[jira] [Updated] (DELTASPIKE-928) Allow to disable storeWindowTree() on ClientWindow mode

2015-07-21 Thread Thomas Andraschko (JIRA)
[ https://issues.apache.org/jira/browse/DELTASPIKE-928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Thomas Andraschko updated DELTASPIKE-928: - Fix Version/s: (was: 1.4.2) 1.4.3 > Allow to disable st

[jira] [Updated] (DELTASPIKE-963) Header injection due to unescaped key in JsfUtils

2015-07-21 Thread Gerhard Petracek (JIRA)
[ https://issues.apache.org/jira/browse/DELTASPIKE-963?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gerhard Petracek updated DELTASPIKE-963: Assignee: Thomas Andraschko > Header injection due to unescaped key in JsfUtils

[jira] [Updated] (DELTASPIKE-960) WindowIdHtmlRenderer needs to use maxWindowIdCount for window-id cookies

2015-07-21 Thread Gerhard Petracek (JIRA)
[ https://issues.apache.org/jira/browse/DELTASPIKE-960?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gerhard Petracek updated DELTASPIKE-960: Reporter: Ortwin Escher (was: Gerhard Petracek) > WindowIdHtmlRenderer needs to

Re: Header injection due to unescaped key in JsfUtils

2015-07-21 Thread Gerhard Petracek
hi ortwin, thx - we will fix this issue asap and release a new version. it would be really great if you could check similar/related parts within the next ~two weeks. -> with v1.4.3 we could ship all those (related) fixes. regards, gerhard 2015-07-21 10:05 GMT+02:00 Ortwin Escher : > I've crea

Re: Header injection due to unescaped key in JsfUtils

2015-07-21 Thread Ortwin Escher
I've created DELTASPIKE-963. Regards Ortwin Escher Fachreferent, Fahrzeug IT, VC-M1 IAV GmbH Rockwellstrasse 16 38518 GIFHORN GERMANY Internet: http://www.iav.com Sitz/Registered Office: Berlin, Registergericht/Registration Court: Amtsgericht Charlottenburg, Registernummer/Company Registra

[jira] [Created] (DELTASPIKE-963) Header injection due to unescaped key in JsfUtils

2015-07-21 Thread Ortwin Escher (JIRA)
Ortwin Escher created DELTASPIKE-963: Summary: Header injection due to unescaped key in JsfUtils Key: DELTASPIKE-963 URL: https://issues.apache.org/jira/browse/DELTASPIKE-963 Project: DeltaSpike

Re: Header injection due to unescaped key in JsfUtils

2015-07-21 Thread Thomas Andraschko
Hi, please create an issue. 2015-07-21 9:13 GMT+02:00 Ortwin Escher : > Hello, > > As wished to the developers list: > > The JsfUtils used in DeltaSpike URLEncode the values but not the keys. > This allows header injection (see > https://www.owasp.org/index.php/HTTP_Response_Splitting for more in

Header injection due to unescaped key in JsfUtils

2015-07-21 Thread Ortwin Escher
Hello, As wished to the developers list: The JsfUtils used in DeltaSpike URLEncode the values but not the keys. This allows header injection (see https://www.owasp.org/index.php/HTTP_Response_Splitting for more info on this attack type). As an example if I open a page without window ID and th