Posted to commits@deltaspike.apache.org by ta...@apache.org on 2015/07/22 21:06:11 UTC

deltaspike git commit: DELTASPIKE-963 Header injection due to unescaped key in JsfUtils

Repository: deltaspike
Updated Branches:
  refs/heads/master b463bcf59 -> 0b8924f75


DELTASPIKE-963 Header injection due to unescaped key in JsfUtils

Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/0b8924f7
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/0b8924f7
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/0b8924f7

Branch: refs/heads/master
Commit: 0b8924f7519e806c7246d620dce6da4bb3526dfd
Parents: b463bcf
Author: Thomas Andraschko <ta...@apache.org>
Authored: Wed Jul 22 21:06:03 2015 +0200
Committer: Thomas Andraschko <ta...@apache.org>
Committed: Wed Jul 22 21:06:03 2015 +0200

----------------------------------------------------------------------
 .../deltaspike/jsf/impl/util/JsfUtils.java      | 31 ++++++++++++++++++--
 1 file changed, 28 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/deltaspike/blob/0b8924f7/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/JsfUtils.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/JsfUtils.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/JsfUtils.java
index 248b766..9b6a0d7 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/JsfUtils.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/util/JsfUtils.java
@@ -117,7 +117,16 @@ public abstract class JsfUtils
                     {
                         finalUrl.append("&");
                     }
-                    finalUrl.append(key);
+                    
+                    if (encodeValues)
+                    {
+                        finalUrl.append(JsfUtils.encodeURLParameterValue(key, externalContext));
+                    }
+                    else
+                    {
+                        finalUrl.append(key);
+                    }
+
                     finalUrl.append("=");
 
                     if (encodeValues)
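Review bot: The escaping of the parameter name is gated on `encodeValues` (the new `if (encodeValues)` guard just before `finalUrl.append("=")`, and likewise in the second and third hunks), so any caller that passes `encodeValues == false` still gets the raw key appended to the URL, which is the unescaped-key path the commit title describes. If the flag is meant to govern only value encoding, the name should be encoded unconditionally, e.g. `finalUrl.append(JsfUtils.encodeURLParameterValue(key, externalContext));` in place of the new if/else; if leaving raw names for some callers is intentional, that contract belongs in the method's Javadoc, along the lines of `@param encodeValues when false the caller is responsible for supplying already URL-safe names and values`. The enclosing method, the declaration of `encodeValues` and `encodeURLParameterValue` itself all lie outside the hunk, so the flag's intended scope is inferred from its name only. The first added line of the hunk is whitespace-only with trailing spaces; an empty line would be cleaner.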
@@ -166,7 +175,15 @@ public abstract class JsfUtils
             finalUrl.append("?");
         }
 
-        finalUrl.append(name);
+        if (encodeValues)
+        {
+            finalUrl.append(JsfUtils.encodeURLParameterValue(name, externalContext));
+        }
+        else
+        {
+            finalUrl.append(name);
+        }
+
         finalUrl.append("=");
 
         if (encodeValues)
@@ -216,7 +233,15 @@ public abstract class JsfUtils
                         finalUrl.append("&");
                     }
 
-                    finalUrl.append(entry.getKey());
+                    if (encodeValues)
+                    {
+                        finalUrl.append(JsfUtils.encodeURLParameterValue(entry.getKey(), externalContext));
+                    }
+                    else
+                    {
+                        finalUrl.append(entry.getKey());
+                    }
+
                     finalUrl.append("=");
 
                     if (encodeValues)