IBM Support

IV77742: ALLOW CHARACTER EXCLUDE LIST FOR TAKE ACTION


APAR status

  • Closed as program error.

Error description

  • Currently when a Tivoli Portal user has "Take Action"
    authority, the dialog used for passing arguments with an
    action command allows for inclusion of additional characters
    in the text field.
    
    RECREATE INSTRUCTIONS:
    Select an action command that accepts parameters. A dialog will
    appear that contains an editable freeform field.
    

Local fix

  • Remove the "Take Action" authority from the Tivoli Portal user
    account.
    

Problem summary

  • Currently when a Tivoli Portal user has "Take Action" authority,
    the dialog used for passing arguments with an action command
    (the 'Edit Argument Values' pop-up) allows for inclusion of
    additional characters in the text field. With this APAR fix, the
    administrator is able to list the characters that are not
    allowed in this field.
    
    In order for this APAR to be properly implemented in your
    environment, a new environment variable has been added.  See the
    "Install Actions" section of the APAR conclusion for more
    details.
    

Problem conclusion

  • Code was changed to exclude, in the take action text field, the
    characters listed in the 'KFW_TAKE_ACTION_EXCLUDE_CHARACTERS'
    variable.
    
    When a Tivoli Portal user has "view" authority to run take
    action commands, if a command is defined to prompt the user for
    additional input then the Edit Argument Values window is
    displayed. Currently the user can provide specially crafted
    input which can result in additional command(s) being executed.
    This APAR will exclude specific characters from being used as
    input to the dialog.
    
    Install Actions:
    To fully enable this APAR, the following post installation steps
    should be completed:
    
     1. A new environment variable
    KFW_TAKE_ACTION_EXCLUDE_CHARACTERS will be needed in the kfwenv
    file (Windows) or cq.ini file (Linux/UNIX). This variable should
    list the set of characters that are not allowed to be entered
    into the Edit Argument Values window when a user has "view"
    authority. For example, to restrict the characters ";" or "&" or
    "|", add the environment variable using the format below:
    
        On Windows: Open kfwenv in <CANDLEHOME>\CNPS, define
        KFW_TAKE_ACTION_EXCLUDE_CHARACTERS.
             KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|
    
        On Linux/UNIX:  Open cq.ini in <CANDLEHOME>/config, define
        KFW_TAKE_ACTION_EXCLUDE_CHARACTERS.
             KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&|
    
    Save the file (the change will not take effect until the Tivoli
    Enterprise Portal is restarted in step #2 below).
    
    The list of characters can be customized by the administrator if
    additional characters need to be added to the exclude list. Once
    this value is set and the portal server recycled, a user with
    view authority to run a take action will no longer be able to
    enter those characters into the Edit Arguments dialog box.
    
     2. After adding the environment variable
    KFW_TAKE_ACTION_EXCLUDE_CHARACTERS above, the portal server
    needs to be restarted.
    
     3. The Java plugin jar cache needs to be cleared on all
    desktops that run the Tivoli Enterprise Portal client.
        - From the Windows control panel, double-click the Java icon
    that represents the Java control panel.
        - Select the "General" tab, press the "settings" button,
    then press the "Delete files" button to clear currently cached
    applications.
        - The next time the Tivoli Enterprise Portal client is
    started the newly patched jar files in this fix will be
    downloaded.
    
     4. Restart the Tivoli Enterprise Portal client.
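
A way to verify step 1 across portal servers, as an added example that is not IBM's code: it reads the text of a kfwenv or cq.ini file, reports whether KFW_TAKE_ACTION_EXCLUDE_CHARACTERS is defined and which required characters are missing, and models which characters of an argument value the exclude list would catch. The comment markers, the "last definition wins" rule, the sample file and the function names are assumptions made for the example.

```python
VAR = "KFW_TAKE_ACTION_EXCLUDE_CHARACTERS"
PAGE_EXAMPLE = ";&|"  # the characters used in the APAR's own example

# Constructed sample, not a real cq.ini; EXAMPLE_OTHER_SETTING is a placeholder.
SAMPLE_CQ_INI = """\
# constructed sample
EXAMPLE_OTHER_SETTING=1
KFW_TAKE_ACTION_EXCLUDE_CHARACTERS=;&
"""

def read_exclude_list(env_text):
    """Return the configured exclude list, or None if the variable is not set.

    Assumptions: one NAME=VALUE per line, a later definition overrides an
    earlier one, and lines starting with '#' or '*' are comments.
    """
    value = None
    for line in env_text.splitlines():
        line = line.lstrip()  # keep trailing characters: they are part of the value
        if not line or line[0] in "#*":
            continue
        name, sep, rest = line.partition("=")
        if sep and name.strip() == VAR:
            value = rest
    return value

def audit(env_text, required=PAGE_EXAMPLE):
    """Return (status, missing): which required characters are not excluded."""
    configured = read_exclude_list(env_text)
    if configured is None:
        return "not-set", sorted(required)
    missing = sorted(c for c in required if c not in configured)
    return ("ok" if not missing else "incomplete"), missing

def rejected_chars(argument, exclude_list):
    """Model of the check: excluded characters present in an argument value."""
    return sorted({c for c in argument if c in exclude_list})

if __name__ == "__main__":
    print(audit(SAMPLE_CQ_INI))
    print(rejected_chars("value-a;value-b", PAGE_EXAMPLE))
```

Pass the site's own baseline as `required` when the administrator has extended the list beyond the three characters in the APAR's example.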
    
    
    The fix for this APAR is contained in the following maintenance
    packages:
    
       | fix pack | 6.3.0-TIV-ITM-FP0007
       | provisional fix | 6.3.0-TIV-ITM-FP0005-IV77742
       | provisional fix | 6.2.3-TIV-ITM-FP0005-IV77742
       | provisional fix | 6.2.2-TIV-ITM-FP0009-IV77742
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV77742

  • Reported component name

    TEP

  • Reported component ID

    5724C04EP

  • Reported release

    630

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2015-10-07

  • Closed date

    2017-01-06

  • Last modified date

    2017-01-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TEP

  • Fixed component ID

    5724C04EP

Applicable component levels

  • R630 PSY

       UP


Document Information

Modified date:
06 January 2017