Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/04/05 15:10:00 UTC

[jira] [Resolved] (CXF-7702) Remove methods in QueryContext that don't use a custom bean class

     [ https://issues.apache.org/jira/browse/CXF-7702?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh resolved CXF-7702.
--------------------------------------
    Resolution: Fixed

> Remove methods in QueryContext that don't use a custom bean class
> -----------------------------------------------------------------
>
>                 Key: CXF-7702
>                 URL: https://issues.apache.org/jira/browse/CXF-7702
>             Project: CXF
>          Issue Type: Improvement
>            Reporter: Colm O hEigeartaigh
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.2.5
>
>
> The JAX-RS search QueryContext has some methods to return the converted search expression that don't take a bean parameter. This means that it's possible to inject parameters into the search query that are not defined as properties in the bean class, leading to potential injection attacks. Instead all methods should require a bean, similar to the SearchContext.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
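
The bean-bound conversion the issue asks for, as an added example that is not CXF code: a minimal converter that only accepts search property names defined on the bean class. The `Book` bean, the `toWhere` helper, the reduced `a==x;b==y` syntax and the sample inputs are assumptions made for illustration.

```java
import java.beans.*;
import java.util.*;

public class BeanBoundSearch {
    // Hypothetical bean: its properties are the only names a client may search on.
    public static class Book {
        private String title; private int year;
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
        public int getYear() { return year; }
        public void setYear(int y) { year = y; }
    }

    // Property names the bean class exposes (stop class Object excludes "class").
    static Set<String> allowed(Class<?> bean) throws IntrospectionException {
        Set<String> names = new HashSet<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean, Object.class).getPropertyDescriptors()) {
            names.add(pd.getName());
        }
        return names;
    }

    // Converts "a==x;b==y" (';' = AND, equality only) into a parameterised WHERE clause.
    // Every left-hand name must be a property of the bean, otherwise the query is rejected.
    static String toWhere(String expr, Class<?> bean, List<String> params) throws IntrospectionException {
        Set<String> props = allowed(bean);
        List<String> clauses = new ArrayList<>();
        for (String term : expr.split(";")) {
            String[] kv = term.split("==", 2);
            if (kv.length != 2 || !props.contains(kv[0])) {
                throw new IllegalArgumentException("Not a searchable property of " + bean.getSimpleName() + ": " + kv[0]);
            }
            clauses.add(kv[0] + " = ?");   // name is checked against the bean; value is bound, not concatenated
            params.add(kv[1]);
        }
        return String.join(" AND ", clauses);
    }

    public static void main(String[] args) throws Exception {
        List<String> params = new ArrayList<>();
        System.out.println(toWhere("title==Dune;year==1965", Book.class, params) + " " + params);
        try {
            toWhere("title==Dune;passwordHash==x", Book.class, new ArrayList<>()); // constructed input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```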