myfaces-dev mailing list archives

From "lantian (JIRA)" <myfaces-...@incubator.apache.org>
Subject [jira] Created: (MYFACES-302) there's a very serious security problem in myfaces but not found in SUN's RI.
Date Mon, 04 Jul 2005 09:11:11 GMT
there's a very serious security problem in myfaces but not found in SUN's RI.
--------------------------------------------------------------------------------

         Key: MYFACES-302
         URL: http://issues.apache.org/jira/browse/MYFACES-302
     Project: MyFaces
        Type: Bug
    Versions: 1.0.9 beta    
 Environment: JDK  1.4.2
TOMCAT 5.0.28
    Reporter: lantian
    Priority: Critical


Step 1: I set the disabled property of the inputText named input1 and the commandButton named button1 to "true" at design time.

Step 2: I view the page with the Firefox browser, and I cannot modify the data of input1 and cannot click button1, of course.

Step 3: I change the disabled property of input1 and button1 to "false" in the page with the DOM Inspector tool supplied by Firefox.

Step 4: Now I can modify the data of input1 and can click button1. I find that the new data was submitted to the server and the action of button1 was invoked.

It means that the disabled property of MyFaces components cannot work securely.
I made the same test with SUN's RI, and it works well.


-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
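
The behaviour the report expects (a disabled component must not accept submitted values or fire its action, whatever the browser's DOM says) can be sketched as a server-side check. This is an added example, not code from the original message, MyFaces or Sun's RI; the `Field` class and `decode` method are hypothetical and model the idea without the JSF API, and the request parameters are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration: a simplified model of a server-side decode step.
// Class and method names are hypothetical; this is not the JSF or MyFaces API.
public class DisabledDecodeDemo {

    /** Server-side view of one form component; 'disabled' is fixed at design time. */
    static final class Field {
        final boolean disabled;
        String value;
        Field(boolean disabled, String value) { this.disabled = disabled; this.value = value; }
    }

    /**
     * Applies posted parameters to the server-side fields. The disabled flag is
     * read from the server's component state, never from the request, so a
     * parameter for a disabled (or unknown) component is dropped even though the
     * browser sent it. Returns the ids of the dropped parameters for logging.
     */
    static List<String> decode(Map<String, Field> view, Map<String, String> posted) {
        List<String> rejected = new ArrayList<>();
        for (Map.Entry<String, String> p : posted.entrySet()) {
            Field f = view.get(p.getKey());
            if (f == null || f.disabled) {
                rejected.add(p.getKey());   // value not applied, action not queued
                continue;
            }
            f.value = p.getValue();
        }
        return rejected;
    }

    public static void main(String[] args) {
        Map<String, Field> view = new LinkedHashMap<>();
        view.put("input1", new Field(true, "original"));    // disabled at design time
        view.put("button1", new Field(true, null));         // disabled at design time
        view.put("input2", new Field(false, "original"));   // normal editable field

        // Constructed request: the client re-enabled input1 and button1 in the DOM.
        Map<String, String> posted = new LinkedHashMap<>();
        posted.put("input1", "tampered");
        posted.put("input2", "edited");
        posted.put("button1", "Submit");

        List<String> rejected = decode(view, posted);
        System.out.println("input1 = " + view.get("input1").value);
        System.out.println("input2 = " + view.get("input2").value);
        System.out.println("rejected parameters = " + rejected);
    }
}
```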

