beehive-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryl Olander (JIRA)" <...@beehive.apache.org>
Subject [jira] Updated: (BEEHIVE-1069) Exposed Properties on PageFlowController can be set by hidden fields in a form
Date Fri, 17 Feb 2006 18:27:26 GMT
     [ http://issues.apache.org/jira/browse/BEEHIVE-1069?page=all ]

Daryl Olander updated BEEHIVE-1069:
-----------------------------------

    Attachment: servletUpdate.zip

Add  a page flow that demonstrates the error

> Exposed Properties on PageFlowController can be set by  hidden fields in a form
> -------------------------------------------------------------------------------
>
>          Key: BEEHIVE-1069
>          URL: http://issues.apache.org/jira/browse/BEEHIVE-1069
>      Project: Beehive
>         Type: Bug
>   Components: NetUI
>     Versions: 1.0.1
>     Reporter: Daryl Olander
>     Assignee: Carlin Rogers
>     Priority: Blocker
>      Fix For: 1.0.1
>  Attachments: servletUpdate.zip
>
> I have the following form that change the forward path to /bar.jsp
>   <netui:form action="submit">
>     <netui:hidden dataSource="pageFlow.currentPageInfo.forward.path " dataInput="/bar.jsp"/>
>     <netui:button value="submit" />
>   </netui:form>
> I also have the following action in my page flow.
>     @Jpf.Action(
>         forwards={
>            @Jpf.Forward(name="index", navigateTo = Jpf.NavigateTo.currentPage)
>         }
>     )
>     protected Forward submit(Form form)
>     {
>         return new Forward("index");
>     }
> If the current page is index.jsp, this should navigate back to that, when the form is
submitted it will navigate to bar.jsp.  In my mind this is actually a security hole.  I can
dynamically change the navigation externally in this situation.  I haven't played around with
the other exposed properties (currentPageInfo, previousPageInfo, previousActionInfo) all expose
the same JavaBean that is not immutable.
> I'm going to open a Jiri bug on this.  I think this is critical and needs to be fixed
now.  My suggestion is that we rename these methods on the PageFlowController so they aren't
picked up as JavaBean properties.
> I suggest we do this to:
> currentPageInfo
> previousPageInfo
> previousActionInfo
> modeulConfig
> actions
> We need to spin a new release on this.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira


Mime
View raw message