You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@myfaces.apache.org by "ASF GitHub Bot (JIRA)" <de...@myfaces.apache.org> on 2018/11/22 13:53:00 UTC

[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

    [ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16695920#comment-16695920 ] 

ASF GitHub Bot commented on MYFACES-4266:
-----------------------------------------

cnsgithub opened a new pull request #27: fixes https://issues.apache.org/jira/browse/MYFACES-4266
URL: https://github.com/apache/myfaces/pull/27
 
 
   Fixes
   - https://issues.apache.org/jira/browse/MYFACES-4266
   
   Related to
   - https://github.com/primefaces/primefaces/issues/3875
   
   @tandraschko Could you please check that?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
>                 Key: MYFACES-4266
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4266
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.3.2
>         Environment: jetty 9.4.14.v20181114
> JDK 10
>            Reporter: cnsgithub
>            Priority: Major
>
> I noticed that the {{<f:ajax />}} update fails when the updated form contains unicode characters, which are not allowed in the [XML 1.0 spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
>  To reproduce:
>  - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
>  - {{git checkout myfaces}}
>  - run {{mvn clean package jetty:run}}
>  - after the server has started, open [http://localhost:8080/index.xhtml]
>  - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
>  - open [http://localhost:8080/input.xhtml]
>  - Paste the characters from the {{illegal-xml-chars.txt}} file into the input field
>  - Click the button
> This issue should be addressed with high priority since it is security related (might be exploited for Denial of Service).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)