From Mike Kienenberger <mkien...@gmail.com>
Subject INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME docs need a security warning? [Was: svn commit: r1238687 - /myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java]
Date Tue, 12 Jun 2012 20:31:09 GMT
Leonardo,

I'm guessing this commit is the only documentation we have on
org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME

Shouldn't there be a warning in the documentation that re-enabling
slash can expose you to a security hole?

Looking at the code, "." is still allowed, so allowing "/" puts the
user back in the same situation.

http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3C4F33ED1F.4070007@apache.org%3E

On Tue, Jan 31, 2012 at 11:36 AM,  <lu4242@apache.org> wrote:
> Author: lu4242
> Date: Tue Jan 31 16:36:49 2012
> New Revision: 1238687
>
> URL: http://svn.apache.org/viewvc?rev=1238687&view=rev
> Log:
> small fix over checkstyle
>
> Modified:
>    myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
>
> Modified: myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
> URL: http://svn.apache.org/viewvc/myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java?rev=1238687&r1=1238686&r2=1238687&view=diff
> ==============================================================================
> --- myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
(original)
> +++ myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
Tue Jan 31 16:36:49 2012
> @@ -72,8 +72,10 @@ public class ResourceHandlerImpl extends
>     /**
>      * Allow slash in the library name of a Resource.
>      */
> -    @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false", expectedValues="true,
false", group="resources")
> -    public static final String INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME =
"org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME";
> +    @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false",
> +            expectedValues="true, false", group="resources")
> +    public static final String INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME =
> +            "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME";
>     public static final boolean INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME_DEFAULT
= false;
>
>     private Boolean _allowSlashLibraryName;
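Review bot: The Javadoc on the constant says only "Allow slash in the library name of a Resource" and neither names the check the parameter relaxes nor documents the accompanying INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME_DEFAULT constant, which has no Javadoc at all. The later hunks show the value feeding `ResourceValidationUtils.isValidLibraryName(libraryName, isAllowSlashesLibraryName())` at three call sites, including the one that validates the `ln` request parameter, so a reader deciding whether to set it needs that link stated where the parameter is documented. I would replace the one-line Javadoc with a comment stating that the parameter makes `ResourceValidationUtils.isValidLibraryName` accept "/" in resource library names (including those supplied via the `ln` request parameter), that it defaults to false, and that it should be enabled only when the application actually ships libraries whose names contain "/". I would also add `/** Default for {@link #INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME}: library names containing "/" are rejected unless the parameter is set. */` above the `_DEFAULT` constant. The enclosing class ResourceHandlerImpl starts before this hunk and continues past it.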
> @@ -100,7 +102,8 @@ public class ResourceHandlerImpl extends
>         {
>             return null;
>         }
> -        if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName,
isAllowSlashesLibraryName()))
> +        if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(
> +                libraryName, isAllowSlashesLibraryName()))
>         {
>             return null;
>         }
> @@ -337,7 +340,8 @@ public class ResourceHandlerImpl extends
>             String libraryName = facesContext.getExternalContext()
>                     .getRequestParameterMap().get("ln");
>
> -            if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName,
isAllowSlashesLibraryName()))
> +            if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(
> +                    libraryName, isAllowSlashesLibraryName()))
>             {
>                 httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
>                 return;
> @@ -559,7 +563,8 @@ public class ResourceHandlerImpl extends
>
>         String pathToLib = null;
>
> -        if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName,
isAllowSlashesLibraryName()))
> +        if (libraryName != null && !ResourceValidationUtils.isValidLibraryName(
> +                libraryName, isAllowSlashesLibraryName()))
>         {
>             return false;
>         }
>
>
