Date: Tue, 22 Nov 2011 22:10:39 +0000 (UTC)
From: "Jakob Korherr (Commented) (JIRA)"
To: dev@myfaces.apache.org
Mailing-List: contact dev-help@myfaces.apache.org; run by ezmlm
Reply-To: "MyFaces Development"
Message-ID: <72547687.4106.1321999840004.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: <335909298.2118.1321961560492.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Commented] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

    [ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155485#comment-13155485 ]

Jakob Korherr commented on MYFACES-3405:
----------------------------------------

The patch looks good, +1 on committing.

Have you tried it with http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/ ?

Regards,
Jakob

> includeViewParameters re-evaluates param/model values as EL expressions
> -----------------------------------------------------------------------
>
>                 Key: MYFACES-3405
>                 URL: https://issues.apache.org/jira/browse/MYFACES-3405
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.1.3
>         Environment: MyFaces 2.1.3
>            Reporter: Frederick Kämpfer
>         Attachments: MYFACES-3405-1.patch
>
>
> I just wanted to make you aware of the following security issue in conjunction with the includeViewParameters navigation parameter. It seems it is also reproducible with MyFaces:
> http://java.net/jira/browse/JAVASERVERFACES-2247
> I'm not sure which workaround would be best in accordance with the Spec, but at least a quick fix might be worth considering to improve the security of the default behavior.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
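A simplified model of the flaw this issue reports (a submitted view-parameter value being handed back to the EL machinery and resolved against server-side state) next to the hardening principle behind any fix (only the expression declared in the view template is evaluated; request strings stay data). This is an added example, not MyFaces code and not the attached patch; the tiny dotted-path resolver, the function names and the view/model/request data are all constructed for illustration.

```python
import re

# Constructed stand-in for an EL resolver: handles only "#{a.b.c}" dotted
# property paths against a dict-based model. Real JSF EL does far more; the
# point here is only whether a string is *evaluated* or kept as a literal.
EL_EXPR = re.compile(r"^#\{([A-Za-z_][\w.]*)\}$")


def evaluate_el(expr, model):
    """Resolve one '#{path.to.value}' expression; plain text returns itself."""
    m = EL_EXPR.match(expr)
    if not m:
        return expr
    value = model
    for part in m.group(1).split("."):
        value = value.get(part) if isinstance(value, dict) else None
        if value is None:
            return None  # unresolvable path, as a resolver would report
    return value


def include_view_params_vulnerable(view_params, request, model):
    """Pre-fix behaviour modelled: the *submitted* value of each declared view
    parameter is re-evaluated, so an expression-shaped request string is
    resolved against the server-side model instead of being carried as text."""
    return {name: str(evaluate_el(request.get(name, ""), model))
            for name in view_params}


def include_view_params_fixed(view_params, request, model):
    """Hardened behaviour: the declared binding (trusted template) decides the
    value only when nothing was submitted; a submitted string is never parsed."""
    out = {}
    for name, declared_expr in view_params.items():
        value = request.get(name)
        if value is None:
            value = evaluate_el(declared_expr, model)
        out[name] = "" if value is None else str(value)
    return out


def looks_like_el(value):
    """Detection aid for request logging or WAF rules: flag EL syntax in input."""
    return "#{" in value or "${" in value


# Constructed sample: one declared view parameter, an application model with a
# value that must never reach the client, and a request that submits an
# expression-shaped string for the parameter.
VIEW_PARAMS = {"id": "#{item.id}"}
MODEL = {"item": {"id": "42"}, "app": {"internal": "server-side-only"}}
REQUEST = {"id": "#{app.internal}"}
```

Running both functions over the same sample shows the difference a reviewer of this patch should look for: the vulnerable path returns the resolved model value, the hardened path returns the submitted text unchanged.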