Posted to dev@myfaces.apache.org by "Yee-Wah Lee (JIRA)" <de...@myfaces.apache.org> on 2008/11/12 02:23:44 UTC

[jira] Commented: (TRINIDAD-1258) GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet

    [ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12646767#action_12646767 ] 

Yee-Wah Lee commented on TRINIDAD-1258:
---------------------------------------

Uploading patch for 1.1 and 1.2 trunks that:
- Verifies that the language and country arguments used in creating a Locale object (constructor takes language, country, variant) are valid per Javadoc standards before creating it. For the variant, which is vendor-specific, it just checks for slashes and rejects them due to XSS.
- Logs a warning if any of the arguments fail to pass, and uses default or empty.
- Fixes NamedLocaleInfoScriptlet to work with the change. In the original TRINIDAD-797 fix, it would add the argument in getLibraryURL but with the fix added by TRINIDAD-879, there were two '?' delimiters in the request. The skipTranslations argument was mangled with the locale argument so the code to retrieve the Locale would fail (since the language code was > 2 characters) and the requested locale was not loaded. The fix is to override addExtraParams() and add the additional parameter correctly. 

> GenericEntry allows invalid locale parameter - XSS vulnerability in LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
>                 Key: TRINIDAD-1258
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>          Components: Components
>    Affects Versions: 1.2.9-core
>            Reporter: Yee-Wah Lee
>            Assignee: Matthias Weßendorf
>            Priority: Critical
>         Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties 
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
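
An added example, not the attached patch or Trinidad's own code: one way to validate the language, country and variant of a locale request parameter before constructing a Locale, with the warn-and-fall-back behaviour the comment describes. The class name, the `_`/`-` separator handling and the variant allow-list (stricter than the slash check described in the comment) are assumptions.

```java
import java.util.Locale;
import java.util.logging.Logger;
import java.util.regex.Pattern;

public class LocaleParamCheck {
  private static final Logger LOG = Logger.getLogger(LocaleParamCheck.class.getName());
  // Locale Javadoc: language is a two-letter ISO 639 code, country a two-letter ISO 3166 code.
  private static final Pattern LANGUAGE = Pattern.compile("[A-Za-z]{2}");
  private static final Pattern COUNTRY = Pattern.compile("[A-Za-z]{2}");
  // Assumption: allow-list for the vendor-specific variant; it excludes '/', '<' and '>'.
  private static final Pattern VARIANT = Pattern.compile("[A-Za-z0-9_]{1,16}");

  /** Builds a Locale from a request parameter, falling back when a part is invalid. */
  static Locale parse(String param, Locale fallback) {
    if (param == null) return fallback;
    // Assumption: parts are separated by '_' or '-', e.g. "en", "en_US", "de-DE-POSIX".
    String[] parts = param.split("[_-]", 3);
    String language = parts[0];
    if (!LANGUAGE.matcher(language).matches()) {
      // The raw value is deliberately not logged, so it cannot inject into the log.
      LOG.warning("Invalid language in locale parameter; using default locale");
      return fallback;
    }
    String country = parts.length > 1 ? parts[1] : "";
    if (!country.isEmpty() && !COUNTRY.matcher(country).matches()) {
      LOG.warning("Invalid country in locale parameter; using empty country");
      country = "";
    }
    String variant = parts.length > 2 ? parts[2] : "";
    if (!variant.isEmpty() && !VARIANT.matcher(variant).matches()) {
      LOG.warning("Invalid variant in locale parameter; using empty variant");
      variant = "";
    }
    return new Locale(language.toLowerCase(Locale.ROOT), country.toUpperCase(Locale.ROOT), variant);
  }

  public static void main(String[] args) {
    // Constructed inputs; the last is the decoded loc value from the report above.
    String[] samples = {"en", "en_US", "de-DE-POSIX", "en_US_a/b",
                        "en<script>alert(document.cookie)</script>"};
    for (String s : samples) {
      System.out.println(s + " -> " + parse(s, Locale.ENGLISH));
    }
  }
}
```

Because the value that reaches the generated script is rebuilt from the validated parts rather than echoed from the request, the modified `loc` value from the report resolves to the fallback locale.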