Posted to dev@beehive.apache.org by "Daryl Olander (JIRA)" <de...@beehive.apache.org> on 2006/02/17 19:15:25 UTC
[jira] Created: (BEEHIVE-1069) Exposed Properties on PageFlowController can be set by hidden fields in a form
Exposed Properties on PageFlowController can be set by hidden fields in a form
-------------------------------------------------------------------------------
Key: BEEHIVE-1069
URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
Project: Beehive
Type: Bug
Components: NetUI
Versions: 1.0.1
Reporter: Daryl Olander
Assigned to: Carlin Rogers
Priority: Blocker
Fix For: 1.0.1
I have the following form that changes the forward path to /bar.jsp:
    <netui:form action="submit">
        <netui:hidden dataSource="pageFlow.currentPageInfo.forward.path " dataInput="/bar.jsp"/>
        <netui:button value="submit" />
    </netui:form>
I also have the following action in my page flow.
    @Jpf.Action(
        forwards={
            @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
        }
    )
    protected Forward submit(Form form)
    {
        return new Forward("index");
    }
If the current page is index.jsp, this should navigate back to that; when the form is submitted, it will navigate to bar.jsp. In my mind this is actually a security hole. I can dynamically change the navigation externally in this situation. I haven't played around with the other exposed properties (currentPageInfo, previousPageInfo, previousActionInfo); all expose the same JavaBean that is not immutable.
I'm going to open a JIRA bug on this. I think this is critical and needs to be fixed now. My suggestion is that we rename these methods on the PageFlowController so they aren't picked up as JavaBean properties.
I suggest we do this to:
currentPageInfo
previousPageInfo
previousActionInfo
moduleConfig
actions
We need to spin a new release on this.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
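
The renaming mitigation proposed in the report above, as an added example (not part of the original message and not Beehive code): a getter that matches the get<Name>() pattern is reachable through a dotted binding path, and the same accessor under a non-bean name is not. The classes, the name theCurrentPageInfo and the bind() resolver are hypothetical, simplified stand-ins for PageFlowController and NetUI's expression handling.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;

public class ExposedPropertyDemo {
    // Hypothetical stand-in for the mutable bean reachable from the controller.
    public static class PageInfo {
        private String path = "/index.jsp";
        public String getPath() { return path; }
        public void setPath(String path) { this.path = path; }
    }
    // Before: accessor matches get<Name>(), so introspection reports a bean property.
    public static class ExposedController {
        private final PageInfo info = new PageInfo();
        public PageInfo getCurrentPageInfo() { return info; }
    }
    // After: same accessor, renamed (assumed name) so it is no longer a bean property.
    public static class RenamedController {
        private final PageInfo info = new PageInfo();
        public PageInfo theCurrentPageInfo() { return info; }
    }
    // Look up one JavaBean property by name; null when introspection does not report it.
    static PropertyDescriptor find(Object bean, String name) throws Exception {
        PropertyDescriptor[] pds =
            Introspector.getBeanInfo(bean.getClass(), Object.class).getPropertyDescriptors();
        for (PropertyDescriptor pd : pds) {
            if (pd.getName().equals(name)) return pd;
        }
        return null;
    }
    // Simplified dotted-path binder: read every segment but the last, then write the last.
    static boolean bind(Object root, String expr, Object value) throws Exception {
        String[] parts = expr.split("\\.");
        Object target = root;
        for (int i = 0; i < parts.length - 1; i++) {
            PropertyDescriptor pd = find(target, parts[i]);
            if (pd == null || pd.getReadMethod() == null) return false;
            target = pd.getReadMethod().invoke(target);
            if (target == null) return false;
        }
        PropertyDescriptor last = find(target, parts[parts.length - 1]);
        if (last == null || last.getWriteMethod() == null) return false;
        last.getWriteMethod().invoke(target, value);
        return true;
    }
    public static void main(String[] args) throws Exception {
        ExposedController before = new ExposedController();
        RenamedController after = new RenamedController();
        boolean b1 = bind(before, "currentPageInfo.path", "/bar.jsp");
        boolean b2 = bind(after, "currentPageInfo.path", "/bar.jsp");
        System.out.println("exposed: bound=" + b1 + " path=" + before.getCurrentPageInfo().getPath());
        System.out.println("renamed: bound=" + b2 + " path=" + after.theCurrentPageInfo().getPath());
    }
}
```

Renaming only removes the entry point from bean introspection; the returned bean is still mutable for any code that calls the accessor directly.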
[jira] Resolved: (BEEHIVE-1069) Exposed Properties on PageFlowController can be set by hidden fields in a form
Posted by "Carlin Rogers (JIRA)" <de...@beehive.apache.org>.
[ http://issues.apache.org/jira/browse/BEEHIVE-1069?page=all ]
Carlin Rogers resolved BEEHIVE-1069:
------------------------------------
Fix Version: v.next
(was: 1.0.1)
Resolution: Fixed
Assign To: Alejandro Ramirez (was: Carlin Rogers)
Daryl fixed this with svn revision 378742. http://svn.apache.org/viewcvs?rev=378742&view=rev
For more implementation details, see the log of his commit.
> Exposed Properties on PageFlowController can be set by hidden fields in a form
> -------------------------------------------------------------------------------
>
> Key: BEEHIVE-1069
> URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: 1.0.1
> Reporter: Daryl Olander
> Assignee: Alejandro Ramirez
> Priority: Blocker
> Fix For: v.next
> Attachments: servletUpdate.zip
>
[jira] Updated: (BEEHIVE-1069) Exposed Properties on PageFlowController can be set by hidden fields in a form
Posted by "Daryl Olander (JIRA)" <de...@beehive.apache.org>.
[ http://issues.apache.org/jira/browse/BEEHIVE-1069?page=all ]
Daryl Olander updated BEEHIVE-1069:
-----------------------------------
Attachment: servletUpdate.zip
Add a page flow that demonstrates the error
> Exposed Properties on PageFlowController can be set by hidden fields in a form
> -------------------------------------------------------------------------------
>
> Key: BEEHIVE-1069
> URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
> Project: Beehive
> Type: Bug
> Components: NetUI
> Versions: 1.0.1
> Reporter: Daryl Olander
> Assignee: Carlin Rogers
> Priority: Blocker
> Fix For: 1.0.1
> Attachments: servletUpdate.zip
>