MyFaces Core / MYFACES-3405

includeViewParameters re-evaluates param/model values as EL expressions

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.3
    • Fix Version/s: 2.0.11, 2.1.5
    • Component/s: None
    • Labels: None
    • Environment: MyFaces 2.1.3

    Description

      I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:

      http://java.net/jira/browse/JAVASERVERFACES-2247

      I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.

      Attachments

        1. MYFACES-3405-1.patch
          16 kB
          Leonardo Uribe

          People

            Assignee: Leonardo Uribe (lu4242)
            Reporter: Frederick Kämpfer (fkaempfer)
