Posted to issues@cxf.apache.org by "Ben Noordhuis (JIRA)" <ji...@apache.org> on 2011/03/10 01:15:00 UTC
[jira] Commented: (CXF-3390) Field value from previous request is recycled when field is absent in new request
[ https://issues.apache.org/jira/browse/CXF-3390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13004890#comment-13004890 ]
Ben Noordhuis commented on CXF-3390:
------------------------------------
This bug is caused by the null checks in JAXRSUtils.handleSetters().
Color diff and raw patch:
https://github.com/bnoordhuis/cxf/compare/CXF-3390
https://github.com/bnoordhuis/cxf/compare/CXF-3390.patch
Tests and style checks pass.
> Field value from previous request is recycled when field is absent in new request
> ---------------------------------------------------------------------------------
>
> Key: CXF-3390
> URL: https://issues.apache.org/jira/browse/CXF-3390
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 2.4
> Reporter: Ben Noordhuis
> Priority: Critical
>
> This was tested against 2.3.1 and HEAD.
> Consider this class:
> {code}
> @Path("/test")
> public class Test {
>     @QueryParam("q") private String q;
>
>     @GET
>     public void test() {
>         System.err.println(q);
>     }
> }
> {code}
> Now consider this test case:
> {noformat}
> $ curl http://localhost:8080/test # prints "null"
> $ curl http://localhost:8080/test?q=foo # prints "foo"
> $ curl http://localhost:8080/test # prints "foo" !
> {noformat}
> This is a serious bug because it leaks information. It's not specific to @QueryParam, the other annotations have the same problem.
> I discovered it in a resource that is used for authentication: after logging in once, I could log in again without providing a username and password!
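An added illustration of the injection pattern behind this report, not CXF's own code: a minimal stand-in for per-request field injection into a singleton JAX-RS resource, run once with the null-skipping assignment the comment attributes to JAXRSUtils.handleSetters() and once assigning unconditionally. The names StaleFieldDemo, injectFields and the local QueryParam annotation are assumptions made for this demo.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class StaleFieldDemo {
    // Stand-in for javax.ws.rs.QueryParam so the demo compiles without CXF.
    @Retention(RetentionPolicy.RUNTIME)
    @interface QueryParam { String value(); }

    // One instance serves every request, exactly like a singleton resource.
    static class TestResource {
        @QueryParam("q") String q;
    }

    // Hypothetical injector. With skipNulls=true it reproduces the defect:
    // a parameter missing from the request leaves the previous value in place.
    // With skipNulls=false the field is always (re)assigned, null included.
    static void injectFields(Object resource, Map<String, String> query,
                             boolean skipNulls) throws Exception {
        for (Field f : resource.getClass().getDeclaredFields()) {
            QueryParam qp = f.getAnnotation(QueryParam.class);
            if (qp == null) continue;
            String value = query.get(qp.value());
            if (skipNulls && value == null) continue;   // the CXF-3390 behaviour
            f.setAccessible(true);
            f.set(resource, value);
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed requests mirroring the three curl calls in the report.
        Map<String, String> none = new HashMap<>();
        Map<String, String> withQ = new HashMap<>();
        withQ.put("q", "foo");
        for (boolean skipNulls : new boolean[] {true, false}) {
            TestResource singleton = new TestResource();
            injectFields(singleton, none, skipNulls);
            String first = singleton.q;
            injectFields(singleton, withQ, skipNulls);
            String second = singleton.q;
            injectFields(singleton, none, skipNulls);
            String third = singleton.q;
            System.out.println((skipNulls ? "skip-null injection: " : "unconditional injection: ")
                    + first + ", " + second + ", " + third);
        }
    }
}
```

The first line of output shows the third request still carrying "foo", the leak the report describes; the second line shows it back to null once the assignment is unconditional.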