[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155485#comment-13155485
]
Jakob Korherr commented on MYFACES-3405:
----------------------------------------
The patch looks good, +1 on committing.
Have you tried it with
http://code.google.com/a/apache-extras.org/p/jsf-includeviewparams-security-hole-example/
?
Regards,
Jakob
> includeViewParameters re-evaluates param/model values as EL expressions
> -----------------------------------------------------------------------
>
> Key: MYFACES-3405
> URL: https://issues.apache.org/jira/browse/MYFACES-3405
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 2.1.3
> Environment: MyFaces 2.1.3
> Reporter: Frederick Kämpfer
> Attachments: MYFACES-3405-1.patch
>
>
> I just wanted to make you aware of the following security issue in
> conjunction with the includeViewParameters navigation parameter. It seems it
> is also reproducible with MyFaces:
> http://java.net/jira/browse/JAVASERVERFACES-2247
> I'm not sure which workaround would be best in accordance with the Spec, but
> at least a quick fix might be worth considering to improve the security of
> the default behavior.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
