Posted to commits@deltaspike.apache.org by st...@apache.org on 2017/12/21 11:50:47 UTC
[1/2] deltaspike git commit: update versions for various test builds
Repository: deltaspike
Updated Branches:
refs/heads/master bf238f513 -> 72e607f3b
update versions for various test builds
Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/11b40fec
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/11b40fec
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/11b40fec
Branch: refs/heads/master
Commit: 11b40fec0ff29fe27e6a582a8049fa5723f98a3b
Parents: bf238f5
Author: Mark Struberg <st...@apache.org>
Authored: Thu Dec 21 12:49:22 2017 +0100
Committer: Mark Struberg <st...@apache.org>
Committed: Thu Dec 21 12:49:22 2017 +0100
----------------------------------------------------------------------
deltaspike/buildall.sh | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/deltaspike/blob/11b40fec/deltaspike/buildall.sh
----------------------------------------------------------------------
diff --git a/deltaspike/buildall.sh b/deltaspike/buildall.sh
index 944b41b..d81ea7d 100755
--- a/deltaspike/buildall.sh
+++ b/deltaspike/buildall.sh
@@ -24,12 +24,23 @@
#####################################################################################
rm mvn-*log
+
+# CDI-1.0, EE6
mvn clean install -POWB -Dowb.version=1.2.7 -Dopenejb.owb.version=1.2.7 | tee mvn-owb1_2_7.log
-mvn clean install -POWB15,OpenEJB-TomEE -Dowb.version=1.7.2 -Dopenejb.owb.version=1.7.2 -Dopenejb.version=7.0.3 | tee mvn-owb1.7.2.log
mvn clean install -PWeld1 -Dweld.version=1.1.10.Final | tee mvn-weld1_1_10.log
-mvn clean install -PWeld1 -Dweld.version=1.1.28.Final | tee mvn-weld1_1_28.log
-mvn clean install -Ptomee-build-managed -Dtomee.version=1.7.0 -Dopenejb.version=4.7.0 -Dopenejb.owb.version=1.2.6 | tee mvn-tomee_1_7_0.log
-mvn clean install -Pjbossas-build-managed-7 | tee mvn-jbossas_7.log
+mvn clean install -Ptomee-build-managed -Dtomee.version=1.7.5 -Dopenejb.version=4.7.5 -Dopenejb.owb.version=1.2.8 | tee mvn-tomee_1_7_5.log
+
+# jbossas7 is broken on Java8, it strictly requires Java7
+# mvn clean install -Pjbossas-build-managed-7 | tee mvn-jbossas_7.log
+
+# CDI-1.2, EE7
+mvn clean install -POWB15,OpenEJB-TomEE -Dowb.version=1.7.4 -Dopenejb.owb.version=1.7.4 -Dopenejb.version=7.0.4 | tee mvn-owb1.7.4.log
+mvn clean install -PWeld2 -Dweld.version=2.4.6.Final | tee mvn-weld2_4_6.log
+mvn clean install -Pwildfly-build-managed | tee mvn-wildfly9.log
+mvn clean install -Ptomee7-build-managed,OpenEJB-TomEE -Dtomee.version=7.0.4 -Dopenejb.version=7.0.4 -Dopenejb.owb.version=1.7.4 | tee mvn-tomee_7_0_4.log
+
+# CDI-2.0, EE8
+
# and now for the result check
[2/2] deltaspike git commit: DELTASPIKE-1307 sanitise windowId
against JavaScript injection
Posted by st...@apache.org.
DELTASPIKE-1307 sanitise windowId against JavaScript injection
Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/72e607f3
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/72e607f3
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/72e607f3
Branch: refs/heads/master
Commit: 72e607f3be66c30c72b32c24b44e9deaa8e54608
Parents: 11b40fe
Author: Mark Struberg <st...@apache.org>
Authored: Thu Dec 21 12:50:00 2017 +0100
Committer: Mark Struberg <st...@apache.org>
Committed: Thu Dec 21 12:50:00 2017 +0100
----------------------------------------------------------------------
.../strategy/AbstractClientWindowStrategy.java | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/deltaspike/blob/72e607f3/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
index 4078e45..f98bdc7 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/strategy/AbstractClientWindowStrategy.java
@@ -25,7 +25,6 @@ import javax.annotation.PostConstruct;
import javax.faces.context.FacesContext;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
-import org.apache.deltaspike.core.spi.scope.window.WindowContext;
import org.apache.deltaspike.jsf.api.config.JsfModuleConfig;
import org.apache.deltaspike.jsf.impl.util.ClientWindowHelper;
import org.apache.deltaspike.jsf.spi.scope.window.ClientWindow;
@@ -52,9 +51,6 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
@Inject
protected JsfModuleConfig jsfModuleConfig;
- @Inject
- protected WindowContext windowContext;
-
private int maxWindowIdCount = 10;
@PostConstruct
@@ -77,8 +73,11 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
windowId = getOrCreateWindowId(facesContext);
+
if (windowId != null)
{
+ windowId = sanitiseWindowId(windowId);
+
// don't cut the windowId generated from JSF
ClientWindowConfig.ClientWindowRenderMode clientWindowRenderMode =
clientWindowConfig.getClientWindowRenderMode(facesContext);
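Review bot: The new call `windowId = sanitiseWindowId(windowId);` cleans only the value that getOrCreateWindowId hands back, so if a concrete strategy has already stored or echoed the raw request value inside that call (for example into a cookie, the session, or a redirect URL — none of which is visible here), the unsanitised id has left the code path before this line runs. It would be worth confirming in the subclasses that nothing persists the id before returning it, or moving the sanitisation into the implementations at the point where the request parameter is read. The enclosing method starts outside the hunk, so its signature and callers cannot be checked from here.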
@@ -96,6 +95,17 @@ public abstract class AbstractClientWindowStrategy implements ClientWindow
return windowId;
}
+
+ /**
+ * We have to escape some characters to make sure we do not open
+ * any XSS vectors. E.g. replace () etc to
+ * prevent attackers from injecting JavaScript function calls.
+ */
+ protected String sanitiseWindowId(String windowId)
+ {
+ return windowId.replace('(', '_');
+ }
+
protected abstract String getOrCreateWindowId(FacesContext facesContext);
protected String generateNewWindowId()
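Review bot: sanitiseWindowId replaces only the opening parenthesis, while its own Javadoc promises to neutralise `()` "etc."; `)`, `<`, `>`, single and double quotes, `;`, `=` and backslashes still pass through, so a closing tag or an attribute-breaking quote survives the filter wherever the id is later interpolated into markup or script. A one-character denylist is not a dependable XSS defence; prefer an allow-list, e.g. `return windowId.replaceAll("[^A-Za-z0-9_-]", "_");` (ids produced by generateNewWindowId are presumably alphanumeric and would pass unchanged — confirm against that method, whose body is outside the hunk). Even with a stricter filter, the sink that writes the id into HTML or JavaScript should still encode it for that context, since input sanitisation alone is fragile. The Javadoc should then state the actual rule, e.g. `Only [A-Za-z0-9_-] is kept; every other character is replaced by '_' so the id can never break out of an attribute or script context.`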