myfaces-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Simon Kitching <>
Subject Re: wrong/missing validation behaviour - security problem.
Date Wed, 17 Sep 2008 14:41:27 GMT schrieb:
> Hi!
> While testing our JSF Frontends we found out, that the server sided 
> validation of the JSF components does not work corrrectly in some cases.
> I appended an example formular which we tested and where we found this 
> bug.
> At first we changed the http request and set the value of all fields 
> to “”. All server sided validators worked correctly and threw a 
> required error.
> After this we began to remove the whole fields from the http post. 
> When removing the first fields, a null pointer exception was thrown – 
> a reasonable behaviour.
> When we removed the inputText id=”contentInput” (see attachement) and 
> left the other fields in a correct state, no null pointer exception 
> and no validator exception was thrown. The workflow continued and 
> finally an empty string from the contentInput was written to our database.
> I think this is a security problem because our developers trust in the 
> server side validation of the input fields – and an input field with 
> the required=”true” attribute mustn’t be empty.
> At other forms the behaviour changed and the problems appeared at 
> other points (for example a modified datePicker value caused a number 
> format exception instead of an invalid value validator exception).
> If you need further assistance to reproduce this bug feel free to 
> contact me. This bug is currently interrupting our production, so I 
> will definitely assist you in finding the bug wherever possible.
Does this happen if you use an h:inputText rather than a tr:inputText?

View raw message