[jira] [Created] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

2011-11-22 Thread Created
includeViewParameters re-evaluates param/model values as EL expressions --- Key: MYFACES-3405 URL: https://issues.apache.org/jira/browse/MYFACES-3405 Project: MyFaces Core

JSF value expression injection vulnerability

2011-11-22 Thread Jakob Korherr
Hi all, As it turns out we have a pretty big security hole in JSF 2.x (MyFaces and Mojarra). Please check out my blog entry for further info: http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/ @leo: can you take care of the bug? Regards, Jakob -- Jakob Korherr

[jira] [Created] (TOBAGO-1052) Sheet: Selection of a single row doesn't work correctly, when the action is in the row

2011-11-22 Thread Udo Schnurpfeil (Created) (JIRA)
Sheet: Selection of a single row doesn't work correctly, when the action is in the row -- Key: TOBAGO-1052 URL: https://issues.apache.org/jira/browse/TOBAGO-1052

[jira] [Updated] (TRINIDAD-2169) add framebusting support to handle clickjacking attacks

2011-11-22 Thread Gabrielle Crawford (Updated) (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gabrielle Crawford updated TRINIDAD-2169: - Status: Patch Available (was: Open) add framebusting support to handle

[jira] [Updated] (TRINIDAD-2169) add framebusting support to handle clickjacking attacks

2011-11-22 Thread Gabrielle Crawford (Updated) (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gabrielle Crawford updated TRINIDAD-2169: - Status: Patch Available (was: Open) add framebusting support to handle

[jira] [Updated] (TRINIDAD-2169) add framebusting support to handle clickjacking attacks

2011-11-22 Thread Gabrielle Crawford (Updated) (JIRA)
[ https://issues.apache.org/jira/browse/TRINIDAD-2169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Gabrielle Crawford updated TRINIDAD-2169: - Status: Open (was: Patch Available) add framebusting support to handle

Re: [Trinidad] add framebusting support, param default not backward compatible.

2011-11-22 Thread Gabrielle Crawford
I have attached a patch with the proposed fix to the issue. On 11/21/2011 5:18 PM, Gabrielle Crawford wrote: Hi all, I am proposing to implement frame busting in Trinidad to prevent clickjacking attacks, the details are here: https://issues.apache.org/jira/browse/TRINIDAD-2169 This includes

[jira] [Updated] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

2011-11-22 Thread Leonardo Uribe (Updated) (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Leonardo Uribe updated MYFACES-3405: Status: Patch Available (was: Open) includeViewParameters re-evaluates param/model

[jira] [Commented] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

2011-11-22 Thread Leonardo Uribe (Commented) (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155471#comment-13155471 ] Leonardo Uribe commented on MYFACES-3405: - Attached patch that fixes the issue.

[jira] [Commented] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

2011-11-22 Thread Jakob Korherr (Commented) (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155485#comment-13155485 ] Jakob Korherr commented on MYFACES-3405: The patch looks good, +1 on committing.

[jira] [Commented] (PORTLETBRIDGE-221) Add explicit exclusions for trinidad in 329 branch

2011-11-22 Thread Michael Freedman (Commented) (JIRA)
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155497#comment-13155497 ] Michael Freedman commented on PORTLETBRIDGE-221: Fixed in 2.0 Trunk

[jira] [Commented] (PORTLETBRIDGE-219) NonFaces in protocol resource request fails after and action

2011-11-22 Thread Michael Freedman (Commented) (JIRA)
[ https://issues.apache.org/jira/browse/PORTLETBRIDGE-219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155498#comment-13155498 ] Michael Freedman commented on PORTLETBRIDGE-219: Fixed in the 2.0

[jira] [Commented] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

2011-11-22 Thread Leonardo Uribe (Commented) (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155517#comment-13155517 ] Leonardo Uribe commented on MYFACES-3405: - I tried it and the patch is ok.

[jira] [Updated] (MYFACES-3405) includeViewParameters re-evaluates param/model values as EL expressions

2011-11-22 Thread Leonardo Uribe (Updated) (JIRA)
[ https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Leonardo Uribe updated MYFACES-3405: Resolution: Fixed Fix Version/s: 2.1.5 2.0.11

[VOTE] release of myfaces core 2.0.11

2011-11-22 Thread Leonardo Uribe
Hi, I was running the needed tasks to get the 2.0.11 release of Apache MyFaces core out. The artifacts passed all TCK tests. Please note that this vote concerns all of the following parts: 1. Maven artifact group org.apache.myfaces.shared v4.0.11 [1] 2. Maven artifact group

Re: [VOTE] release of myfaces core 2.0.11

2011-11-22 Thread Leonardo Uribe
+1 2011/11/23 Leonardo Uribe lu4...@gmail.com: Hi, I was running the needed tasks to get the 2.0.11 release of Apache MyFaces core out. The artifacts passed all TCK tests. Please note that this vote concerns all of the following parts:  1. Maven artifact group org.apache.myfaces.shared

[VOTE] release of myfaces core 2.1.5

2011-11-22 Thread Leonardo Uribe
Hi, I was running the needed tasks to get the 2.1.5 release of Apache MyFaces core out. The artifacts passed all TCK tests. Please note that this vote concerns all of the following parts: 1. Maven artifact group org.apache.myfaces.shared v4.1.3 [1] 2. Maven artifact group

Re: [VOTE] release of myfaces core 2.1.5

2011-11-22 Thread Leonardo Uribe
+1 2011/11/23 Leonardo Uribe lu4...@gmail.com: Hi, I was running the needed tasks to get the 2.1.5 release of Apache MyFaces core out. The artifacts passed all TCK tests. Please note that this vote concerns all of the following parts:  1. Maven artifact group org.apache.myfaces.shared