Posted to users@myfaces.apache.org by José Luis Cetina <ma...@gmail.com> on 2012/06/12 22:00:19 UTC

h:outputStylesheet

If I use
outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
with this folder structure
resources/
  css/
    my.css


But if I create another folder inside css this stops working
resources/
  css/
    test/
      my.css

outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.

Is this a bug??

Re: h:outputStylesheet

Posted by Mike Kienenberger <mk...@gmail.com>.
My mistake.  I misread the updated code.   Even though "." and "/" are
allowed, the security bug is fixed since the combinations of "..",
"../" and "/.." are still disallowed.

Sorry for the false alarm -- I should have tested it myself first,
which I just did with 2.1.7.

On Tue, Jun 12, 2012 at 4:20 PM, Mike Kienenberger <mk...@gmail.com> wrote:
> See issue https://issues.apache.org/jira/browse/MYFACES-3454
>
> It's not a good idea to change the behavior back.   It introduces a
> security hole.
>
> http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E
>
>
> On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
> <ma...@gmail.com> wrote:
>> Hi,
>>
>> it is not possible to use / in library name. Try
>>
>> 1) outputStylesheet library="css" name="test/my.css"
>>
>> 2) or set context param
>>
>> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>>
>> to
>>
>> true
>>
>>
>>
>>
>> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
>>> If I use
>>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
>>> with this folder structure
>>> resources/
>>>   css/
>>>     my.css
>>>
>>>
>>> But if I create another folder inside css this stops working
>>> resources/
>>>   css/
>>>     test/
>>>       my.css
>>>
>>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
>>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
>>>
>>> Is this a bug??
>>
>>
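
The rule described in the message above (".." combinations refused, "/" in a library name accepted only when the context param is enabled), as an added Java example that is not MyFaces source and not code from any poster. The class, its method names and the /app/resources root are hypothetical, and the normalise-and-contain step is an extra defensive layer assumed here.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration only: hypothetical class, not MyFaces source code.
public class LibraryNameCheck {

    // Constructed resource root for the example.
    static final Path ROOT = Paths.get("/app/resources");

    // allowSlash stands in for the effect the thread attributes to
    // org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME=true.
    static boolean isValidLibraryName(String lib, boolean allowSlash) {
        if (lib == null || lib.isEmpty()) {
            return false;
        }
        if (lib.contains("..")) {
            return false; // covers "..", "../" and "/.." in any position
        }
        return allowSlash || lib.indexOf('/') < 0;
    }

    // Returns the resolved path, or null when the request is refused.
    static Path resolve(String lib, String name, boolean allowSlash) {
        if (!isValidLibraryName(lib, allowSlash) || name == null) {
            return null;
        }
        // Assumed second layer: normalise, then require containment in ROOT.
        Path p = ROOT.resolve(lib).resolve(name).normalize();
        return p.startsWith(ROOT) ? p : null;
    }

    public static void main(String[] args) {
        String[][] cases = {
            {"css", "my.css"},        // from the thread
            {"css", "test/my.css"},   // option 1 in the thread
            {"css/test", "my.css"},   // needs the context param
            {"css/..", "my.css"},     // constructed: refused either way
            {"css", "../../x"},       // constructed: caught by containment
        };
        for (boolean allowSlash : new boolean[] {false, true}) {
            for (String[] c : cases) {
                System.out.printf("allowSlash=%-5b library=%-9s name=%-12s -> %s%n",
                        allowSlash, c[0], c[1], resolve(c[0], c[1], allowSlash));
            }
        }
    }
}
```

With allowSlash enabled, library="css/test" name="my.css" and library="css" name="test/my.css" resolve to the same file, which is why either option from the thread works.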

Re: h:outputStylesheet

Posted by José Luis Cetina <ma...@gmail.com>.
Ok, thanks

2012/6/13 Leonardo Uribe <lu...@gmail.com>

> Hi
>
> Older versions of MyFaces (Core 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5)
> have the problem. Updating to 2.1.6/2.0.12 or a later version fixes the
> problem. See CVE-2011-4367 for details.
>
> regards,
>
> Leonardo Uribe
>
> 2012/6/13 José Luis Cetina <ma...@gmail.com>:
> > And what about the mentioned security hole? Does this apply to older versions
> > of MyFaces?
> > On 13/06/2012 02:41, "Leonardo Uribe" <lu...@gmail.com> wrote:
> >
> >> Hi
> >>
> >> The param was introduced because according to the spec, "/" is not
> >> allowed in libraryName. Enabling it does not cause any problem. No need
> >> to worry about it.
> >>
> >> regards,
> >>
> >> Leonardo Uribe
> >>
> >> 2012/6/12 Mike Kienenberger <mk...@gmail.com>:
> >> > See issue https://issues.apache.org/jira/browse/MYFACES-3454
> >> >
> >> > It's not a good idea to change the behavior back.   It introduces a
> >> > security hole.
> >> >
> >> > http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E
> >> >
> >> >
> >> > On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
> >> > <ma...@gmail.com> wrote:
> >> >> Hi,
> >> >>
> >> >> it is not possible to use / in library name. Try
> >> >>
> >> >> 1) outputStylesheet library="css" name="test/my.css"
> >> >>
> >> >> 2) or set context param
> >> >>
> >> >> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
> >> >>
> >> >> to
> >> >>
> >> >> true
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
> >> >>> If I use
> >> >>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
> >> >>> with this folder structure
> >> >>> resources/
> >> >>>   css/
> >> >>>     my.css
> >> >>>
> >> >>>
> >> >>> But if I create another folder inside css this stops working
> >> >>> resources/
> >> >>>   css/
> >> >>>     test/
> >> >>>       my.css
> >> >>>
> >> >>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
> >> >>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
> >> >>>
> >> >>> Is this a bug??
> >> >>
> >> >>
> >>
>



-- 
-------------------------------------------------------------------
*SCJA. José Luis Cetina*
-------------------------------------------------------------------

Re: h:outputStylesheet

Posted by Leonardo Uribe <lu...@gmail.com>.
Hi

Older versions of MyFaces (Core 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5)
have the problem. Updating to 2.1.6/2.0.12 or a later version fixes the
problem. See CVE-2011-4367 for details.

regards,

Leonardo Uribe

2012/6/13 José Luis Cetina <ma...@gmail.com>:
> And what about the mentioned security hole? Does this apply to older versions
> of MyFaces?
> On 13/06/2012 02:41, "Leonardo Uribe" <lu...@gmail.com> wrote:
>
>> Hi
>>
>> The param was introduced because according to the spec, "/" is not
>> allowed in libraryName. Enabling it does not cause any problem. No need
>> to worry about it.
>>
>> regards,
>>
>> Leonardo Uribe
>>
>> 2012/6/12 Mike Kienenberger <mk...@gmail.com>:
>> > See issue https://issues.apache.org/jira/browse/MYFACES-3454
>> >
>> > It's not a good idea to change the behavior back.   It introduces a
>> > security hole.
>> >
>> > http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E
>> >
>> >
>> > On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
>> > <ma...@gmail.com> wrote:
>> >> Hi,
>> >>
>> >> it is not possible to use / in library name. Try
>> >>
>> >> 1) outputStylesheet library="css" name="test/my.css"
>> >>
>> >> 2) or set context param
>> >>
>> >> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>> >>
>> >> to
>> >>
>> >> true
>> >>
>> >>
>> >>
>> >>
>> >> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
>> >>> If I use
>> >>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
>> >>> with this folder structure
>> >>> resources/
>> >>>   css/
>> >>>     my.css
>> >>>
>> >>>
>> >>> But if I create another folder inside css this stops working
>> >>> resources/
>> >>>   css/
>> >>>     test/
>> >>>       my.css
>> >>>
>> >>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
>> >>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
>> >>>
>> >>> Is this a bug??
>> >>
>> >>
>>

Re: h:outputStylesheet

Posted by José Luis Cetina <ma...@gmail.com>.
And what about the mentioned security hole? Does this apply to older versions
of MyFaces?
On 13/06/2012 02:41, "Leonardo Uribe" <lu...@gmail.com> wrote:

> Hi
>
> The param was introduced because according to the spec, "/" is not
> allowed in libraryName. Enabling it does not cause any problem. No need
> to worry about it.
>
> regards,
>
> Leonardo Uribe
>
> 2012/6/12 Mike Kienenberger <mk...@gmail.com>:
> > See issue https://issues.apache.org/jira/browse/MYFACES-3454
> >
> > It's not a good idea to change the behavior back.   It introduces a
> > security hole.
> >
> > http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E
> >
> >
> > On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
> > <ma...@gmail.com> wrote:
> >> Hi,
> >>
> >> it is not possible to use / in library name. Try
> >>
> >> 1) outputStylesheet library="css" name="test/my.css"
> >>
> >> 2) or set context param
> >>
> >> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
> >>
> >> to
> >>
> >> true
> >>
> >>
> >>
> >>
> >> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
> >>> If I use
> >>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
> >>> with this folder structure
> >>> resources/
> >>>   css/
> >>>     my.css
> >>>
> >>>
> >>> But if I create another folder inside css this stops working
> >>> resources/
> >>>   css/
> >>>     test/
> >>>       my.css
> >>>
> >>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
> >>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
> >>>
> >>> Is this a bug??
> >>
> >>
>

Re: h:outputStylesheet

Posted by Leonardo Uribe <lu...@gmail.com>.
Hi

The param was introduced because according to the spec, "/" is not
allowed in libraryName. Enabling it does not cause any problem. No need
to worry about it.

regards,

Leonardo Uribe

2012/6/12 Mike Kienenberger <mk...@gmail.com>:
> See issue https://issues.apache.org/jira/browse/MYFACES-3454
>
> It's not a good idea to change the behavior back.   It introduces a
> security hole.
>
> http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E
>
>
> On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
> <ma...@gmail.com> wrote:
>> Hi,
>>
>> it is not possible to use / in library name. Try
>>
>> 1) outputStylesheet library="css" name="test/my.css"
>>
>> 2) or set context param
>>
>> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>>
>> to
>>
>> true
>>
>>
>>
>>
>> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
>>> If I use
>>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
>>> with this folder structure
>>> resources/
>>>   css/
>>>     my.css
>>>
>>>
>>> But if I create another folder inside css this stops working
>>> resources/
>>>   css/
>>>     test/
>>>       my.css
>>>
>>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
>>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
>>>
>>> Is this a bug??
>>
>>

Re: h:outputStylesheet

Posted by Mike Kienenberger <mk...@gmail.com>.
See issue https://issues.apache.org/jira/browse/MYFACES-3454

It's not a good idea to change the behavior back.   It introduces a
security hole.

http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E


On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
<ma...@gmail.com> wrote:
> Hi,
>
> it is not possible to use / in library name. Try
>
> 1) outputStylesheet library="css" name="test/my.css"
>
> 2) or set context param
>
> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>
> to
>
> true
>
>
>
>
> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
>> If I use
>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
>> with this folder structure
>> resources/
>>   css/
>>     my.css
>>
>>
>> But if I create another folder inside css this stops working
>> resources/
>>   css/
>>     test/
>>       my.css
>>
>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
>>
>> Is this a bug??
>
>

Re: h:outputStylesheet

Posted by Martin Koci <ma...@gmail.com>.
Hi,

it is not possible to use / in library name. Try 

1) outputStylesheet library="css" name="test/my.css"

2) or set context param

org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME

to

true
    



José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
> If I use
> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
> with this folder structure
> resources/
>   css/
>     my.css
>
>
> But if I create another folder inside css this stops working
> resources/
>   css/
>     test/
>       my.css
>
> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
> 
> Is this a bug??



Re: h:outputStylesheet

Posted by Thomas Andraschko <zo...@googlemail.com>.
Hi,

don't know exactly anymore but could you try:

outputStylesheet library="css" name="test/my.css" ?

Regards,
Thomas

2012/6/12 José Luis Cetina <ma...@gmail.com>

> If I use
> outputStylesheet library="css" name="my.css"  (in my h:head tag) works OK
> with this folder structure
> resources/
>   css/
>     my.css
>
>
> But if I create another folder inside css this stops working
> resources/
>   css/
>     test/
>       my.css
>
> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
>
> Is this a bug??
>