Posted to dev@myfaces.apache.org by "Yee-Wah Lee (JIRA)" <de...@myfaces.apache.org> on 2008/10/14 22:19:44 UTC

[jira] Created: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
---------------------------------------------------------------------------------------

                 Key: TRINIDAD-1258
                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
             Project: MyFaces Trinidad
          Issue Type: Bug
          Components: Components
    Affects Versions: 1.2.9-core
            Reporter: Yee-Wah Lee
            Priority: Minor


1. Run the inputDate demo
http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx

2. Open the inputDate popup and copy its URL using right click/Properties 
http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8

3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8

4. Load the modified URL in the browser - an alert popup appears. 


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Updated: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Yee-Wah Lee (JIRA)" <de...@myfaces.apache.org>.
     [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yee-Wah Lee updated TRINIDAD-1258:
----------------------------------

    Status: Patch Available  (was: Reopened)

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff, trin12_1258_add.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 



[jira] Updated: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Matthias Weßendorf (JIRA)" <de...@myfaces.apache.org>.
     [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Weßendorf updated TRINIDAD-1258:
-----------------------------------------

       Resolution: Fixed
    Fix Version/s:     (was:  1.2.11-core)
                    1.2.12-core
           Status: Resolved  (was: Patch Available)

patch was already applied...

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.12-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff, trin12_1258_add.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 



[jira] Commented: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Matthias Weßendorf (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689824#action_12689824 ] 

Matthias Weßendorf commented on TRINIDAD-1258:
----------------------------------------------

+        ServletRequest req = (ServletRequest)
+                             fc.getExternalContext().getRequest();
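Review bot: The cast to ServletRequest on the result of fc.getExternalContext().getRequest() is unchecked. getRequest() returns Object, and under a portlet container that object is a portlet request rather than a ServletRequest, so this line would throw ClassCastException there. Test with instanceof ServletRequest before casting and take a fallback path otherwise; if req is only needed to read a request parameter, fc.getExternalContext().getRequestParameterMap() avoids the container-specific type.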

What about the portlet scenario?

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff, trin12_1258_add.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 



[jira] Issue Comment Edited: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Yee-Wah Lee (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12689912#action_12689912 ] 

Yee-Wah Lee edited comment on TRINIDAD-1258 at 3/31/09 2:30 PM:
----------------------------------------------------------------

Per Scott: Requests to the resource servlet should have access to a servlet request even in a portlet environment. When running JSF, you'll get the portlet request object, but you should always have a viewRoot.  So as long as you check for the view root first, I think you'll be fine. 

  
> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff, trin12_1258_add.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 



[jira] Resolved: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Matthias Weßendorf (JIRA)" <de...@myfaces.apache.org>.
     [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matthias Weßendorf resolved TRINIDAD-1258.
------------------------------------------

       Resolution: Fixed
    Fix Version/s:  1.2.11-core
                    1.0.11-core

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 



[jira] Commented: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Yee-Wah Lee (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12646767#action_12646767 ] 

Yee-Wah Lee commented on TRINIDAD-1258:
---------------------------------------

Uploading patch for 1.1 and 1.2 trunks that:
- Verifies that the language and country arguments used in creating a Locale object (constructor takes language, country, variant) are valid per Javadoc standards before creating it. The variant is vendor-specific, so it just checks for slashes and rejects them due to XSS.
- Logs a warning if any of the arguments fail to pass, and uses default or empty
- Fixes NamedLocaleInfoScriptlet to work with the change. In the original TRINIDAD-797 fix, it would add the argument in getLibraryURL but with the fix added by TRINIDAD-879, there were two '?' delimiters in the request. The skipTranslations argument was mangled with the locale argument so the code to retrieve the Locale would fail (since the language code was > 2 characters) and the requested locale was not loaded. The fix is to override addExtraParams() and add the additional parameter correctly. 

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>         Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Reopened: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Scott O'Bryan (JIRA)" <de...@myfaces.apache.org>.
     [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Scott O'Bryan reopened TRINIDAD-1258:
-------------------------------------


Caused a regression in functionality

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 



[jira] Commented: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

Posted by "Scott O'Bryan (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688997#action_12688997 ] 

Scott O'Bryan commented on TRINIDAD-1258:
-----------------------------------------

This patch caused a regression.  When this is used from the ResourceServlet, a NullPointerException is generated:

java.lang.NullPointerException
        at org.apache.myfaces.trinidadinternal.util.nls.LocaleUtils.getLocaleForIANAString(LocaleUtils.java:154)
        at org.apache.myfaces.trinidadinternal.resource.TranslationsResourceLoader.getString(TranslationsResourceLoader.java:102)
        at org.apache.myfaces.trinidad.resource.StringContentResourceLoader.getURL(StringContentResourceLoader.java:50)
        at org.apache.myfaces.trinidadinternal.resource.TranslationsResourceLoader.findResource(TranslationsResourceLoader.java:90)
        at org.apache.myfaces.trinidad.resource.ResourceLoader.getResource(ResourceLoader.java:67)
        Truncated. see log file for complete stacktrace

This is caused by some code which attempts to get the Locale from the ViewRoot on the FacesContext.  In Trinidad, the ResourceServlet initializes a FacesContext, but it does NOT initialize a ViewRoot and, as such, the view is null.  This code needs to be able to handle a null view root.

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 
