Opencast uses unsafe identifiers
Description
Opencast before 8.1 and 7.6 allows almost arbitrary identifiers for media packages and elements to be used. This is a problem for both operation and security, since such identifiers are sometimes used for file system operations, which may let an attacker escape working directories and write files to other locations. In addition, the differing behavior of Id.toString(…) and Id.compact(…), the latter trying to mitigate some of the file system problems, can cause errors due to identifier mismatch, since an identifier may unintentionally change. This issue is fixed in Opencast 7.6 and 8.1.
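As an added illustration (example code, not Opencast's own), the following Java program contrasts the pre-fix approach of rewriting path separators inside an identifier with validating the identifier up front, and adds a containment check at the point where the identifier becomes a file system path. The class, method and pattern names are assumptions made for the example, and the sample identifiers are constructed.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added example (not Opencast code): contrasts the pre-fix "compact" approach,
 * which rewrote unsafe identifiers, with up-front validation, and shows a
 * containment check on the resulting file system path.
 */
public final class IdentifierSafety {

    // Hypothetical allow-list: word characters plus a few punctuation marks.
    // The hyphen is placed last so it is read as a literal, not a range.
    private static final Pattern SAFE_ID = Pattern.compile("[\\w.:;()-]+");

    /** Pre-fix behaviour: map path separators to '-' and otherwise accept anything. */
    static String legacyCompact(String id) {
        return id.replaceAll("/", "-").replaceAll("\\\\", "-");
    }

    /**
     * Validating approach: reject instead of rewriting, so the identifier that
     * was accepted is exactly the identifier later used for lookups and paths.
     */
    static String validate(String id) {
        if (id == null) {
            throw new IllegalArgumentException("Id must not be null");
        }
        if (!SAFE_ID.matcher(id).matches()) {
            throw new IllegalArgumentException("Id must match " + SAFE_ID);
        }
        // The pattern admits "." and ".." as whole identifiers; as a directory
        // name those still resolve to the working directory or its parent.
        if (id.equals(".") || id.equals("..")) {
            throw new IllegalArgumentException("Id must not be a relative directory reference");
        }
        return id;
    }

    /**
     * Defence in depth at the file system boundary: resolve the identifier under
     * the working directory and refuse anything that normalises outside it.
     */
    static Path resolveUnder(Path workDir, String id) {
        Path base = workDir.toAbsolutePath().normalize();
        Path target = base.resolve(id).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("Id escapes working directory: " + id);
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample identifiers for the demonstration.
        String clean = "mp-2020-01-15.v2";
        String traversal = "../outside";

        // Legacy behaviour silently turns the input into a different identifier:
        // "../outside" becomes "..-outside", so the stored id no longer matches
        // the id a client presented, and nothing was rejected.
        System.out.println("legacy compact: " + legacyCompact(traversal));

        System.out.println("validated:      " + validate(clean));
        System.out.println("resolved:       " + resolveUnder(Paths.get("work"), clean));

        try {
            validate(traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:       " + e.getMessage());
        }
        try {
            resolveUnder(Paths.get("work"), traversal);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:       " + e.getMessage());
        }
    }
}
```

The point of the two-layer design is that validation makes the accepted identifier stable (no silent rewriting, so lookups by the original string keep working), while the path containment check catches anything that slips past the allow-list at the one place where an identifier turns into a file system location.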
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencastproject:baseMaven | < 7.6 | 7.6 |
| org.opencastproject:baseMaven | >= 8.0, < 8.1 | 8.1 |
Patches
bbb473f34ab9 Limit Characters Allowed In Ids
3 files changed · +15 −4
modules/common/src/main/java/org/opencastproject/mediapackage/identifier/IdImpl.java+9 −2 modified@@ -22,6 +22,8 @@ package org.opencastproject.mediapackage.identifier; +import java.util.regex.Pattern; + import javax.xml.bind.annotation.XmlAccessType; import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlType; @@ -34,6 +36,8 @@ @XmlAccessorType(XmlAccessType.NONE) public class IdImpl implements Id { + private static final Pattern pattern = Pattern.compile("[\\w-_.:;()]+"); + /** The identifier */ @XmlValue protected String id = null; @@ -50,7 +54,10 @@ public IdImpl() { * @param id * the identifier */ - public IdImpl(String id) { + public IdImpl(final String id) { + if (!pattern.matcher(id).matches()) { + throw new IllegalArgumentException("Id must match " + pattern); + } this.id = id; } @@ -60,7 +67,7 @@ public IdImpl(String id) { * @see org.opencastproject.mediapackage.identifier.Id#compact() */ public String compact() { - return id.replaceAll("/", "-").replaceAll("\\\\", "-"); + return toString(); } @Override
modules/common/src/main/java/org/opencastproject/mediapackage/identifier/Id.java+1 −0 modified@@ -41,6 +41,7 @@ public interface Id { * * @return a path separator-free representation of the identifier */ + @Deprecated String compact(); class Adapter extends XmlAdapter<IdImpl, Id> {
modules/ingest-service-impl/src/main/java/org/opencastproject/ingest/endpoint/IngestRestService.java+5 −2 modified@@ -837,11 +837,14 @@ public Response addMediaPackage(@Context HttpServletRequest request, @PathParam( return Response.serverError().status(Status.BAD_REQUEST).build(); } - WorkflowInstance workflow = (wdID == null) ? ingestService.ingest(mp) : ingestService.ingest(mp, wdID, - workflowProperties); + WorkflowInstance workflow = (wdID == null) + ? ingestService.ingest(mp) + : ingestService.ingest(mp, wdID, workflowProperties); return Response.ok(workflow).build(); } return Response.serverError().status(Status.BAD_REQUEST).build(); + } catch (IllegalArgumentException e) { + return Response.status(Status.BAD_REQUEST).entity(e.getMessage()).build(); } catch (Exception e) { logger.warn(e.getMessage(), e); return Response.serverError().status(Status.INTERNAL_SERVER_ERROR).build();
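Review bot: In the IdImpl.java hunk that adds `private static final Pattern pattern = Pattern.compile("[\\w-_.:;()]+");`, the hyphen sits between `\w` and `_`; Java reads it as a literal hyphen here, but it looks like a range to a reader and would be one in other engines, so move it to the end of the class (`"[\\w.:;()-]+"`, `_` being already covered by `\w`) and give the field a constant-style name such as `ID_PATTERN`. The class also admits `.` and `..` as complete identifiers, which still name the current and parent directory once an id becomes a path component; reject those two values explicitly in the constructor.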
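Review bot: In the IdImpl.java constructor hunk, `pattern.matcher(id).matches()` dereferences `id` before anything checks it, so a null argument now surfaces as a NullPointerException rather than the IllegalArgumentException the new REST handler maps to 400; add `if (id == null) throw new IllegalArgumentException("Id must not be null");` ahead of the match. The Javadoc immediately above (`* @param id` / `* the identifier`) should also gain an `@throws IllegalArgumentException` tag describing the allowed character set.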
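Review bot: In the IdImpl.java hunk that changes `compact()` to `return toString();`, the method now relies on the identifier having been validated, but validation lives only in the `IdImpl(final String id)` constructor: the no-arg `IdImpl()` together with the `@XmlValue protected String id` field means an identifier unmarshalled from XML (through the `Adapter extends XmlAdapter<IdImpl, Id>` in Id.java) is set reflectively and never passes the pattern check. Either validate in a JAXB `afterUnmarshal` callback or in the adapter's `unmarshal`, or keep the separator replacement in `compact()` as a fallback until that path is covered.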
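Review bot: In the Id.java hunk, `@Deprecated` is added to `compact()` but the Javadoc above it still only says `@return a path separator-free representation of the identifier`; add a `@deprecated` tag naming the replacement (`toString()`) and the reason, otherwise callers get a compiler warning with no guidance.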
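Review bot: In the IngestRestService.java hunk, the new `catch (IllegalArgumentException e)` covers the whole try block, including the `ingestService.ingest(...)` calls, so any IllegalArgumentException raised there, not just the identifier check, is now returned as 400 with `e.getMessage()` echoed verbatim to the client, and unlike the generic `catch (Exception e)` below it logs nothing. Narrow the catch to the code that constructs the identifier, or return a fixed message and log the exception at debug level.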
References
- github.com/advisories/GHSA-w29m-fjp4-qhmq (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-5230 (advisory)
- github.com/opencast/opencast/commit/bbb473f34ab95497d6c432c81285efb0c739f317 (web)
- github.com/opencast/opencast/security/advisories/GHSA-w29m-fjp4-qhmq (web)