Posted to dev@myfaces.apache.org by "Martin Marinschek (JIRA)" <my...@incubator.apache.org> on 2005/07/27 09:56:19 UTC
[jira] Closed: (MYFACES-302) there's a very seriously security problem in myfaces but not found in SUN's RI.
[ http://issues.apache.org/jira/browse/MYFACES-302?page=all ]
Martin Marinschek closed MYFACES-302:
-------------------------------------
Fix Version: Nightly Build
Resolution: Fixed
Has been fixed in the nightly build. Should have been fixed on all components. If you still find a problem, post with the exact component on which this problem was found.
regards,
Martin
> there's a very seriously security problem in myfaces but not found in SUN's RI.
> --------------------------------------------------------------------------------
>
> Key: MYFACES-302
> URL: http://issues.apache.org/jira/browse/MYFACES-302
> Project: MyFaces
> Type: Bug
> Versions: 1.0.9 beta
> Environment: JDK 1.4.2
> TOMCAT 5.0.28
> Reporter: lantian
> Assignee: Martin Marinschek
> Priority: Critical
> Fix For: Nightly Build
>
> step1: I set "true" to the disabled property of the inputText named input1 and the commandButton named button1 at design time.
> step2: I view the page with the Firefox browser, and I cannot modify the data of input1 and cannot click button1, of course.
> step3: I change the disabled property of input1 and button1 to "false" in the page with the DOM Inspector tool supplied by Firefox.
> step4: Now I can modify the data of input1 and can click button1. I find that the new data was submitted to the server and the action of button1 was invoked.
> It means that the disabled property of MyFaces components cannot work securely.
> I made the same test with SUN's RI; it works well.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
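
The report above turns on where the disabled flag is enforced: the browser only hides the control, so the server has to consult its own component state when it decodes the request. The following Java program is an added example, not code from the original message or from MyFaces; it models the decode step with plain maps rather than the JSF API, and the class names, method names and client ids (form1:input1, form1:button1) are hypothetical.

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

// Simplified model of decoding submitted form values; this is not the JSF API.
public class DisabledDecodeDemo {

    // Hypothetical stand-in for a server-side component (inputText or commandButton).
    static class Component {
        final String clientId;
        final boolean disabled;   // server-side state, set at design time
        final boolean isCommand;  // true for a button, false for an input
        String submittedValue;
        boolean actionQueued;

        Component(String clientId, boolean disabled, boolean isCommand) {
            this.clientId = clientId;
            this.disabled = disabled;
            this.isCommand = isCommand;
        }
    }

    // Behaviour described in the report: any parameter matching the client id is accepted.
    static void decodeTrustingClient(Component c, Map<String, String> params) {
        if (!params.containsKey(c.clientId)) return;
        if (c.isCommand) c.actionQueued = true;
        else c.submittedValue = params.get(c.clientId);
    }

    // Hardened form: the server-side flag decides; the browser's DOM state is never consulted.
    static void decodeCheckingServerState(Component c, Map<String, String> params) {
        if (c.disabled) return;
        decodeTrustingClient(c, params);
    }

    public static void main(String[] args) {
        // Constructed request: what the browser posts once "disabled" was changed in the DOM.
        Map<String, String> params = new HashMap<>();
        params.put("form1:input1", "tampered");
        params.put("form1:button1", "Submit");

        for (boolean hardened : new boolean[] {false, true}) {
            Component input1 = new Component("form1:input1", true, false);
            Component button1 = new Component("form1:button1", true, true);
            for (Component c : Arrays.asList(input1, button1)) {
                if (hardened) decodeCheckingServerState(c, params);
                else decodeTrustingClient(c, params);
            }
            System.out.println((hardened ? "hardened" : "trusting") + ": input1 value="
                    + input1.submittedValue + ", button1 action queued=" + button1.actionQueued);
        }
    }
}
```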