[jira] [Created] (PORTLETBRIDGE-237) Failing TCK test facesContextFactoryServiceProviderTest
Ross Clewley created PORTLETBRIDGE-237:
--
Summary: Failing TCK test facesContextFactoryServiceProviderTest
Key: PORTLETBRIDGE-237
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-237
Project: MyFaces Portlet Bridge
Issue Type: Bug
Affects Versions: 3.0.0, 3.0.0-alpha
Reporter: Ross Clewley
Assignee: Scott O'Bryan
Priority: Minor

facesContextFactoryServiceProviderTest in the JSR329 required that the Bridge implementation configures its FacesContextFactory by presence of the resource META-INF/services/javax.faces.context.FacesContextFactory. The 3.0.0 versions of the MyFaces Portlet JSF Bridge configure it in the faces-config.xml instead, and don't have this service definition file, so fail this test.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Created] (PORTLETBRIDGE-236) Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values
Ross Clewley created PORTLETBRIDGE-236:
--
Summary: Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values
Key: PORTLETBRIDGE-236
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-236
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0, 3.0.0-alpha
Reporter: Ross Clewley
Assignee: Michael Freedman
Priority: Critical

MyFaces Portlet Bridge has a security vulnerability in which the _jsfBridgeViewId, __jpfbJSFTARGET, and __jpfbJSFResTARGET request parameter values are not restricted to valid filename characters.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (PORTLETBRIDGE-236) Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ross Clewley updated PORTLETBRIDGE-236:
---
Status: Patch Available (was: Open)

Security vulnerability with _jsfBridgeViewId, __jpfbJSFTARGET and __jpfbJSFResTARGET URL parameter values
--
Key: PORTLETBRIDGE-236
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-236
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0, 3.0.0-alpha
Reporter: Ross Clewley
Assignee: Michael Freedman
Priority: Critical
Labels: security
Attachments: portletbridge-236-alpha_3.0.x.patch, portletbridge-236-trunk.patch

MyFaces Portlet Bridge has a security vulnerability in which the _jsfBridgeViewId, __jpfbJSFTARGET, and __jpfbJSFResTARGET request parameter values are not restricted to valid filename characters.

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
Ross Clewley created PORTLETBRIDGE-234:
--
Summary: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Commented] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003635#comment-14003635 ]

Ross Clewley commented on PORTLETBRIDGE-234:

The signature of the remove method in BridgeRequestScopeRepository is

    public BridgeRequestScope remove(String key)

Confusingly, BridgeRequestScope is not a class name in this context but a generics type parameter name (this is somewhat misleading and probably ought to be cleaned up):

    public class BridgeRequestScopeRepository<String, BridgeRequestScope extends ConcurrentMap<String, Object>> extends LinkedHashMap<String, BridgeRequestScope>

Therefore BridgeRequestScope will be erased at runtime, leading to the conflict with the superclass method from HashMap which is declared as:

    public V remove(Object key) { }

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
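The name clash reported in PORTLETBRIDGE-234, reduced to a small case and shown beside a form that compiles. This is an added example, not code from the bridge or its patch; ErasureClashDemo, Repo and ScopeRepo are hypothetical names.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

// Added illustration; Repo and ScopeRepo are hypothetical stand-ins, not the bridge's classes.
public class ErasureClashDemo {

    // Rejected by javac with "name clash: ... have the same erasure, yet neither
    // overrides the other": <String, Scope> declares two type VARIABLES, so the
    // parameter type erases to Object without matching the inherited signature.
    //
    // static class Repo<String, Scope extends ConcurrentMap<String, Object>>
    //         extends LinkedHashMap<String, Scope> {
    //     public Scope remove(String key) { return super.remove(key); }
    // }

    // Compiles: only the value type is a type variable, and the key parameter is
    // Object, so this method is a real override of HashMap.remove(Object).
    static class ScopeRepo<V extends ConcurrentMap<String, Object>>
            extends LinkedHashMap<String, V> {
        @Override
        public V remove(Object key) {
            V scope = super.remove(key);
            if (scope != null) {
                scope.clear(); // drop the scope's attributes once it leaves the repository
            }
            return scope;
        }
    }

    public static void main(String[] args) {
        ScopeRepo<ConcurrentMap<String, Object>> repo = new ScopeRepo<>();
        ConcurrentMap<String, Object> scope = new ConcurrentHashMap<>();
        scope.put("attr", "value");
        repo.put("scope-1", scope);

        // A caller holding only the Map interface still reaches the subclass method.
        Map<String, ConcurrentMap<String, Object>> asMap = repo;
        ConcurrentMap<String, Object> removed = asMap.remove("scope-1");
        System.out.println("removed same instance: " + (removed == scope));
        System.out.println("attributes cleared:    " + removed.isEmpty());
        System.out.println("still in repository:   " + repo.containsKey("scope-1"));
    }
}
```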
[jira] [Updated] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ross Clewley updated PORTLETBRIDGE-234:
---
Status: Patch Available (was: Open)

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ross Clewley updated PORTLETBRIDGE-234:
---
Status: Open (was: Patch Available)

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Comment Edited] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003668#comment-14003668 ]

Ross Clewley edited comment on PORTLETBRIDGE-234 at 5/20/14 5:24 PM:
-
!portletbridge-234.patch! changes the signature of the remove method such that the key parameter is of type Object. The method can therefore override the superclass remove method. I've also changed the generics parameterization of the class so that it's not using BridgeRequestScope as a generics type parameter. The TCK tests have been run and pass.

was (Author: rclewley):
This patch changes the signature of the remove method such that the key parameter is of type Object. The method can therefore override the superclass remove method. I've also changed the generics parameterization of the class so that it's not using BridgeRequestScope as a generics type parameter. The TCK tests have been run and pass.

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman
Attachments: portletbridge-234.patch

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Updated] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ross Clewley updated PORTLETBRIDGE-234:
---
Status: Patch Available (was: Open)

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman
Attachments: portletbridge-234.patch

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Comment Edited] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003668#comment-14003668 ]

Ross Clewley edited comment on PORTLETBRIDGE-234 at 5/20/14 5:26 PM:
-
[^portletbridge-234.patch] changes the signature of the remove method such that the key parameter is of type Object. The method can therefore override the superclass remove method. I've also changed the generics parameterization of the class so that it's not using BridgeRequestScope as a generics type parameter. The TCK tests have been run and pass. The patch is for trunk. The issue only affects trunk.

was (Author: rclewley):
[^portletbridge-234.patch] changes the signature of the remove method such that the key parameter is of type Object. The method can therefore override the superclass remove method. I've also changed the generics parameterization of the class so that it's not using BridgeRequestScope as a generics type parameter. The TCK tests have been run and pass.

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman
Attachments: portletbridge-234.patch

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Comment Edited] (PORTLETBRIDGE-234) remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-234?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14003668#comment-14003668 ]

Ross Clewley edited comment on PORTLETBRIDGE-234 at 5/20/14 5:25 PM:
-
[^portletbridge-234.patch] changes the signature of the remove method such that the key parameter is of type Object. The method can therefore override the superclass remove method. I've also changed the generics parameterization of the class so that it's not using BridgeRequestScope as a generics type parameter. The TCK tests have been run and pass.

was (Author: rclewley):
!portletbridge-234.patch! changes the signature of the remove method such that the key parameter is of type Object. The method can therefore override the superclass remove method. I've also changed the generics parameterization of the class so that it's not using BridgeRequestScope as a generics type parameter. The TCK tests have been run and pass.

remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure.
---
Key: PORTLETBRIDGE-234
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-234
Project: MyFaces Portlet Bridge
Issue Type: Bug
Components: Impl
Affects Versions: 3.0.0
Reporter: Ross Clewley
Assignee: Michael Freedman
Attachments: portletbridge-234.patch

Compiling the portlet bridge impl project on trunk produces the following compilation error.

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:2.3.1:compile (default-compile) on project portlet-bridge-impl: Compilation failure
[ERROR] /myfaces-trunk/impl/src/main/java/org/apache/myfaces/portlet/faces/bridge/scope/BridgeRequestScopeRepository.java:[55,28] error: name clash: remove(String) in BridgeRequestScopeRepository and remove(Object) in HashMap have the same erasure, yet neither overrides the other

--
This message was sent by Atlassian JIRA (v6.2#6252)
[jira] [Created] (PORTLETBRIDGE-235) Security Vulnerability exposed via viewId related request parameters.
Ross Clewley created PORTLETBRIDGE-235:
--
Summary: Security Vulnerability exposed via viewId related request parameters.
Key: PORTLETBRIDGE-235
URL: https://issues.apache.org/jira/browse/PORTLETBRIDGE-235
Project: MyFaces Portlet Bridge
Issue Type: Bug
Reporter: Ross Clewley
Assignee: Michael Freedman
Priority: Critical

The Portlet bridge allows the request parameters _jsfBridgeViewId, _jsfBridgeViewPath, __jpfbJSFTARGET and __jpfbJSFResTARGET to influence the viewId that is passed across a trust boundary to the JSF implementation. If the viewId is an absolute URL, that can result in that URL being retrieved and the document being executed as a facelet view definition file, allowing arbitrary java code to be executed.

--
This message was sent by Atlassian JIRA (v6.2#6252)
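An allow-list check of the kind PORTLETBRIDGE-235 and PORTLETBRIDGE-236 call for, applied to a view id taken from a request parameter before it crosses to the JSF implementation. This is an added example, not the attached patches or the bridge's code; ViewIdValidator, isSafeViewId, resolve and MAX_LENGTH are hypothetical, and the value is assumed to be already URL-decoded by the container and to carry no query string.

```java
import java.util.regex.Pattern;

// Added illustration, not the project's patch; class and method names are hypothetical.
public final class ViewIdValidator {

    // Allow-list: a context-relative path whose segments use filename characters only.
    // Every '.' or '/' must be followed by a filename character, so "//", ".." and a
    // trailing '/' never match.
    private static final Pattern SAFE_VIEW_ID =
            Pattern.compile("/[A-Za-z0-9_-]+(?:[./][A-Za-z0-9_-]+)*");

    private static final int MAX_LENGTH = 255; // assumed upper bound for this example

    private ViewIdValidator() { }

    /** True only when the value may be handed to the JSF implementation as a view id. */
    public static boolean isSafeViewId(String candidate) {
        if (candidate == null || candidate.isEmpty() || candidate.length() > MAX_LENGTH) {
            return false;
        }
        // matches() anchors at both ends, so a scheme ("http:"), a host ("//host"),
        // a backslash, whitespace, '%' or a control character fails the whole value.
        return SAFE_VIEW_ID.matcher(candidate).matches();
    }

    /** Returns the requested view id when it is safe, otherwise the configured default. */
    public static String resolve(String requested, String defaultViewId) {
        return isSafeViewId(requested) ? requested : defaultViewId;
    }

    public static void main(String[] args) {
        // Constructed sample values for the view id request parameters.
        String[] samples = {
            "/pages/home.xhtml",
            "/a/b/c-d_e.jsp",
            "http://example.invalid/view.xhtml",
            "//example.invalid/view.xhtml",
            "/pages/../other.xhtml",
            "/pages/home.xhtml\0",
            "pages/home.xhtml",
        };
        for (String s : samples) {
            String shown = s.replace('\0', '?'); // keep the NUL sample printable
            System.out.println((isSafeViewId(s) ? "accept " : "reject ") + shown);
        }
    }
}
```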