Posted to commits@myfaces.apache.org by sk...@apache.org on 2008/11/10 15:41:47 UTC

svn commit: r712667 - in /myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra: conversation/ConversationRequestParameterProvider.java viewController/spring/SpringViewControllerScope.java

Author: skitching
Date: Mon Nov 10 06:41:47 2008
New Revision: 712667

URL: http://svn.apache.org/viewvc?rev=712667&view=rev
Log:
Add some minor comments

Modified:
    myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/conversation/ConversationRequestParameterProvider.java
    myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/viewController/spring/SpringViewControllerScope.java

Modified: myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/conversation/ConversationRequestParameterProvider.java
URL: http://svn.apache.org/viewvc/myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/conversation/ConversationRequestParameterProvider.java?rev=712667&r1=712666&r2=712667&view=diff
==============================================================================
--- myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/conversation/ConversationRequestParameterProvider.java (original)
+++ myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/conversation/ConversationRequestParameterProvider.java Mon Nov 10 06:41:47 2008
@@ -88,6 +88,11 @@
         return Long.toString(ctx.getId(), Character.MAX_RADIX);
     }
 
+    //TODO: theoretical security problem here as something can call this method then
+    // modify the 0th element of the returned array. If this library is deployed at the
+    // "shared" level, that means that one webapp can cause a "denial of service" or
+    // similar against other webapps in the container by changing this critical field.
+    // Not a very important flaw, but nevertheless...
     public String[] getFields()
     {
         if (isInSeparationMode())
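Review bot: The TODO added above `getFields()` records that callers can modify the returned array, but the commit leaves the exposure in place and the comment names no remedy. The method body continues outside the hunk, so this is inferred from the comment alone: if the method hands back a reference to a long-lived array, returning a copy closes the hole at negligible cost, e.g. `return <sharedArray>.clone();`, where `<sharedArray>` is a placeholder for whatever array the body actually returns. If the fix has to wait, the warning would be more visible as Javadoc on the method than as a `//` comment, for example `@return the parameter names; callers must not modify the returned array`. The TODO should also say which of the method's return paths hands out the shared array, since the `isInSeparationMode()` branch may return something different.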

Modified: myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/viewController/spring/SpringViewControllerScope.java
URL: http://svn.apache.org/viewvc/myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/viewController/spring/SpringViewControllerScope.java?rev=712667&r1=712666&r2=712667&view=diff
==============================================================================
--- myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/viewController/spring/SpringViewControllerScope.java (original)
+++ myfaces/orchestra/trunk/core/src/main/java/org/apache/myfaces/orchestra/viewController/spring/SpringViewControllerScope.java Mon Nov 10 06:41:47 2008
@@ -63,6 +63,7 @@
  */
 public class SpringViewControllerScope extends AbstractSpringOrchestraScope
 {
+    // should this really be static? Are all the classes it references really static?
     private final static ViewControllerManager DEFAULT_VCM = new DefaultViewControllerManager();
 
     public SpringViewControllerScope()
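Review bot: The new comment on `DEFAULT_VCM` is an open question with no TODO marker, and "Are all the classes it references really static?" does not say what property is in doubt. Presumably the concern is whether `DefaultViewControllerManager` and what it holds are stateless and safe to share, because a `static` instance is shared by every scope instance and, if the jar is loaded by a shared classloader, by every webapp in the container. I would reword it along the lines of `// TODO: confirm DefaultViewControllerManager holds no per-webapp or per-request state; this static instance is shared by all scope instances`. The class body continues outside the hunk, so how `DEFAULT_VCM` is used cannot be checked from here.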