Posted to dev@myfaces.apache.org by "lantian (JIRA)" <my...@incubator.apache.org> on 2005/07/04 11:11:11 UTC

[jira] Created: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.

there's a very seriously security  problem in myfaces but not found in SUN's RI.
--------------------------------------------------------------------------------

         Key: MYFACES-302
         URL: http://issues.apache.org/jira/browse/MYFACES-302
     Project: MyFaces
        Type: Bug
    Versions: 1.0.9 beta
 Environment: JDK 1.4.2
              TOMCAT 5.0.28
    Reporter: lantian
    Priority: Critical


Step 1: I set the disabled property of the inputText named input1 and the commandButton named button1 to "true" at design time.

Step 2: I view the page with the Firefox browser, and of course I cannot modify the data of input1 and cannot click button1.

Step 3: I change the disabled property of input1 and button1 to "false" in the page with the DOM Inspector tool supplied by Firefox.

Step 4: Now I can modify the data of input1 and can click button1. I find that the new data was submitted to the server and the action of button1 was invoked.

          It means that the disabled property of MyFaces components cannot work securely.
          I made the same test with Sun's RI; it works well.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
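
The report above comes down to where the disabled state is enforced: in the browser's copy of the markup, or in the server-side component during decode. The following is an added example, not code from MyFaces, Sun's RI or this thread; the Component class, both decode methods and the request parameters are hypothetical and constructed to model the two behaviours side by side.

```java
import java.util.LinkedHashMap;
import java.util.Map;

// Simplified model added for illustration; not MyFaces or Sun RI source.
public class DisabledDecodeDemo {

    // Hypothetical stand-in for a server-side component (inputText or commandButton).
    static class Component {
        final String clientId;
        final boolean disabled;      // set at design time, kept in the server-side tree
        String value;
        boolean submissionAccepted;  // true once posted data was applied or an action queued

        Component(String clientId, boolean disabled, String value) {
            this.clientId = clientId;
            this.disabled = disabled;
            this.value = value;
        }
    }

    // Behaviour in the report: a posted parameter is accepted whenever it is present.
    static void decodeTrustingClient(Component c, Map<String, String> params) {
        if (params.containsKey(c.clientId)) {
            c.value = params.get(c.clientId);
            c.submissionAccepted = true;
        }
    }

    // Enforcement on the server: the component's own disabled flag decides,
    // whatever the browser's copy of the markup says.
    static void decodeEnforcingState(Component c, Map<String, String> params) {
        if (c.disabled) {
            return; // ignore posted data for a disabled component
        }
        decodeTrustingClient(c, params);
    }

    public static void main(String[] args) {
        // Constructed POST body, as sent once the disabled attributes were edited in the browser.
        Map<String, String> params = new LinkedHashMap<>();
        params.put("input1", "edited in browser");
        params.put("button1", "Submit");

        Component a = new Component("input1", true, "original");
        Component b = new Component("input1", true, "original");
        decodeTrustingClient(a, params);
        decodeEnforcingState(b, params);
        System.out.println("trusting client: " + a.value + ", accepted=" + a.submissionAccepted);
        System.out.println("enforcing state: " + b.value + ", accepted=" + b.submissionAccepted);
    }
}
```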


[jira] Commented: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.

Posted by "Martin Marinschek (JIRA)" <my...@incubator.apache.org>.
    [ http://issues.apache.org/jira/browse/MYFACES-302?page=comments#action_12315049 ] 

Martin Marinschek commented on MYFACES-302:
-------------------------------------------

Should be fixed in HEAD.

> there's a very seriously security  problem in myfaces but not found in SUN's RI.
> --------------------------------------------------------------------------------
>
>          Key: MYFACES-302
>          URL: http://issues.apache.org/jira/browse/MYFACES-302
>      Project: MyFaces
>         Type: Bug
>     Versions: 1.0.9 beta
>  Environment: JDK  1.4.2
> TOMCAT 5.0.28
>     Reporter: lantian
>     Assignee: Martin Marinschek
>     Priority: Critical



[jira] Closed: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.

Posted by "Martin Marinschek (JIRA)" <my...@incubator.apache.org>.
     [ http://issues.apache.org/jira/browse/MYFACES-302?page=all ]
     
Martin Marinschek closed MYFACES-302:
-------------------------------------

    Fix Version: Nightly Build
     Resolution: Fixed

Has been fixed in the nightly build. Should have been fixed on all components. If you still find a problem, post with the exact component on which this problem was found.

regards,

Martin

> there's a very seriously security  problem in myfaces but not found in SUN's RI.
> --------------------------------------------------------------------------------
>
>          Key: MYFACES-302
>          URL: http://issues.apache.org/jira/browse/MYFACES-302
>      Project: MyFaces
>         Type: Bug
>     Versions: 1.0.9 beta
>  Environment: JDK  1.4.2
> TOMCAT 5.0.28
>     Reporter: lantian
>     Assignee: Martin Marinschek
>     Priority: Critical
>      Fix For: Nightly Build
