MyFaces Core / MYFACES-3405

includeViewParameters re-evaluates param/model values as EL expressions


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.1.3
    • Fix Version/s: 2.0.11, 2.1.5
    • Component/s: None
    • Labels: None
    • Environment: MyFaces 2.1.3

      Description

      I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:

      http://java.net/jira/browse/JAVASERVERFACES-2247

      I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.

            People

            • Assignee: Leonardo Uribe (lu4242)
            • Reporter: Frederick Kämpfer (fkaempfer)
