
Key: BEEHIVE-1069
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Blocker
Assignee: Julie Zhuo
Reporter: Daryl Olander
Votes: 0
Watchers: 0
Beehive

Exposed Properties on PageFlowController can be set by hidden fields in a form

Created: 18/Feb/06 03:14 AM   Updated: 04/Apr/06 03:28 AM
Component/s: NetUI
Affects Version/s: 1.0.1
Fix Version/s: 1.0.2

Time Tracking:
Not Specified

File Attachments:
  servletUpdate.zip (1 kB), attached 2006-02-18 03:26 AM by Daryl Olander; licensed for inclusion in ASF works

Resolution Date: 22/Feb/06 09:02 AM


Description
I have the following form that changes the forward path to /bar.jsp:

  <netui:form action="submit">
    <netui:hidden dataSource="pageFlow.currentPageInfo.forward.path " dataInput="/bar.jsp"/>
    <netui:button value="submit" />
  </netui:form>

I also have the following action in my page flow.

    @Jpf.Action(
        forwards={
           @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
        }
    )
    protected Forward submit(Form form)
    {
        return new Forward("index");
    }

If the current page is index.jsp, this should navigate back to that; when the form is submitted, it will navigate to bar.jsp. In my mind this is actually a security hole. I can dynamically change the navigation externally in this situation. I haven't played around with the other exposed properties; currentPageInfo, previousPageInfo and previousActionInfo all expose the same JavaBean, which is not immutable.

I'm going to open a Jira bug on this. I think this is critical and needs to be fixed now. My suggestion is that we rename these methods on the PageFlowController so they aren't picked up as JavaBean properties.

I suggest we do this to:

currentPageInfo
previousPageInfo
previousActionInfo
moduleConfig
actions

We need to spin a new release on this.
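
The binding problem described in this report and the suggested rename, as an added example that is not part of the original report or of the Beehive code. The classes and the binder are hypothetical, and the binder uses `java.beans.Introspector` as a simplified stand-in for NetUI's data binding. With the `getCurrentPageInfo()` accessor the form field name resolves and the forward path is overwritten; with the renamed accessor the first segment is not a bean property and nothing is written.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
// Hypothetical stand-ins for PageFlowController and the mutable beans it exposes.
public class BindingDemo {
    public static class Forward {
        private String path = "/index.jsp";
        public String getPath() { return path; }
        public void setPath(String p) { path = p; }
    }
    public static class PageInfo {
        private final Forward forward = new Forward();
        public Forward getForward() { return forward; }
    }
    // Before: getCurrentPageInfo() matches the getX() pattern, so it is a bean property.
    public static class ExposedController {
        private final PageInfo info = new PageInfo();
        public PageInfo getCurrentPageInfo() { return info; }
    }
    // After: same data, but the name no longer matches the JavaBean pattern.
    public static class RenamedController {
        private final PageInfo info = new PageInfo();
        public PageInfo theCurrentPageInfo() { return info; }
    }
    static PropertyDescriptor find(Object bean, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors())
            if (pd.getName().equals(name)) return pd;
        return null;
    }
    // Simplified binder: follow getters along the dotted name, call the setter on the last segment.
    static boolean bind(Object root, String name, String value) throws Exception {
        String[] parts = name.split("\\.");
        Object target = root;
        for (int i = 0; i < parts.length; i++) {
            boolean last = (i == parts.length - 1);
            PropertyDescriptor pd = find(target, parts[i]);
            Method m = (pd == null) ? null : (last ? pd.getWriteMethod() : pd.getReadMethod());
            if (m == null) return false; // segment is not a bean property: nothing is written
            if (last) m.invoke(target, value); else target = m.invoke(target);
        }
        return true;
    }
    public static void main(String[] args) throws Exception {
        String field = "currentPageInfo.forward.path"; // constructed form field name
        ExposedController before = new ExposedController();
        RenamedController after = new RenamedController();
        System.out.println(bind(before, field, "/bar.jsp") + " " + before.getCurrentPageInfo().getForward().getPath());
        System.out.println(bind(after, field, "/bar.jsp") + " " + after.theCurrentPageInfo().getForward().getPath());
    }
}
```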

Daryl Olander added a comment - 18/Feb/06 03:26 AM
Add a page flow that demonstrates the error

Daryl Olander made changes - 18/Feb/06 03:26 AM
Field Original Value New Value
Attachment servletUpdate.zip [ 12323126 ]
Carlin Rogers added a comment - 22/Feb/06 09:02 AM
Daryl fixed this with svn revision 378742. http://svn.apache.org/viewcvs?rev=378742&view=rev

For more implementation details, see the log of his commit.

Carlin Rogers made changes - 22/Feb/06 09:02 AM
Assignee Carlin Rogers [ crogers ] Alejandro Ramirez [ alramire ]
Fix Version/s v.next [ 12310718 ]
Fix Version/s 1.0.1 [ 12310717 ]
Resolution Fixed [ 1 ]
Status Open [ 1 ] Resolved [ 5 ]
Alejandro Ramirez made changes - 04/Apr/06 03:28 AM
Assignee Alejandro Ramirez [ alramire ] Julie Zhuo [ jzhuo ]