cxf-issues mailing list archives

From "Ben Noordhuis (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-3390) Field value from previous request is recycled when field is absent in new request
Date Thu, 10 Mar 2011 14:29:59 GMT

    [ https://issues.apache.org/jira/browse/CXF-3390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13005076#comment-13005076 ]

Ben Noordhuis commented on CXF-3390:
------------------------------------

Thanks for the quick reply, Sergey.

I wouldn't expect this to work properly with true singletons but this issue also manifests
itself when the resource is thread-local scoped (through a Spring AOP proxy, couldn't get
CXF to wire up request-scoped beans). The resource is thread-safe, CXF can inject to its heart's
desire.

> Injecting request parameters (as opposed to contexts) is thread-unsafe.

Agreed. Is there a reason why the runtime allows this? Shouldn't it complain loudly?

> Field value from previous request is recycled when field is absent in new request
> ---------------------------------------------------------------------------------
>
>                 Key: CXF-3390
>                 URL: https://issues.apache.org/jira/browse/CXF-3390
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.4
>            Reporter: Ben Noordhuis
>            Priority: Critical
>
> This was tested against 2.3.1 and HEAD.
> Consider this class:
> {code}
> import javax.ws.rs.GET;
> import javax.ws.rs.Path;
> import javax.ws.rs.QueryParam;
>
> @Path("/test")
> public class Test {
>   // Field injection: the parameter value is written into the resource instance itself.
>   @QueryParam("q") private String q;
>
>   @GET
>   public void test() {
>     System.err.println(q);
>   }
> }
> {code}
> Now consider this test case:
> {noformat}
> $ curl http://localhost:8080/test       # prints "null"
> $ curl http://localhost:8080/test?q=foo # prints "foo"
> $ curl http://localhost:8080/test       # prints "foo" !
> {noformat}
> This is a serious bug because it leaks information. It's not specific to @QueryParam,
> the other annotations have the same problem.
> I discovered it in a resource that is used for authentication: after logging in once,
> I could log in again without providing a username and password!

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
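An added example, not part of the report or of the CXF code base, contrasting the field injection shown above with two forms that are bound per request: @QueryParam on method parameters, and @Context injection, which JAX-RS delivers through a per-request proxy even on a singleton. The resource class, its paths and the authenticate helper are assumed for illustration.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;

// Hypothetical resource for illustration; not the CXF project's code.
@Path("/auth")
public class AuthResource {

    // Problem pattern from the report: a request parameter written into a
    // field of an instance that outlives the request. If the injector leaves
    // the field alone when "q" is absent, the next caller sees the previous value.
    //
    //   @QueryParam("q") private String q;   // do not do this on a shared instance
    //
    // Contexts are different: JAX-RS injects them through a per-request
    // (thread-local) proxy, so this field is safe even on a singleton.
    @Context
    private UriInfo uriInfo;

    // Method parameters are bound on every invocation: an absent "user" or
    // "pass" is null for this request, whatever the resource lifecycle.
    @GET
    @Path("login")
    public Response login(@QueryParam("user") String user,
                          @QueryParam("pass") String pass) {
        // Fail closed: missing credentials never fall through to stale state.
        if (user == null || pass == null || !authenticate(user, pass)) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok("welcome " + user).build();
    }

    // The same value read through the context proxy instead of a field.
    @GET
    @Path("echo")
    public String echo() {
        String q = uriInfo.getQueryParameters().getFirst("q");
        return String.valueOf(q); // "null" when the parameter is absent
    }

    // Placeholder credential check (assumed); wire this to the real store.
    private boolean authenticate(String user, String pass) {
        return false; // deny everything until a real check is in place
    }
}
```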
