=&quot;code-keyword&quot;&gt;for&lt;/span&gt;: &amp;lt;masked&amp;gt;
&amp;lt; x-forwarded-proto: http
&amp;lt; x-forwarded-port: 8051
&amp;lt; x-amzn-trace-id: Self=1-5ea05164-a3e7a75c3d2325a8ad153628;Root=1-5ea05164-45990650726085cc22435244
&amp;lt; x-nginx-proxy: &lt;span class=&quot;code-keyword&quot;&gt;true&lt;/span&gt;
&amp;lt; user-agent: curl/7.47.0
&amp;lt; accept: */*
&amp;lt; set-cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;lt; x-okapi-request-id: 793543/loan-storage
&amp;lt; x-okapi-tenant: fs00000002
&amp;lt; x-okapi-url: http:&lt;span class=&quot;code-comment&quot;&gt;//&amp;lt;masked&amp;gt;:9130
&lt;/span&gt;&amp;lt; x-okapi-request-ip: &amp;lt;masked&amp;gt;
&amp;lt; x-okapi-request-timestamp: 1587564900099
&amp;lt; x-okapi-request-method: GET
&amp;lt; x-okapi-permissions: [&lt;span class=&quot;code-quote&quot;&gt;&quot;circulation-storage.loans.collection.get&quot;&lt;/span&gt;]
&amp;lt; x-okapi-user-id: f9e1f652-efed-49c9-a3e4-34c3374047bc
&amp;lt; x-okapi-match-path-pattern: /loan-storage/loans
&amp;lt; X-Okapi-Trace: GET mod-circulation-storage-10.0.1 http:&lt;span class=&quot;code-comment&quot;&gt;//&amp;lt;masked&amp;gt;:8051/mod-circulation-storage/loan-storage/loans.. : 200 7253us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;loans&quot;&lt;/span&gt; : [ ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 192
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;I did not try every module, but focused on those that had an older version of RMB (or weren&apos;t using RMB).  The handful of modules I tested that were running RMB 29.X did not echo the request headers.&lt;/p&gt;

&lt;p&gt;When retesting these modules against fameflower, I was able to verify that the problem has been addressed in most cases.  However, there&apos;s at least one case where the problem still exists.&lt;/p&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-circulation-storage&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:30:10 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/loan-storage/loans.. : 202 6586us
&lt;/span&gt;&amp;lt; X-Okapi-Trace: GET mod-circulation-storage-11.0.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9176/loan-storage/loans.. : 200 2496us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;loans&quot;&lt;/span&gt; : [ ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 5
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-fees-fines&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:31:23 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/accounts.. : 202 32237us
&lt;/span&gt;&amp;lt; X-Okapi-Trace: GET mod-feesfines-15.7.2 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9137/accounts.. : 200 19008us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;accounts&quot;&lt;/span&gt; : [ ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 0,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;resultInfo&quot;&lt;/span&gt; : {
    &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 0,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;facets&quot;&lt;/span&gt; : [ ],
    &lt;span class=&quot;code-quote&quot;&gt;&quot;diagnostics&quot;&lt;/span&gt; : [ ]
  }
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/error.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-notify:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:32:37 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/notify.. : 202 31585us
&lt;/span&gt;&amp;lt; x-forwarded-&lt;span class=&quot;code-keyword&quot;&gt;for&lt;/span&gt;: 24.63.116.35
&amp;lt; x-forwarded-proto: https
&amp;lt; x-forwarded-port: 443
&amp;lt; host: folio-fameflower-okapi.dev.folio.org
&amp;lt; x-amzn-trace-id: Root=1-5ea05585-9371801b241a16cb03fd3c7a
&amp;lt; user-agent: curl/7.47.0
&amp;lt; accept: */*
&amp;lt; set-cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;lt; x-okapi-tenant: diku
&amp;lt; x-okapi-foo: bar
&amp;lt; x-okapi-request-id: 606342/notify
&amp;lt; x-okapi-url: http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9130
&lt;/span&gt;&amp;lt; x-okapi-request-ip: 10.36.10.74
&amp;lt; x-okapi-request-timestamp: 1587565957613
&amp;lt; x-okapi-request-method: GET
&amp;lt; x-okapi-permissions: [&lt;span class=&quot;code-quote&quot;&gt;&quot;notify.collection.get&quot;&lt;/span&gt;]
&amp;lt; x-okapi-user-id: ff8a07c0-9985-50c4-82be-d71aca738738
&amp;lt; x-okapi-match-path-pattern: /notify
&amp;lt; X-Okapi-Trace: GET mod-notify-2.5.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9162/notify.. : 200 206911us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;notifications&quot;&lt;/span&gt; : [ ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 0
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-licenses&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:35:55 GMT
&amp;lt; Content-Type: application/json;charset=UTF-8
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/licenses/licenses.. : 202 6735us
&lt;/span&gt;&amp;lt; X-Application-Context: application:production
&amp;lt; X-Okapi-Trace: GET mod-licenses-2.1.1 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9164/licenses/licenses.. : 200 96036us
&lt;/span&gt;&amp;lt; 
{ [13986 bytes data]
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-agreements&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:38:18 GMT
&amp;lt; Content-Type: application/json;charset=UTF-8
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/erm/sas.. : 202 31902us
&lt;/span&gt;&amp;lt; X-Application-Context: application:production
&amp;lt; X-Okapi-Trace: GET mod-agreements-2.2.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9178/erm/sas.. : 200 28761us
&lt;/span&gt;&amp;lt; 
{ [791 bytes data]
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-login-saml:&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Wed, 22 Apr 2020 14:40:01 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/saml/check : 202 7417us
&lt;/span&gt;&amp;lt; X-Okapi-Trace: GET mod-login-saml-1.3.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9153/saml/check : 200 20497us
&lt;/span&gt;&amp;lt; 
{ [28 bytes data]
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-ncip&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Thu, 23 Apr 2020 15:26:20 GMT
&amp;lt; Content-Type: text/plain
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/ncipconfigcheck : 202 6468us
&lt;/span&gt;&amp;lt; X-Okapi-Trace: GET mod-ncip-1.1.1 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9179/ncipconfigcheck : 200 265768us
&lt;/span&gt;&amp;lt; 
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
OK
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;

&lt;p&gt;&lt;img class=&quot;emoticon&quot; src=&quot;/images/icons/emoticons/check.png&quot; height=&quot;16&quot; width=&quot;16&quot; align=&quot;absmiddle&quot; alt=&quot;&quot; border=&quot;0&quot;/&gt; mod-user-import&lt;/p&gt;
&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; Set-Cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-Foo: bar
&amp;gt; Content-Length: 779
&amp;gt; 
* upload completely sent off: 779 out of 779 bytes
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Thu, 23 Apr 2020 15:54:34 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: POST mod-authtoken-2.4.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9175/user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt; : 202 7621us
&lt;/span&gt;&amp;lt; X-Okapi-Trace: POST mod-user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt;-3.2.0 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.37:9142/user-&lt;span class=&quot;code-keyword&quot;&gt;import&lt;/span&gt; : 200 899483us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;message&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;Users were imported successfully.&quot;&lt;/span&gt;,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;createdRecords&quot;&lt;/span&gt; : 0,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;updatedRecords&quot;&lt;/span&gt; : 0,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;failedRecords&quot;&lt;/span&gt; : 1,
  &lt;span class=&quot;code-quote&quot;&gt;&quot;failedUsers&quot;&lt;/span&gt; : [ {
    &lt;span class=&quot;code-quote&quot;&gt;&quot;username&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;jhandey&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;externalSystemId&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;source1_111_112&quot;&lt;/span&gt;,
    &lt;span class=&quot;code-quote&quot;&gt;&quot;errorMessage&quot;&lt;/span&gt; : &lt;span class=&quot;code-quote&quot;&gt;&quot;Failed to create &lt;span class=&quot;code-keyword&quot;&gt;new&lt;/span&gt; user with externalSystemId: source1_111_112&quot;&lt;/span&gt;
  } ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 1
* Connection #0 to host folio-fameflower-okapi.dev.folio.org left intact
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="198256" author="5cf6c546b87c300f36eb7b9a" created="Mon, 27 Apr 2020 12:29:24 +0000"  >&lt;p&gt;The only module I found that still had this issue in the fameflower release (mod-notify) has already been fixed. I verified this on folio-testing:&lt;/p&gt;

&lt;div class=&quot;code panel&quot; style=&quot;border-width: 1px;&quot;&gt;&lt;div class=&quot;codeContent panelContent&quot;&gt;
&lt;pre class=&quot;code-java&quot;&gt;
...elided...
&amp;gt; set-cookie: token=foobarbaz; path=/; expires=Fri, 01 Jan 2021 00:00:00 GMT
&amp;gt; X-Okapi-Tenant: diku
&amp;gt; X-Okapi-foo: bar
&amp;gt; 
&amp;lt; HTTP/1.1 200 OK
&amp;lt; Date: Mon, 27 Apr 2020 12:28:15 GMT
&amp;lt; Content-Type: application/json
&amp;lt; Transfer-Encoding: chunked
&amp;lt; Connection: keep-alive
&amp;lt; X-Okapi-Trace: GET mod-authtoken-2.5.0-SNAPSHOT.66 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.210:9133/notify : 202 8019us
&lt;/span&gt;&amp;lt; X-Okapi-Trace: GET mod-notify-2.6.0-SNAPSHOT.91 http:&lt;span class=&quot;code-comment&quot;&gt;//10.36.1.210:9143/notify : 200 261488us
&lt;/span&gt;&amp;lt; 
{
  &lt;span class=&quot;code-quote&quot;&gt;&quot;notifications&quot;&lt;/span&gt; : [ ],
  &lt;span class=&quot;code-quote&quot;&gt;&quot;totalRecords&quot;&lt;/span&gt; : 0
* Connection #0 to host folio-testing-okapi.aws.indexdata.com left intact
}
&lt;/pre&gt;
&lt;/div&gt;&lt;/div&gt;</comment>
                                                            <comment id="198258" author="557058:4f6bed01-40a6-48d5-8471-7ef21f5ea97c" created="Mon, 27 Apr 2020 17:51:30 +0000"  >&lt;p&gt;Looks good. Just want to be clear: for the Q2 release, are there any modules that need to upgrade RMB due to this header injection issue?&lt;/p&gt;</comment>
                                                            <comment id="198260" author="5cf6c546b87c300f36eb7b9a" created="Tue, 28 Apr 2020 12:52:01 +0000"  >&lt;p&gt;The latest release of mod-notify is 2.5.0, which uses an older RMB (26.2.2).  So yes, a mod-notify release will need to be made that includes a fix for this security issue.&lt;/p&gt;</comment>
                                                            <comment id="198262" author="557058:b8e64633-1f7c-402d-9caf-9959a5ba5d0d" created="Mon, 4 May 2020 14:17:34 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt; &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A003b2b3f-c9ac-4207-96eb-21cdb3765e26&quot; class=&quot;user-hover&quot; rel=&quot;557058:003b2b3f-c9ac-4207-96eb-21cdb3765e26&quot; data-account-id=&quot;557058:003b2b3f-c9ac-4207-96eb-21cdb3765e26&quot; accountid=&quot;557058:003b2b3f-c9ac-4207-96eb-21cdb3765e26&quot; rel=&quot;noreferrer&quot;&gt;Oleksii Petrenko&lt;/a&gt; The remaining problem in mod-notify has been fixed on the master branch, we need to make sure the module gets released for Goldenrod.&lt;/p&gt;</comment>
                                                            <comment id="198264" author="5c10cd488ce9b546efc4d9c4" created="Tue, 5 May 2020 13:07:58 +0000"  >&lt;p&gt;What is left: ping release coordinator about module release.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="79617">FOLIO-2524</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="36614">MODNOTIFY-63</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10003">
                    <name>Relates</name>
                                            <outwardlinks description="relates to">
                                        <issuelink>
            <issuekey id="57104">RMB-478</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="54092">OKAPI-763</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="35191">MODLOGIN-119</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i00ugc:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="1858">CP: sprint 87</customfieldvalue>
    <customfieldvalue id="1421">CP: sprint 88</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10044" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>Story Points</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>3.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 22 Apr 2020 14:27:49 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>