Posted to dev@myfaces.apache.org by "lantian (JIRA)" <my...@incubator.apache.org> on 2005/07/04 11:11:11 UTC
[jira] Created: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.
there's a very seriously security problem in myfaces but not found in SUN's RI.
--------------------------------------------------------------------------------
Key: MYFACES-302
URL: http://issues.apache.org/jira/browse/MYFACES-302
Project: MyFaces
Type: Bug
Versions: 1.0.9 beta
Environment: JDK 1.4.2
TOMCAT 5.0.28
Reporter: lantian
Priority: Critical
Step 1: I set the disabled property of an inputText named input1 and a commandButton named button1 to "true" at design time.
Step 2: I view the page in the Firefox browser, and I cannot modify the data of input1 and of course cannot click button1.
Step 3: I change the disabled property of input1 and button1 to "false" in the page with the DOM Inspector tool supplied by Firefox.
Step 4: Now I can modify the data of input1 and can click button1. I find that the new data was submitted to the server and the action of button1 was invoked.
It means that the disabled property of MyFaces components cannot work securely.
I made the same test with Sun's RI; it works well.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
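The server-side check this report turns on, as an added example that is not part of the original thread and is not MyFaces or JSF code: a decode step that trusts the posted parameters beside one that consults the component's own disabled flag. The `Component` class, the `decode` method and the client ids `form1:input1` and `form1:button1` are hypothetical names constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

public class DisabledDecodeDemo {
    // Hypothetical stand-in for a server-side UI component (not a JSF API class).
    static class Component {
        final String clientId;
        final boolean button;
        final boolean disabled;      // state held on the server, set at design time
        String value;                // current value of an input
        boolean actionQueued;        // true once a button's action would be invoked
        Component(String clientId, boolean button, boolean disabled, String value) {
            this.clientId = clientId; this.button = button;
            this.disabled = disabled; this.value = value;
        }
    }

    // With enforceDisabled=false this accepts whatever the browser posts, which is
    // the behaviour the report describes. With true, the server's flag decides.
    static void decode(Component c, Map<String, String> params, boolean enforceDisabled) {
        if (enforceDisabled && c.disabled) {
            return;                  // ignore any parameter posted for a disabled component
        }
        String submitted = params.get(c.clientId);
        if (submitted == null) {
            return;
        }
        if (c.button) {
            c.actionQueued = true;
        } else {
            c.value = submitted;
        }
    }

    public static void main(String[] args) {
        // Constructed request: what the browser posts once the disabled attribute
        // has been changed in the DOM (step 3 of the report).
        Map<String, String> params = new HashMap<>();
        params.put("form1:input1", "tampered");
        params.put("form1:button1", "Submit");

        for (boolean enforce : new boolean[] { false, true }) {
            Component input = new Component("form1:input1", false, true, "original");
            Component button = new Component("form1:button1", true, true, null);
            decode(input, params, enforce);
            decode(button, params, enforce);
            System.out.println("enforceDisabled=" + enforce
                + " value=" + input.value + " actionQueued=" + button.actionQueued);
        }
    }
}
```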
[jira] Commented: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.
Posted by "Martin Marinschek (JIRA)" <my...@incubator.apache.org>.
[ http://issues.apache.org/jira/browse/MYFACES-302?page=comments#action_12315049 ]
Martin Marinschek commented on MYFACES-302:
-------------------------------------------
Should be fixed in HEAD.
> there's a very seriously security problem in myfaces but not found in SUN's RI.
> --------------------------------------------------------------------------------
>
> Key: MYFACES-302
> URL: http://issues.apache.org/jira/browse/MYFACES-302
> Project: MyFaces
> Type: Bug
> Versions: 1.0.9 beta
> Environment: JDK 1.4.2
> TOMCAT 5.0.28
> Reporter: lantian
> Assignee: Martin Marinschek
> Priority: Critical
>
> Step 1: I set the disabled property of an inputText named input1 and a commandButton named button1 to "true" at design time.
> Step 2: I view the page in the Firefox browser, and I cannot modify the data of input1 and of course cannot click button1.
> Step 3: I change the disabled property of input1 and button1 to "false" in the page with the DOM Inspector tool supplied by Firefox.
> Step 4: Now I can modify the data of input1 and can click button1. I find that the new data was submitted to the server and the action of button1 was invoked.
> It means that the disabled property of MyFaces components cannot work securely.
> I made the same test with Sun's RI; it works well.
[jira] Closed: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.
Posted by "Martin Marinschek (JIRA)" <my...@incubator.apache.org>.
[ http://issues.apache.org/jira/browse/MYFACES-302?page=all ]
Martin Marinschek closed MYFACES-302:
-------------------------------------
Fix Version: Nightly Build
Resolution: Fixed
Has been fixed in the nightly build. Should have been fixed on all components. If you still find a problem, post with the exact component on which this problem was found.
regards,
Martin
> there's a very seriously security problem in myfaces but not found in SUN's RI.
> --------------------------------------------------------------------------------
>
> Key: MYFACES-302
> URL: http://issues.apache.org/jira/browse/MYFACES-302
> Project: MyFaces
> Type: Bug
> Versions: 1.0.9 beta
> Environment: JDK 1.4.2
> TOMCAT 5.0.28
> Reporter: lantian
> Assignee: Martin Marinschek
> Priority: Critical
> Fix For: Nightly Build
>
> Step 1: I set the disabled property of an inputText named input1 and a commandButton named button1 to "true" at design time.
> Step 2: I view the page in the Firefox browser, and I cannot modify the data of input1 and of course cannot click button1.
> Step 3: I change the disabled property of input1 and button1 to "false" in the page with the DOM Inspector tool supplied by Firefox.
> Step 4: Now I can modify the data of input1 and can click button1. I find that the new data was submitted to the server and the action of button1 was invoked.
> It means that the disabled property of MyFaces components cannot work securely.
> I made the same test with Sun's RI; it works well.