[BEEHIVE-1069] Exposed Properties on PageFlowController can be set by hidden fields in a form - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 1.0.1
Fix Version/s: 1.0.2
Component/s: NetUI
Labels:
None

Description

I have the following form that change the forward path to /bar.jsp

<netui:form action="submit">
<netui:hidden dataSource="pageFlow.currentPageInfo.forward.path " dataInput="/bar.jsp"/>
<netui:button value="submit" />
</netui:form>

I also have the following action in my page flow.

@Jpf.Action(
forwards=

{ @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage) }

)
protected Forward submit(Form form)

{ return new Forward("index"); }

If the current page is index.jsp, this should navigate back to that, when the form is submitted it will navigate to bar.jsp. In my mind this is actually a security hole. I can dynamically change the navigation externally in this situation. I haven't played around with the other exposed properties (currentPageInfo, previousPageInfo, previousActionInfo) all expose the same JavaBean that is not immutable.

I'm going to open a Jiri bug on this. I think this is critical and needs to be fixed now. My suggestion is that we rename these methods on the PageFlowController so they aren't picked up as JavaBean properties.

I suggest we do this to:

currentPageInfo
previousPageInfo
previousActionInfo
modeulConfig
actions

We need to spin a new release on this.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

servletUpdate.zip
18/Feb/06 03:26
1 kB
Daryl Olander

Activity

People

Assignee:: Julie Zhuo

Reporter:: Daryl Olander

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 18/Feb/06 03:14

Updated:: 04/Apr/06 03:28

Resolved:: 22/Feb/06 09:02