cxf-issues mailing list archives

From "Ben Noordhuis (JIRA)" <j...@apache.org>
Subject [jira] Created: (CXF-3390) Field value from previous request is recycled when field is absent in new request
Date Thu, 10 Mar 2011 00:02:59 GMT
Field value from previous request is recycled when field is absent in new request
---------------------------------------------------------------------------------

                 Key: CXF-3390
                 URL: https://issues.apache.org/jira/browse/CXF-3390
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS
    Affects Versions: 2.4
            Reporter: Ben Noordhuis
            Priority: Critical


This was tested against 2.3.1 and HEAD.

Consider this class:
{code}
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;

@Path("/test")
public class Test {
  // Field injection: the runtime writes the "q" query parameter into this field
  @QueryParam("q") private String q;

  @GET
  public void test() {
    System.err.println(q);
  }
}
{code}
Now consider this test case:
{noformat}
$ curl http://localhost:8080/test       # prints "null"
$ curl http://localhost:8080/test?q=foo # prints "foo"
$ curl http://localhost:8080/test       # prints "foo" !
{noformat}
This is a serious bug because it leaks information. It's not specific to @QueryParam; the
other annotations have the same problem.

I discovered it in a resource that is used for authentication: after logging in once, I could
log in again without providing a username and password!

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
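A small model of the two injection strategies behind the behaviour in this report, added here as an example and not CXF's code: one shared resource instance serves all requests, and the difference is whether an absent parameter leaves the field untouched or resets it. The class and field names mirror the report; the injector functions and `INJECTED_FIELDS` are constructed for the illustration.

```python
"""Model of JAX-RS field injection into a singleton resource (constructed example)."""
from typing import Callable, Dict, List, Optional


class TestResource:
    """Stands in for the @Path("/test") class: a single instance handles every
    request, and `q` plays the role of the @QueryParam("q") field."""

    INJECTED_FIELDS = ("q",)  # constructed: names of fields that carry @QueryParam

    def __init__(self) -> None:
        self.q: Optional[str] = None


def inject_only_present(resource: TestResource, query: Dict[str, str]) -> None:
    """Defective strategy: a field is written only when its parameter is in the
    request, so an absent parameter leaves the previous request's value in place."""
    for name in resource.INJECTED_FIELDS:
        if name in query:
            setattr(resource, name, query[name])


def inject_reset_absent(resource: TestResource, query: Dict[str, str]) -> None:
    """Corrected strategy: every injected field is reassigned on every request,
    so an absent parameter yields None rather than a stale value."""
    for name in resource.INJECTED_FIELDS:
        setattr(resource, name, query.get(name))


def run_sequence(injector: Callable[[TestResource, Dict[str, str]], None]) -> List[Optional[str]]:
    """Replay the three curl requests from the report against one shared instance
    and return what test() would print after each one."""
    resource = TestResource()
    requests: List[Dict[str, str]] = [{}, {"q": "foo"}, {}]
    seen: List[Optional[str]] = []
    for query in requests:
        injector(resource, query)
        seen.append(resource.q)
    return seen


if __name__ == "__main__":
    print("present-only:", run_sequence(inject_only_present))  # [None, 'foo', 'foo']
    print("reset-absent:", run_sequence(inject_reset_absent))  # [None, 'foo', None]
```

The third value of the first sequence is the recycled "foo" from the report; the same replay doubles as a regression check once the real resource is swapped in behind the injector.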
