[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

Mon, 26 Nov 2018 01:27:24 -0800 


    [ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16698669#comment-16698669
 ] 

Thomas Andraschko commented on MYFACES-4266:
--------------------------------------------

Not sure if we have something in generell. Leo has a benchmark project which 
was used by: 
[http://content.jsfcentral.com/c/journal/view_article_content?cmd=view&groupId=35702&articleId=73398&version=1.8#.WzOTy4pCS70]

the source should be on github.
It's actually really critical as we always create new strings, also if no 
changes are required.
A simple InputText component from PrimeFaces could even call it ~100(?) times 
probably.

> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
>                 Key: MYFACES-4266
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4266
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.3.2
>         Environment: jetty 9.4.14.v20181114
> JDK 10
>            Reporter: cnsgithub
>            Priority: Major
>             Fix For: 2.0.25, 2.1.19, 2.2.13, 2.3.3, 3.0.0-SNAPSHOT
>
>
> I noticed that the {{<f:ajax />}} update fails when the updated form contains 
> unicode characters, which are not allowed in the [XML 1.0 
> spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they 
> should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails 
> to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: 
> [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
>  To reproduce:
>  - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
>  - {{git checkout myfaces}}
>  - run {{mvn clean package jetty:run}}
>  - after the server has started, open [http://localhost:8080/index.xhtml]
>  - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
>  - open [http://localhost:8080/input.xhtml]
>  - Paste the characters from the {{illegal-xml-chars.txt}} file into the 
> input field
>  - Click the button
> This issue should be addressed with high priority since it is security 
> related (might be exploited for Denial of Service).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to