Posted to issues@cxf.apache.org by "Colm O hEigeartaigh (JIRA)" <ji...@apache.org> on 2018/04/05 13:34:00 UTC
[jira] [Created] (CXF-7702) Remove methods in QueryContext that don't use a custom bean class
Colm O hEigeartaigh created CXF-7702:
----------------------------------------
Summary: Remove methods in QueryContext that don't use a custom bean class
Key: CXF-7702
URL: https://issues.apache.org/jira/browse/CXF-7702
Project: CXF
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 3.2.5
The JAX-RS search QueryContext has some methods to return the converted search expression that don't take a bean parameter. This means that it's possible to inject parameters into the search query that are not defined as properties in the bean class, leading to potential injection attacks. Instead all methods should require a bean, similar to the SearchContext.
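The property check the issue asks for, as an added example that is not part of the original message and is not CXF code: a converter that only accepts search property names exposed by a bean class, next to the bean-less form that passes any name through. The class, the method names, the `Book` bean and the simplified `name==value;name==value` grammar are assumptions made for this illustration.

```java
import java.beans.IntrospectionException;
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.util.*;

// Added illustration; class and method names are hypothetical, not CXF API.
public class BeanBoundSearch {
    // Hypothetical bean: only "name" and "year" are searchable.
    public static class Book {
        public String getName() { return null; }
        public int getYear() { return 0; }
    }

    // Property names the bean exposes through getters ("class" is excluded).
    static Set<String> beanProperties(Class<?> bean) throws IntrospectionException {
        Set<String> names = new HashSet<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean, Object.class).getPropertyDescriptors()) {
            if (pd.getReadMethod() != null) names.add(pd.getName());
        }
        return names;
    }

    // Converts "a==1;b==2" (';' is AND) to a WHERE clause with bound values.
    // bean == null models the bean-less conversion: names are not checked.
    static String convert(String expr, Class<?> bean, List<String> params) throws IntrospectionException {
        Set<String> allowed = bean == null ? null : beanProperties(bean);
        StringBuilder where = new StringBuilder();
        for (String term : expr.split(";")) {
            String[] kv = term.split("==", 2);
            if (kv.length != 2) throw new IllegalArgumentException("Malformed term: " + term);
            if (allowed != null && !allowed.contains(kv[0])) {
                throw new IllegalArgumentException("Not a property of " + bean.getSimpleName() + ": " + kv[0]);
            }
            if (where.length() > 0) where.append(" AND ");
            where.append(kv[0]).append(" = ?"); // name goes into the query text
            params.add(kv[1]);                  // value is bound, never concatenated
        }
        return where.toString();
    }

    public static void main(String[] args) throws IntrospectionException {
        String expr = "name==CXF;password_hash==x"; // constructed input
        System.out.println(convert(expr, null, new ArrayList<>())); // unchecked name reaches the query
        try {
            convert(expr, Book.class, new ArrayList<>());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Binding the values alone does not help here, because the property name becomes part of the query text; the bean class is what limits which names are accepted.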