cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sergey Beryozkin (JIRA)" <j...@apache.org>
Subject [jira] Commented: (CXF-3390) Field value from previous request is recycled when field is absent in new request
Date Thu, 10 Mar 2011 17:29:59 GMT

    [ https://issues.apache.org/jira/browse/CXF-3390?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13005186#comment-13005186
] 

Sergey Beryozkin commented on CXF-3390:
---------------------------------------

for the injection in CGLIB proxies to work well you might to try injecting via methods, you
may want to try introducing a dedicated interface with those setters and the injection should
work. Otherwise with Spring mixing all sort of proxies, the field injection probably won't
work 

> Field value from previous request is recycled when field is absent in new request
> ---------------------------------------------------------------------------------
>
>                 Key: CXF-3390
>                 URL: https://issues.apache.org/jira/browse/CXF-3390
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS
>    Affects Versions: 2.4
>            Reporter: Ben Noordhuis
>            Priority: Critical
>
> This was tested against 2.3.1 and HEAD.
> Consider this class:
> {code}
> @Path("/test")
> public class Test {
>   @QueryParam("q") private String q;
>   @GET
>   public void test() {
>     System.err.println(q);
>   }
> }
> {code}
> Now consider this test case:
> {noformat}
> $ curl http://localhost:8080/test       # prints "null"
> $ curl http://localhost:8080/test?q=foo # prints "foo"
> $ curl http://localhost:8080/test       # prints "foo" !
> {noformat}
> This is a serious bug because it leaks information. It's not specific to @QueryParam,
the other annotations have the same problem.
> I discovered it in a resource that is used for authentication: after logging in once,
I could log in again without providing a username and password!

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message