[ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155517#comment-13155517 ]

Leonardo Uribe commented on MYFACES-3405:
-----------------------------------------

I tried it and the patch is ok.

> includeViewParameters re-evaluates param/model values as EL expressions
> -----------------------------------------------------------------------
>
> Key: MYFACES-3405
> URL: https://issues.apache.org/jira/browse/MYFACES-3405
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 2.1.3
> Environment: MyFaces 2.1.3
> Reporter: Frederick Kämpfer
> Attachments: MYFACES-3405-1.patch
>
>
> I just wanted to make you aware of the following security issue in
> conjunction with the includeViewParameters navigation parameter. It seems it
> is also reproducible with MyFaces:
> http://java.net/jira/browse/JAVASERVERFACES-2247
> I'm not sure which workaround would be best in accordance with the Spec, but
> at least a quick fix might be worth considering to improve the security of
> the default behavior.