myfaces-dev mailing list archives

From "cnsgithub (JIRA)" <...@myfaces.apache.org>
Subject [jira] [Created] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
Date Thu, 22 Nov 2018 08:29:00 GMT
cnsgithub created MYFACES-4266:
----------------------------------

             Summary: Ajax update fails due to invalid characters in response XML (DoS)
                 Key: MYFACES-4266
                 URL: https://issues.apache.org/jira/browse/MYFACES-4266
             Project: MyFaces Core
          Issue Type: Bug
    Affects Versions: 2.3.2
         Environment: jetty 9.4.14.v20181114
JDK 10
            Reporter: cnsgithub


I noticed that the {{<f:ajax />}} update fails when the updated form contains Unicode
characters which are not allowed in the [XML 1.0 spec|https://www.w3.org/TR/REC-xml/#charsets].
h2. Expected Behaviour

If the update response contains characters that are not allowed in XML, they should be filtered
by MyFaces before writing the response.
h2. Actual Behaviour

Some illegal XML characters are not filtered and therefore the browser fails to parse the
response.
h2. Steps to reproduce

I created a small GitHub project to reproduce this behaviour: [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces]
(branch myfaces)
To reproduce:
 - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
 - {{git checkout myfaces}}
 - run {{mvn clean package jetty:run}}
 - after the server has started, open [http://localhost:8080/index.xhtml]
 - Click the button, the error should occur

The issue also occurs with user-supplied inputs:
 - open [http://localhost:8080/input.xhtml]
 - Paste the characters from the {{illegal-xml-chars.txt}} file into the input field
 - Click the button

This issue should be addressed with high priority since it is security related (might be exploited
for Denial of Service).
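The filter the report asks for under "Expected Behaviour", as an added illustration that is not part of the report and not MyFaces code: it implements the XML 1.0 {{Char}} production from the linked spec, applies it to an update payload before the payload is wrapped into a partial response, and then runs a strict XML parser over both the unfiltered and the filtered document to stand in for the browser. The partial-response shape, the element id, and the sample payload (which mixes legal characters such as a tab and an emoji with illegal ones such as NUL, vertical tab, U+FFFE and a lone surrogate) are constructed assumptions; Python is used rather than Java so the check runs without a servlet container.

```python
import xml.etree.ElementTree as ET


def is_xml10_char(cp: int) -> bool:
    """True if the code point matches the XML 1.0 'Char' production:
    #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]."""
    return (
        cp in (0x9, 0xA, 0xD)
        or 0x20 <= cp <= 0xD7FF
        or 0xE000 <= cp <= 0xFFFD
        or 0x10000 <= cp <= 0x10FFFF
    )


def filter_xml_chars(text: str, replacement: str = "") -> str:
    """Drop (or replace) every code point that XML 1.0 forbids.
    Python iterates a str by code point, so a supplementary character such as
    U+1F600 is checked as a whole, and a lone surrogate is seen and removed."""
    return "".join(ch if is_xml10_char(ord(ch)) else replacement for ch in text)


def count_illegal_chars(text: str) -> int:
    """Number of code points the filter would remove (useful for logging)."""
    return sum(1 for ch in text if not is_xml10_char(ord(ch)))


# Assumption: a simplified JSF partial-response document. The update payload is
# wrapped in CDATA as MyFaces does; the sample never contains "]]>".
PARTIAL_RESPONSE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<partial-response><changes><update id="{element_id}">'
    "<![CDATA[{html}]]></update></changes></partial-response>"
)


def build_partial_response(html: str, element_id: str = "form",
                           sanitize: bool = True) -> str:
    """Render the partial response; with sanitize=True the payload is filtered
    first. CDATA does not rescue illegal characters: the spec forbids them in
    CDATA sections too, which is why the filter must run before writing."""
    payload = filter_xml_chars(html) if sanitize else html
    return PARTIAL_RESPONSE.format(element_id=element_id, html=payload)


def parses_as_xml(document: str) -> bool:
    """Stand-in for the browser: a strict parser accepts the response or not.
    UnicodeEncodeError (a ValueError) covers lone surrogates, which cannot even
    be encoded before the parser sees them."""
    try:
        ET.fromstring(document)
        return True
    except (ET.ParseError, ValueError):
        return False


# Constructed sample of "updated form" text: NUL, vertical tab, U+FFFE and a
# lone surrogate are illegal; the tab and the emoji (U+1F600) are legal.
SAMPLE_HTML = "Hello\x00world\x0b\ufffe\ud800 ok \U0001F600 tab\t"

if __name__ == "__main__":
    print("illegal code points:", count_illegal_chars(SAMPLE_HTML))
    print("unfiltered parses:", parses_as_xml(build_partial_response(SAMPLE_HTML, sanitize=False)))
    print("filtered parses:  ", parses_as_xml(build_partial_response(SAMPLE_HTML)))
```

Dropping the characters silently is the simplest fix; replacing them with a visible marker (the {{replacement}} argument) makes a stripped input easier to spot in logs while still keeping the response well-formed.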



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
