[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mike Kienenberger updated PORTLETBRIDGE-236:
--------------------------------------------
       Resolution: Fixed
    Fix Version/s: 3.0.0-alpha
                   3.0.0
           Status: Resolved  (was: Patch Available)

Thanks to Ross Crewley for providing these patches.

Applied, and both trunk and alpha 3 build under Java 8.

> Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: PORTLETBRIDGE-236
>                 URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-236
>             Project: MyFaces Portlet Bridge
>          Issue Type: Bug
>          Components: Impl
>    Affects Versions: 3.0.0, 3.0.0-alpha
>            Reporter: Ross Clewley
>            Assignee: Mike Kienenberger
>            Priority: Critical
>              Labels: security
>             Fix For: 3.0.0, 3.0.0-alpha
>
>         Attachments: portletbridge-236-alpha_3.0.x.patch, portletbridge-236-trunk.patch
>
>
> MyFaces Portlet Bridge has a security vulnerability in which the _jsfBridgeViewId, __jpfbJSFTARGET, and __jpfbJSFResTARGET request parameter values are not restricted to valid filename characters.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)