[MYFACES-3405] includeViewParameters re-evaluates param/model values as EL expressions - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.1.3
Fix Version/s: 2.0.11, 2.1.5
Component/s: None
Labels:
None
Environment:
MyFaces 2.1.3

Description

I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:

http://java.net/jira/browse/JAVASERVERFACES-2247

I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

MYFACES-3405-1.patch
22/Nov/11 21:52
16 kB
Leonardo Uribe

Activity

People

Assignee:: Leonardo Uribe

Reporter:: Frederick Kämpfer

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 22/Nov/11 11:31

Updated:: 23/Nov/11 02:21

Resolved:: 22/Nov/11 22:41