[
https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12467393
]
David Chandler commented on MYFACES-1467:
-
Has the spec already been amended to address this issue
[
https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Chandler updated MYFACES-1467:
Status: Patch Available (was: Reopened)
Validation doesn't run for required fields
[
https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464501
]
David Chandler commented on MYFACES-1467:
-
Jeff, Cristi, you're absolutely right. There is no conflict
[
https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Chandler updated MYFACES-1467:
Status: Open (was: Patch Available)
Validation doesn't run for required fields
[
https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
David Chandler updated MYFACES-1467:
Status: Patch Available (was: Open)
Validation doesn't run for required fields
[
https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464106
]
David Chandler commented on MYFACES-1467:
-
Cristi,
Good catch. Just to clarify, you're saying what's
Don't forget that returning view IDs in outcomes will
break tool support such as the visual page flow designer in Exadel
Studio. Even without tools, I find it extremely helpful as a developer
to be able to look in one place to see how the application flows. The proposed capability would make that
[
http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12443261
]
David Chandler commented on MYFACES-1467:
-
I suspect there are still other issues here, but to get the immediate security
problem resolved, I
[
http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12443147
]
David Chandler commented on MYFACES-1467:
-
Alas, I am in anguish, Adam. I do not see how the proposed patch violates the
spec.
If a submitted value
[
http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12442593
]
David Chandler commented on MYFACES-1467:
-
Thanks everyone for your contributions.
If I may summarize Craig's comments, skipping validation for a null
[
http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12442354
]
David Chandler commented on MYFACES-1467:
-
Thanks for thinking this over, Cagatay and Matthias.
The more I think about this, the less I think it's
Type: Bug
Components: General
Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
Reporter: David Chandler
A component with a required value will not fail validation as expected if the
submitted value is null. This issue is not seen normally because browsers send
[ http://issues.apache.org/jira/browse/MYFACES-1467?page=all ]
David Chandler updated MYFACES-1467:
Status: Patch Available (was: Open)
Validation doesn't run for required fields if submitted value is null
[
http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12442266
]
David Chandler commented on MYFACES-1467:
-
Agreed in part. It's actually a bug in the spec due to these conflicting
requirements:
Section 3.5.4
against the OWASP Top Ten attacks (especially forced browsing prevention and parameter tampering / information hiding in menu options). Is anyone interested in meeting to discuss JSF security at ApacheConUS?
David Chandler
Java Web Developer