Posted to dev@myfaces.apache.org by "Kennard Consulting (JIRA)" <de...@myfaces.apache.org> on 2009/02/11 02:39:59 UTC

[jira] Created: (TOMAHAWK-1391) Inserting into HTML output is potential security problem

Inserting <!-- MYFACES JAVASCRIPT --> into HTML output is potential security problem
------------------------------------------------------------------------------------

                 Key: TOMAHAWK-1391
                 URL: https://issues.apache.org/jira/browse/TOMAHAWK-1391
             Project: MyFaces Tomahawk
          Issue Type: Improvement
          Components: ExtensionsFilter
    Affects Versions: 1.1.8
            Reporter: Kennard Consulting
            Priority: Minor


A recommended practice for security 'hardening' a Web site is to divulge as little architectural information as possible. For example, we suppress the X-Server HTTP header so you don't know what server we are using. We map '*.jsf' to something else so you can't tell we're using JSF.

However, one giveaway is that in org.apache.myfaces.renderkit.html.util.ExtensionsPhaseListener.java, method getCodeBeforeBodyEnd(), around line 111, there is the line:

   return "<!-- MYFACES JAVASCRIPT -->\n"+writerWrapper.toString()+"\n";

This always outputs 'MYFACES' into the HTML whenever the ExtensionsPhaseListener is used (even if there is no actual JavaScript being output). I would like to see this line change to simply...

   return writerWrapper.toString();

Which would not give away we are using JSF.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
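As an added example (not part of the JIRA thread or the Tomahawk code), here is a small regression check a site operator could run over rendered pages to catch the fingerprints the report lists: the MYFACES marker comment, '.jsf' URLs, and a server-identifying header. The sample responses are constructed, and the header name checked ("Server") is an assumption.

```python
import re
from html.parser import HTMLParser

# Constructed sample responses (not captured from a real deployment).
# "Leaky" is what Tomahawk 1.1.8 would emit; "hardened" is after the fix plus URL remapping.
LEAKY_HEADERS = {"Content-Type": "text/html", "Server": "Example-Container/1.0"}
LEAKY_HTML = """<html><body>
<form action="/app/home.jsf" method="post"><input type="text" name="q"/></form>
<!-- MYFACES JAVASCRIPT -->

</body></html>"""

HARDENED_HEADERS = {"Content-Type": "text/html"}
HARDENED_HTML = """<html><body>
<form action="/app/home" method="post"><input type="text" name="q"/></form>

</body></html>"""


class _Scanner(HTMLParser):
    """Collect HTML comments and URL-bearing attributes from a response body."""

    def __init__(self):
        super().__init__()
        self.comments = []
        self.urls = []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def framework_fingerprints(headers, html):
    """Return findings that reveal the server stack; an empty list means clean."""
    findings = []
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if "server" in lowered:  # assumption: the identifying header is 'Server'
        findings.append(f"Server header present: {lowered['server']}")
    scanner = _Scanner()
    scanner.feed(html)
    for c in scanner.comments:
        if "MYFACES" in c.upper():  # the marker emitted by getCodeBeforeBodyEnd() in 1.1.8
            findings.append(f"Framework marker comment: <!-- {c} -->")
    for u in scanner.urls:
        if re.search(r"\.jsf(\?|#|$)", u):  # '*.jsf' mapping not remapped
            findings.append(f"JSF extension in URL: {u}")
    return findings
```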


[jira] Resolved: (TOMAHAWK-1391) Inserting into HTML output is potential security problem

Posted by "Leonardo Uribe (JIRA)" <de...@myfaces.apache.org>.
     [ https://issues.apache.org/jira/browse/TOMAHAWK-1391?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leonardo Uribe resolved TOMAHAWK-1391.
--------------------------------------

       Resolution: Fixed
    Fix Version/s: 1.1.9-SNAPSHOT
         Assignee: Leonardo Uribe

Omitting this string from the response does no harm, so I just removed it as suggested.



[jira] Commented: (TOMAHAWK-1391) Inserting into HTML output is potential security problem

Posted by "Kennard Consulting (JIRA)" <de...@myfaces.apache.org>.
    [ https://issues.apache.org/jira/browse/TOMAHAWK-1391?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713420#action_12713420 ] 

Kennard Consulting commented on TOMAHAWK-1391:
----------------------------------------------

Awesome. Thanks Leonardo. I look forward to the next release!

