beehive-dev mailing list archives

From "Daryl Olander (JIRA)" <...@beehive.apache.org>
Subject [jira] Created: (BEEHIVE-1069) Exposed Properties on PageFlowController can be set by hidden fields in a form
Date Fri, 17 Feb 2006 18:15:25 GMT
Exposed Properties on PageFlowController can be set by hidden fields in a form
-------------------------------------------------------------------------------

         Key: BEEHIVE-1069
         URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
     Project: Beehive
        Type: Bug
  Components: NetUI  
    Versions: 1.0.1    
    Reporter: Daryl Olander
 Assigned to: Carlin Rogers 
    Priority: Blocker
     Fix For: 1.0.1


I have the following form that changes the forward path to /bar.jsp

  <netui:form action="submit">
    <netui:hidden dataSource="pageFlow.currentPageInfo.forward.path" dataInput="/bar.jsp"/>
    <netui:button value="submit" />
  </netui:form>

I also have the following action in my page flow.

    @Jpf.Action(
        forwards={
           @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
        }
    )
    protected Forward submit(Form form)
    {
        return new Forward("index");
    }

If the current page is index.jsp, this should navigate back to that, but when the form is submitted
it will navigate to bar.jsp.  In my mind this is actually a security hole.  I can dynamically
change the navigation externally in this situation.  I haven't played around with the other
exposed properties (currentPageInfo, previousPageInfo, previousActionInfo), but they all expose the
same JavaBean, which is not immutable.

I'm going to open a JIRA bug on this.  I think this is critical and needs to be fixed now.
My suggestion is that we rename these methods on the PageFlowController so they aren't picked
up as JavaBean properties.

I suggest we do this to:

currentPageInfo
previousPageInfo
previousActionInfo
moduleConfig
actions

We need to spin a new release on this.

-- 
This message is automatically generated by JIRA.
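A constructed illustration of the mechanism behind this report (added here; it is not Beehive/NetUI code): a naive update resolver that walks a `currentPageInfo.forward.path` expression through JavaBean getters and calls the leaf setter, exactly as a hidden field's dataSource would, next to a variant that refuses any write whose root property is not on an allow-list of bindable properties. The class names, the allow-list, and the `applyUpdate` helpers are hypothetical stand-ins, and the `pageFlow.` prefix is assumed to have already been resolved to the controller instance.

```java
import java.beans.Introspector;
import java.beans.PropertyDescriptor;
import java.lang.reflect.Method;
import java.util.Set;

public class BindingUpdateDemo {
    // Hypothetical stand-ins for the page flow's exposed info beans (not the real NetUI classes).
    public static class ForwardInfo {
        private String path = "/index.jsp";
        public String getPath() { return path; }
        public void setPath(String p) { path = p; }        // mutable leaf reachable via data binding
    }
    public static class PageInfo {
        private final ForwardInfo forward = new ForwardInfo();
        public ForwardInfo getForward() { return forward; }
    }
    public static class MyPageFlow {
        private final PageInfo current = new PageInfo();
        // A getX() method is a JavaBean property, so the binding resolver can reach it.
        // Renaming it (e.g. currentPageInfo()) would remove it from Introspector's property list.
        public PageInfo getCurrentPageInfo() { return current; }
    }

    // Root properties a form is allowed to write through; "currentPageInfo" is deliberately absent.
    static final Set<String> WRITABLE_ROOTS = Set.of("form");

    /** Walks "a.b.c" through bean getters and invokes the leaf setter, like a naive update resolver. */
    static void applyUpdate(Object root, String expr, String value) throws Exception {
        String[] parts = expr.split("\\.");
        Object target = root;
        for (int i = 0; i < parts.length - 1; i++) {
            target = property(target, parts[i]).getReadMethod().invoke(target);
        }
        Method setter = property(target, parts[parts.length - 1]).getWriteMethod();
        setter.invoke(target, value);
    }

    /** Hardened variant: rejects the update unless its root property is on the allow-list. */
    static void applyUpdateChecked(Object root, String expr, String value) throws Exception {
        int dot = expr.indexOf('.');
        String first = dot < 0 ? expr : expr.substring(0, dot);
        if (!WRITABLE_ROOTS.contains(first)) {
            throw new IllegalArgumentException("refusing to write non-bindable property: " + expr);
        }
        applyUpdate(root, expr, value);
    }

    static PropertyDescriptor property(Object bean, String name) throws Exception {
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean.getClass()).getPropertyDescriptors()) {
            if (pd.getName().equals(name)) return pd;
        }
        throw new NoSuchFieldException(name);
    }

    public static void main(String[] args) throws Exception {
        MyPageFlow flow = new MyPageFlow();
        applyUpdate(flow, "currentPageInfo.forward.path", "/bar.jsp");   // naive resolver: path is overwritten
        System.out.println("after naive update: " + flow.getCurrentPageInfo().getForward().getPath());
        try {
            applyUpdateChecked(new MyPageFlow(), "currentPageInfo.forward.path", "/bar.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened resolver: " + e.getMessage());
        }
    }
}
```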

