includeViewParameters re-evaluates param/model values as EL expressions
---
Key: MYFACES-3405
URL: https://issues.apache.org/jira/browse/MYFACES-3405
Project: MyFaces Core
Hi all,
As it turns out we have a pretty big security hole in JSF 2.x (MyFaces and
Mojarra).
Please check out my blog entry for further information:
http://www.jakobk.com/2011/11/jsf-value-expression-injection-vulnerability/
@leo: can you take care of the bug?
Regards,
Jakob
--
Jakob Korherr
Sheet: Selection of a single row doesn't work correctly, when the action is in
the row
--
Key: TOBAGO-1052
URL: https://issues.apache.org/jira/browse/TOBAGO-1052
[
https://issues.apache.org/jira/browse/TRINIDAD-2169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gabrielle Crawford updated TRINIDAD-2169:
Status: Patch Available (was: Open)
add framebusting support to handle
[
https://issues.apache.org/jira/browse/TRINIDAD-2169?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Gabrielle Crawford updated TRINIDAD-2169:
Status: Open (was: Patch Available)
add framebusting support to handle
I have attached a patch with the proposed fix to the issue.
On 11/21/2011 5:18 PM, Gabrielle Crawford wrote:
Hi all,
I am proposing to implement frame busting in Trinidad to prevent clickjacking
attacks; the details are here:
https://issues.apache.org/jira/browse/TRINIDAD-2169
This includes
[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leonardo Uribe updated MYFACES-3405:
Status: Patch Available (was: Open)
includeViewParameters re-evaluates param/model
[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155471#comment-13155471
]
Leonardo Uribe commented on MYFACES-3405:
Attached patch that fixes the issue.
[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155485#comment-13155485
]
Jakob Korherr commented on MYFACES-3405:
The patch looks good, +1 on committing.
[
https://issues.apache.org/jira/browse/PORTLETBRIDGE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155497#comment-13155497
]
Michael Freedman commented on PORTLETBRIDGE-221:
Fixed in 2.0 Trunk
[
https://issues.apache.org/jira/browse/PORTLETBRIDGE-219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155498#comment-13155498
]
Michael Freedman commented on PORTLETBRIDGE-219:
Fixed in the 2.0
[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13155517#comment-13155517
]
Leonardo Uribe commented on MYFACES-3405:
I tried it and the patch is ok.
[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leonardo Uribe updated MYFACES-3405:
Resolution: Fixed
Fix Version/s: 2.1.5
2.0.11
Hi,
I was running the needed tasks to get the 2.0.11 release of Apache
MyFaces core out.
The artifacts passed all TCK tests.
Please note that this vote concerns all of the following parts:
1. Maven artifact group org.apache.myfaces.shared v4.0.11 [1]
2. Maven artifact group
+1
2011/11/23 Leonardo Uribe lu4...@gmail.com:
Hi,
I was running the needed tasks to get the 2.0.11 release of Apache
MyFaces core out.
The artifacts passed all TCK tests.
Please note that this vote concerns all of the following parts:
1. Maven artifact group org.apache.myfaces.shared
Hi,
I was running the needed tasks to get the 2.1.5 release of Apache
MyFaces core out.
The artifacts passed all TCK tests.
Please note that this vote concerns all of the following parts:
1. Maven artifact group org.apache.myfaces.shared v4.1.3 [1]
2. Maven artifact group
+1
2011/11/23 Leonardo Uribe lu4...@gmail.com:
Hi,
I was running the needed tasks to get the 2.1.5 release of Apache
MyFaces core out.
The artifacts passed all TCK tests.
Please note that this vote concerns all of the following parts:
1. Maven artifact group org.apache.myfaces.shared