Uploaded image for project: 'MyFaces Core'
  1. MyFaces Core
  2. MYFACES-3405

includeViewParameters re-evaluates param/model values as EL expressions

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.3
    • Fix Version/s: 2.0.11, 2.1.5
    • Component/s: None
    • Labels:
      None
    • Environment:
      MyFaces 2.1.3

      Description

      I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:

      http://java.net/jira/browse/JAVASERVERFACES-2247

      I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.

        Attachments

        1. MYFACES-3405-1.patch
          16 kB
          Leonardo Uribe

          Activity

            People

            • Assignee:
              lu4242 Leonardo Uribe
              Reporter:
              fkaempfer Frederick Kämpfer
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: