CXF-3390: Field value from previous request is recycled when field is absent in new request


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4
    • Component/s: JAX-RS
    • Labels:
      None

      Description

      This was tested against 2.3.1 and HEAD.

      Consider this class:

      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.QueryParam;

      @Path("/test")
      public class Test {
        // Injected per request; the resource instance itself is reused across requests
        @QueryParam("q") private String q;

        @GET
        public void test() {
          System.err.println(q);
        }
      }
      

      Now consider this test case:

      $ curl http://localhost:8080/test       # prints "null"
      $ curl http://localhost:8080/test?q=foo # prints "foo"
      $ curl http://localhost:8080/test       # prints "foo" !
      

      This is a serious bug because it leaks information. It's not specific to @QueryParam; the other annotations have the same problem.

      I discovered it in a resource that is used for authentication: after logging in once, I could log in again without providing a username and password!
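A reduced model of the defect described above and of the behaviour a fix needs, added here as an illustration; it is not code from the report or from CXF. The reflection-based injectors, the `QueryParam` stand-in annotation and the `Resource` class are assumptions for the demo, so it runs without a CXF runtime.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Field;
import java.util.Collections;
import java.util.Map;

public class StaleFieldDemo {
    /** Stand-in for javax.ws.rs.QueryParam so the demo has no CXF dependency (assumed). */
    @Retention(RetentionPolicy.RUNTIME)
    @interface QueryParam { String value(); }
    /** Singleton resource: the same instance serves every request, as in the report. */
    static class Resource {
        @QueryParam("q") String q;
    }
    /** Models the defect: a field is written only when the request carries its parameter. */
    static void injectOnlyWhenPresent(Object target, Map<String, String> query) throws IllegalAccessException {
        for (Field f : target.getClass().getDeclaredFields()) {
            QueryParam p = f.getAnnotation(QueryParam.class);
            if (p != null && query.containsKey(p.value())) {
                f.setAccessible(true);
                f.set(target, query.get(p.value()));
            }
        }
    }
    /** Corrected behaviour: every annotated field is rewritten on every request, null when absent. */
    static void injectAlways(Object target, Map<String, String> query) throws IllegalAccessException {
        for (Field f : target.getClass().getDeclaredFields()) {
            QueryParam p = f.getAnnotation(QueryParam.class);
            if (p != null) {
                f.setAccessible(true);
                f.set(target, query.get(p.value())); // absent parameter -> null, clearing the old value
            }
        }
    }
    public static void main(String[] args) throws IllegalAccessException {
        // Constructed request sequence mirroring the three curl calls in the report
        Map<String, String> noParam = Collections.emptyMap();
        Map<String, String> withFoo = Collections.singletonMap("q", "foo");
        Resource buggy = new Resource();
        injectOnlyWhenPresent(buggy, noParam);
        injectOnlyWhenPresent(buggy, withFoo);
        injectOnlyWhenPresent(buggy, noParam); // nothing overwrites q, so the previous request's value survives
        System.out.println("buggy injector, third request: q=" + buggy.q);
        Resource fixed = new Resource();
        injectAlways(fixed, noParam);
        injectAlways(fixed, withFoo);
        injectAlways(fixed, noParam); // q is reset because the field is written on every request
        System.out.println("fixed injector, third request: q=" + fixed.q);
    }
}
```

The same three-request sequence makes a useful regression test for any singleton resource with injected fields: the third request must not observe the second request's value.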

            People

            • Assignee: Sergey Beryozkin (sergey_beryozkin)
            • Reporter: Ben Noordhuis (bnoordhuis)