From: "Donald Woods (JIRA)"
To: dev@geronimo.apache.org
Reply-To: dev@geronimo.apache.org
Date: Tue, 26 Aug 2008 12:52:44 -0700 (PDT)
Subject: [jira] Commented: (GERONIMO-4266) Upgrade to DWR 2.0.5 for XSS security fix
Message-ID: <286603323.1219780364221.JavaMail.jira@brutus>
In-Reply-To: <1063676223.1219779164450.JavaMail.jira@brutus>

    [ https://issues.apache.org/jira/browse/GERONIMO-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12625839#action_12625839 ]

Donald Woods commented on GERONIMO-4266:
----------------------------------------
r689182 in branches/2.1 (2.1.3-SNAPSHOT)
r689188 in trunk (2.2-SNAPSHOT)

> Upgrade to DWR 2.0.5 for XSS security fix
> -----------------------------------------
>
>                 Key: GERONIMO-4266
>                 URL: https://issues.apache.org/jira/browse/GERONIMO-4266
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues)
>          Components: dependencies
>    Affects Versions: 2.0, 2.0.1, 2.0.2, 2.0.3, 2.1, 2.1.1, 2.1.2, 2.1.3, 2.2
>            Reporter: Donald Woods
>            Assignee: Donald Woods
>             Fix For: 2.0.3, 2.1.3, 2.2
>
>
> Need to upgrade to DWR 2.0.5 for the following fix -
> ------------------------------------------------------------------------
> r2077 | joe | 2008-06-22 09:28:22 -0400 (Sun, 22 Jun 2008) | 7 lines
> Fix for XSS issue in ExceptionHandler:
> PartialResponse.fromOrdinal() throws a NumberFormatException trying to
> parse the 'partialResponse' parameter. This exception is never caught,
> prompting UrlProcessor to invoke DWR's default ExceptionHandler class,
> which calls out.println(cause.getMessage()), thereby causing the XSS.
> ------------------------------------------------------------------------

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
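Added illustration of the bug class the quoted DWR commit message describes; this is not code from DWR, Geronimo, or the JIRA thread. Integer.parseInt() puts the unparsed input into its NumberFormatException message ("For input string: \"...\""), so a handler that writes cause.getMessage() into the HTTP response reflects the attacker-controlled 'partialResponse' value verbatim. The fromOrdinal() stand-in, the Map-based request, and the two handler methods are assumptions made to keep the example self-contained; the hardened variant shows one reasonable fix (fixed error text, detail kept server-side, escaping if anything must be echoed), not necessarily what DWR 2.0.5 did.

```java
import java.util.Map;

/**
 * Added example (not DWR's or Geronimo's code): an exception message that
 * carries request input is written straight into the response body, which
 * is the XSS pattern described for DWR's default ExceptionHandler.
 */
public class ExceptionMessageXss {

    /**
     * Stand-in for PartialResponse.fromOrdinal() (assumed shape, not the real
     * DWR method). Integer.parseInt embeds the raw input in the exception:
     *   java.lang.NumberFormatException: For input string: "<script>alert(1)</script>"
     */
    static int fromOrdinal(String raw) {
        return Integer.parseInt(raw);
    }

    /**
     * Vulnerable: mirrors out.println(cause.getMessage()) in a catch-all
     * handler. Whatever the client sent as 'partialResponse' comes back in
     * the response body unescaped.
     */
    static String vulnerableHandler(Map<String, String> params) {
        try {
            int ordinal = fromOrdinal(params.get("partialResponse"));
            return "partialResponse=" + ordinal;
        } catch (RuntimeException cause) {
            return cause.getMessage(); // reflects attacker input into the page
        }
    }

    /**
     * Hardened (one possible fix, not DWR's): catch the expected parse
     * failure, answer with fixed text, and keep the offending value in a
     * server-side log with line breaks removed so it cannot forge log lines.
     */
    static String hardenedHandler(Map<String, String> params) {
        String raw = params.get("partialResponse");
        try {
            int ordinal = fromOrdinal(raw);
            return "partialResponse=" + ordinal;
        } catch (NumberFormatException cause) {
            String forLog = raw == null ? "null" : raw.replaceAll("[\\r\\n]", " ");
            System.err.println("rejected partialResponse: " + forLog);
            return "Error: partialResponse must be an integer";
        }
    }

    /** If user input ever has to be echoed into HTML, escape it first. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed request, not a captured one.
        Map<String, String> attack = Map.of("partialResponse", "<script>alert(1)</script>");
        System.out.println("vulnerable: " + vulnerableHandler(attack));
        System.out.println("hardened:   " + hardenedHandler(attack));
        System.out.println("escaped:    " + htmlEscape(attack.get("partialResponse")));
    }
}
```

Running main() shows the vulnerable handler returning the script tag inside the parse error text while the hardened one returns only the fixed message; the same check applies to any framework whose generic error page prints exception messages built from request data.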