[jira] [Commented] (DELTASPIKE-1307) Deltaspike JSF: XSS WindowIdHtmlRenderer.java

2017-12-31 Thread Gerhard Petracek (JIRA)

[ https://issues.apache.org/jira/browse/DELTASPIKE-1307?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16307209#comment-16307209 ]

Gerhard Petracek commented on DELTASPIKE-1307:
--

@md:
fyi: if you think 10 chars are enough (to do more than useless calls), you can change the max-length via JsfBaseConfig.ScopeCustomization.WindowRestriction.ID_MAX_LENGTH (since the beginning...).
the default-value is 10 because in the discussion back then it was accepted as secure enough (in case you don't ship harmful scripts in your own app), however, it's great to have the addition from mark!

> Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> -
>
> Key: DELTASPIKE-1307
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1307
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.8.0
> Environment: any
> Reporter: md
> Assignee: Mark Struberg
> Priority: Blocker
> Labels: security
> Fix For: 1.8.1
>
>
> 10 chars ought to be enough for XSS.
> Try escaping your variables.
> https://github.com/apache/deltaspike/blob/master/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
> Line 80
> PoC
> dswid='-open()-'



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
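A defender-side illustration of the two points raised in the comment and the issue (the 10-char cap and escaping), added here and not DeltaSpike's own code: the allow-list pattern, the class and method names are assumptions. The page's 10-char value fits the length cap yet is rejected by the allow-list, and the escaper shows what the render path would emit for an HTML attribute or text context.

```java
import java.util.regex.Pattern;

/** Added example, not DeltaSpike code: why a length cap alone is not an XSS defence. */
public final class WindowIdCheck {
    /** Assumed default, mirroring the 10-char limit discussed in the comment. */
    static final int ID_MAX_LENGTH = 10;

    /** Assumed allow-list: generated window ids are plain alphanumerics,
     *  so anything else is rejected rather than rendered. */
    private static final Pattern SAFE_ID =
        Pattern.compile("[A-Za-z0-9]{1," + ID_MAX_LENGTH + "}");

    /** The pre-fix reasoning: only the length of the request value is bounded. */
    static boolean lengthOnlyAccepts(String id) {
        return id != null && id.length() <= ID_MAX_LENGTH;
    }

    /** Length cap plus character allow-list: reject instead of trusting the value. */
    static boolean isValidWindowId(String id) {
        return id != null && SAFE_ID.matcher(id).matches();
    }

    /** Defence in depth on the render path: encode for an HTML attribute/text
     *  context (a JavaScript string context would need JS-specific encoding). */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String poc = "'-open()-'";   // the 10-char value quoted in the issue
        System.out.println("length cap only accepts PoC: " + lengthOnlyAccepts(poc));
        System.out.println("allow-list accepts PoC:      " + isValidWindowId(poc));
        System.out.println("allow-list accepts a1B2c3:   " + isValidWindowId("a1B2c3"));
        System.out.println("escaped for HTML:            " + htmlEscape(poc));
    }
}
```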


Re: [VOTE] release Apache DeltaSpike-1.8.1

2017-12-31 Thread Rudy De Busscher
+1

Rudy

On 31 December 2017 at 08:48, Mark Struberg wrote:

> Yes you are right, checked directly on our Jenkins - all fine still.
>
> It was just my mail client who fooled me. It still had the subject „..
> failed..“ on the thread still.
> But the last mail was an OK message.
>
> Sorry and LieGrue,
> Strub
>
> > On 31.12.2017 at 00:22, John D. Ament wrote:
> >
> > I didn't see an answer on this, but I'm fine with releasing as is
> > considering the contents so here's my +1.
> >
> > On Sat, Dec 30, 2017 at 11:59 AM John D. Ament wrote:
> >
> >> Where did it break jenkins?
> >>
> >>
> >> https://builds.apache.org/view/A-D/view/DeltaSpike/job/DeltaSpike_TomEE/1220/
> >> passed
> >>
> >> https://builds.apache.org/view/A-D/view/DeltaSpike/job/DeltaSpike_Payara_4.1.x/48/
> >> passed
> >>
> >> https://builds.apache.org/view/A-D/view/DeltaSpike/job/DeltaSpike_Wildfly_10.1/63/
> >> passed
> >>
> >> In fact, I asked the contributor to rebase to ensure that CI was passing
> >> since CI was failing.
> >>
> >> John
> >>
> >>
> >> On Sat, Dec 30, 2017 at 11:48 AM Mark Struberg wrote:
> >>
> >>> I've moved 1299 to 1.8.2. It did break Jenkins, so we should look at it
> >>> again and take time as needed.
> >>> But we should really get this release out of the door asap as it contains
> >>> important security fixes.
> >>>
> >>> Happy to run an 1.8.2 release in the next weeks.
> >>>
> >>> LieGrue,
> >>> strub
> >>>
>  On 30.12.2017 at 17:43, John D. Ament wrote:
> 
>  Hmmm looks like we crossed wires.  Can you rerun with current master?  I
>  want to ensure that 1299 is included.
> 
>  On Sat, Dec 30, 2017 at 11:39 AM Mark Struberg wrote:
> 
> > Hi folks!
> >
> > I did run the necessary steps for releasing DeltaSpike-1.8.1
> >
> > The following bugs and improvements got implemented:
> >
> > Bug
> >
> >   • [DELTASPIKE-1252] - data-documentation missing Optional return value
> >   • [DELTASPIKE-1271] - [perf] cache Transactional
> >   • [DELTASPIKE-1272] - ConfigResolver asList breaks if no value is found
> >   • [DELTASPIKE-1275] - Build fails on Linux because Testclass filenames are too long
> >   • [DELTASPIKE-1278] - PropertyFileConfig does not respect optional on external resources
> >   • [DELTASPIKE-1281] - Deltaspike does not pass BeanManager to persistence factory config using "javax.persistence.bean.manager"
> >   • [DELTASPIKE-1287] - asList() getValue() fails with a NPE if no configured value exists
> >   • [DELTASPIKE-1288] - Default values are not interpolated
> >   • [DELTASPIKE-1294] - Secured Stereotypes are not applied to inherited methods
> >   • [DELTASPIKE-1296] - PropertyFileConfig doesn't work with internal extensions
> >   • [DELTASPIKE-1302] - ThreadPoolManager: ExecutorService map is always empty
> >   • [DELTASPIKE-1303] - @Configuration proxies should support List without converters
> >   • [DELTASPIKE-1305] - Multiple ds:windowId leads to multiple redirects
> >   • [DELTASPIKE-1306] - IE sometimes doesn't set window.name correctly
> >   • [DELTASPIKE-1307] - Deltaspike JSF: XSS WindowIdHtmlRenderer.java
> >
> > Improvement
> >
> >   • [DELTASPIKE-940] - @Transactional and @EntityManagerConfig each use a different method to resolve EntityManagers
> >   • [DELTASPIKE-1070] - Refactor RepositoryComponent/s
> >   • [DELTASPIKE-1258] - skip flush with one EntityManager
> >   • [DELTASPIKE-1267] - Remove second factory mechanism of QueryBuilder's
> >   • [DELTASPIKE-1268] - QueryProcessorFactory should be a bean
> >   • [DELTASPIKE-1269] - [perf] Cache singleResultType per method
> >   • [DELTASPIKE-1270] - [perf] cache requiresTransaction per method
> >   • [DELTASPIKE-1274] - Refactor proxy-module / improve performance
> >   • [DELTASPIKE-1279] - SimpleSecurityViolation needs equals/hashcode
> >   • [DELTASPIKE-1283] - Placeholders not supported for defaults
> >   • [DELTASPIKE-1289] - GlobalInterceptorExtension could reuse BeanManager
> >   • [DELTASPIKE-1293] - CDI qualifiers support for JSF converters
> >   • [DELTASPIKE-1304] - Make CdiTestRunner use "flat" deployment on Weld by default
> >
> > Task
> >
> >   • [DELTASPIKE-1259] - upgraded version numbers
> >   • [DELTASPIKE-1297] - add test with a customized DynamicMockManager
> >   • [DELTASPIKE-1298] - document customization of a DynamicMockManager