[CXF-3390] Field value from previous request is recycled when field is absent in new request - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 2.4
Fix Version/s: 2.4
Component/s: JAX-RS
Labels:
None

Description

This was tested against 2.3.1 and HEAD.

Consider this class:

@Path("/test")
public class Test {
  @QueryParam("q") private String q;

  @GET
  public void test() {
    System.err.println(q);
  }
}

Now consider this test case:

$ curl http://localhost:8080/test       # prints "null"
$ curl http://localhost:8080/test?q=foo # prints "foo"
$ curl http://localhost:8080/test       # prints "foo" !

This is a serious bug because it leaks information. It's not specific to @QueryParam, the other annotations have the same problem.

I discovered it in a resource that is used for authentication: after logging in once, I could log in again without providing a username and password!

Attachments

Activity

People

Assignee:: Sergey Beryozkin

Reporter:: Ben Noordhuis

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 10/Mar/11 00:01

Updated:: 18/Apr/11 12:50

Resolved:: 10/Mar/11 17:40