
From gpetra...@apache.org
Subject git commit: DELTASPIKE-752 additional check to avoid issues with custom client-window implementation
Date Sat, 25 Oct 2014 19:44:31 GMT
Repository: deltaspike
Updated Branches:
  refs/heads/master 167b7bcf2 -> 5ce25042d


DELTASPIKE-752 additional check to avoid issues with custom client-window implementation


Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo
Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/5ce25042
Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/5ce25042
Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/5ce25042

Branch: refs/heads/master
Commit: 5ce25042de5cfa3089b60df66ff08390deb2b785
Parents: 167b7bc
Author: gpetracek <gpetracek@apache.org>
Authored: Sat Oct 25 21:43:32 2014 +0200
Committer: gpetracek <gpetracek@apache.org>
Committed: Sat Oct 25 21:43:32 2014 +0200

----------------------------------------------------------------------
 .../jsf/impl/component/window/WindowIdHtmlRenderer.java   | 10 ++++++++++
 .../jsf/impl/scope/window/DefaultClientWindow.java        |  6 +++---
 2 files changed, 13 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/deltaspike/blob/5ce25042/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
index cab4d26..e995ff8 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
@@ -30,6 +30,7 @@ import javax.servlet.http.Cookie;
 
 import org.apache.deltaspike.core.api.provider.BeanProvider;
 import org.apache.deltaspike.core.spi.scope.window.WindowContext;
+import org.apache.deltaspike.jsf.impl.scope.window.DefaultClientWindow;
 import org.apache.deltaspike.jsf.impl.util.ClientWindowHelper;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindowConfig;
 
@@ -56,6 +57,15 @@ public class WindowIdHtmlRenderer extends Renderer
         super.encodeBegin(context, component);
 
         String windowId = getWindowContext().getCurrentWindowId();
+
+        //already ensured by DefaultClientWindow
+        //just to ensure that we don't get a security issue in case of a customized client-window
implementation
+        //will never happen usually -> no real overhead
+        if (windowId != null && windowId.length() > DefaultClientWindow.SECURE_ID_LENGTH)
+        {
+            windowId = windowId.substring(0, DefaultClientWindow.SECURE_ID_LENGTH);
+        }
+
         String mode = getClientWindowConfig().getClientWindowRenderMode(context).name();
 
         ResponseWriter writer = context.getResponseWriter();
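Review bot: The cap added at lines 61–64 bounds the length of what a custom ClientWindow hands to this renderer but not its content, so a value shorter than SECURE_ID_LENGTH that contains quotes, angle brackets or a script fragment passes the check unchanged. Whether that matters depends on how the value is written to the response further down in encodeBegin, which continues past this hunk; if it goes through writer.write() rather than writeText()/writeAttribute(), the length limit alone is not a sufficient guard. Since DefaultClientWindow documents the id as an integer, a character-class check would make the stated intent explicit, e.g. `if (windowId != null && !windowId.matches("[0-9]+"))` followed by whatever the renderer should do with an unexpected id (drop it, or fall back to the default), or, if non-numeric custom ids must be tolerated, a comment stating that the encoding writer methods are what actually protects the output. The comment on lines 57–60 should then say which of the two the truncation is relied on for, rather than "a security issue" in general.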

http://git-wip-us.apache.org/repos/asf/deltaspike/blob/5ce25042/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
index 9d0bc8c..2767b69 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
@@ -69,6 +69,9 @@ public class DefaultClientWindow implements ClientWindow
      */
     public static final String DELTASPIKE_WINDOW_ID_URL_PARAM = "dswid";
 
+    /*enough for the integer generated by #generateNewWindowId - see DELTASPIKE-752 */
+    public static final int SECURE_ID_LENGTH = 10;
+
     private static final String PER_USE_CLIENT_WINDOW_URL_QUERY_PARAMETER_DISABLED_KEY =
             ClientWindow.class.getName() + ".ClientWindowRenderModeEnablement";
 
@@ -96,9 +99,6 @@ public class DefaultClientWindow implements ClientWindow
     private static final String CACHE_QUERY_URL_PARAMETERS =
             "CACHE:" + DefaultClientWindow.class + "#getQueryURLParameters";
 
-    /*enough for the integer generated by #generateNewWindowId - see DELTASPIKE-752 */
-    private static final int SECURE_ID_LENGTH = 10;
-
     @Inject
     private ClientWindowConfig clientWindowConfig;
 

