Posted to dev@myfaces.apache.org by "Leonardo Uribe (Commented) (JIRA)" <de...@myfaces.apache.org> on 2011/11/22 22:54:40 UTC

[jira] [Commented] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

    [ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155471#comment-13155471 ] 

Leonardo Uribe commented on MYFACES-3405:
-----------------------------------------

Attached a patch that fixes the issue. Just created a utility class for evaluation (NavigationUtils) and used it in the right spots where we need it. In this way, we prevent EL evaluation for params received from UIViewParameter instances.
                
> includeViewParameters re-evaluates param/model values as EL expressions
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-3405
>                 URL: https://issues.apache.org/jira/browse/MYFACES-3405
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.1.3
>         Environment: MyFaces 2.1.3
>            Reporter: Frederick Kämpfer
>         Attachments: MYFACES-3405-1.patch
>
>
> I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:
> http://java.net/jira/browse/JAVASERVERFACES-2247
> I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.
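As an added illustration that is not part of the attached patch or of MyFaces' own NavigationUtils, the following self-contained Java sketch contrasts the reported behaviour with the fixed one; the regex-based EL evaluator, the bean map and all parameter values are constructed stand-ins.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class ViewParamEvaluationDemo {
    // Hypothetical stand-in for the EL evaluator: resolves each #{name} against a bean map.
    private static final Pattern EL = Pattern.compile("#\\{([A-Za-z0-9_.]+)\\}");

    static String evaluateEl(String value, Map<String, String> beans) {
        Matcher m = EL.matcher(value);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            m.appendReplacement(out, Matcher.quoteReplacement(beans.getOrDefault(m.group(1), "")));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Behaviour reported in the issue: every outgoing parameter, including the ones
    // copied from the request by includeViewParameters, is run through EL again.
    static Map<String, String> buildParamsBefore(Map<String, String> navCaseParams,
            Map<String, String> viewParams, Map<String, String> beans) {
        Map<String, String> out = new LinkedHashMap<>();
        navCaseParams.forEach((k, v) -> out.put(k, evaluateEl(v, beans)));
        viewParams.forEach((k, v) -> out.put(k, evaluateEl(v, beans)));
        return out;
    }

    // Behaviour after the fix: only developer-authored navigation-case values are
    // evaluated; request-supplied view parameters are copied verbatim.
    static Map<String, String> buildParamsAfter(Map<String, String> navCaseParams,
            Map<String, String> viewParams, Map<String, String> beans) {
        Map<String, String> out = new LinkedHashMap<>();
        navCaseParams.forEach((k, v) -> out.put(k, evaluateEl(v, beans)));
        out.putAll(viewParams);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: a bean holding a session value, one trusted
        // navigation-case parameter, and one view parameter echoed from the request.
        Map<String, String> beans = Map.of("userBean.lang", "de",
                                           "sessionScope.token", "CONSTRUCTED-SECRET");
        Map<String, String> navCase = Map.of("lang", "#{userBean.lang}");
        Map<String, String> viewParams = Map.of("id", "#{sessionScope.token}");
        System.out.println("before: " + buildParamsBefore(navCase, viewParams, beans));
        System.out.println("after:  " + buildParamsAfter(navCase, viewParams, beans));
    }
}
```

In the "before" map the request-supplied string for `id` has been resolved against the bean, while in the "after" map it stays a literal, which is the distinction the NavigationUtils change draws.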
