Posted to dev@myfaces.apache.org by "Scott O'Bryan (JIRA)" <de...@myfaces.apache.org> on 2009/03/25 05:37:50 UTC

[jira] Commented: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

    [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688997#action_12688997 ] 

Scott O'Bryan commented on TRINIDAD-1258:
-----------------------------------------

This patch caused a regression.  When this is used from the ResourceServlet, a NullPointerException is generated:

java.lang.NullPointerException
        at org.apache.myfaces.trinidadinternal.util.nls.LocaleUtils.getLocaleForIANAString(LocaleUtils.java:154)
        at org.apache.myfaces.trinidadinternal.resource.TranslationsResourceLoader.getString(TranslationsResourceLoader.java:102)
        at org.apache.myfaces.trinidad.resource.StringContentResourceLoader.getURL(StringContentResourceLoader.java:50)
        at org.apache.myfaces.trinidadinternal.resource.TranslationsResourceLoader.findResource(TranslationsResourceLoader.java:90)
        at org.apache.myfaces.trinidad.resource.ResourceLoader.getResource(ResourceLoader.java:67)
        Truncated. see log file for complete stacktrace

This is caused by some code which attempts to get the Locale from the ViewRoot on the FacesContext.  In Trinidad, the ResourceServlet initializes a FacesContext, but it does NOT initialize a ViewRoot and, as such, the view is null.  This code needs to be able to handle a null view root.

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>             Fix For:  1.0.11-core,  1.2.11-core
>
>         Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
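
The two requirements in this thread (reject a `loc` value that is not a well-formed locale, and do not fail when no ViewRoot exists) can be met together, as in this added example, which is not part of the original message and is not the Trinidad patch. The class `SafeLocaleParam`, the method `resolve` and its parameters are hypothetical; `viewRootLocale` stands in for the locale taken from the ViewRoot and is null in the ResourceServlet case.

```java
import java.util.Locale;
import java.util.regex.Pattern;

public class SafeLocaleParam {
    // Allow-list: a language subtag plus up to two further subtags, letters and
    // digits only. Markup characters such as '<', '>', '(' or '/' can never match.
    private static final Pattern IANA_LOCALE =
        Pattern.compile("[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8}){0,2}");

    /**
     * Resolves the locale for a request.
     * loc            raw request parameter (untrusted, may be null)
     * viewRootLocale locale from the view root, or null when there is no view root
     * requestLocale  locale negotiated for the request, may be null
     */
    static Locale resolve(String loc, Locale viewRootLocale, Locale requestLocale) {
        if (loc != null && IANA_LOCALE.matcher(loc).matches()) {
            Locale parsed = Locale.forLanguageTag(loc);
            if (!parsed.getLanguage().isEmpty()) {
                return parsed;
            }
        }
        // Invalid or missing parameter: fall back without dereferencing a null view root.
        if (viewRootLocale != null) {
            return viewRootLocale;
        }
        return requestLocale != null ? requestLocale : Locale.getDefault();
    }

    public static void main(String[] args) {
        // Inputs constructed for this example; the second is the decoded loc value
        // from step 3 of the issue description.
        String[] inputs = { "en", "en<script>alert(document.cookie)</script>", "de-AT", null };
        for (String loc : inputs) {
            // No view root available, as when called from the ResourceServlet.
            Locale resolved = resolve(loc, null, Locale.ENGLISH);
            // Emit the canonical tag, never the raw parameter string.
            System.out.println(loc + " -> " + resolved.toLanguageTag());
        }
    }
}
```

Writing `toLanguageTag()` into the generated script, rather than the request parameter itself, means the output can only ever contain a canonical language tag.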