Hi
The param was introduced because according to the spec, / is not
allowed in libraryName. Enable it does not cause any problem. No need
to worry about it.
regards,
Leonardo Uribe
2012/6/12 Mike Kienenberger mkien...@gmail.com:
See issue https://issues.apache.org/jira/browse/MYFACES-3454
And What about the mentioned security hole? This applied for older versions
of myfaces?
El 13/06/2012 02:41, Leonardo Uribe lu4...@gmail.com escribió:
Hi
The param was introduced because according to the spec, / is not
allowed in libraryName. Enable it does not cause any problem. No need
to
Hi
Older versions of MyFaces (Core 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5)
has the problem. Update to 2.1.6/2.0.12 or upper version fixes the
problem. See CVE-2011-4367 for details.
regards,
Leonardo Uribe
2012/6/13 José Luis Cetina maxtorz...@gmail.com:
And What about the mentioned security
Ok, thanks
2012/6/13 Leonardo Uribe lu4...@gmail.com
Hi
Older versions of MyFaces (Core 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5)
has the problem. Update to 2.1.6/2.0.12 or upper version fixes the
problem. See CVE-2011-4367 for details.
regards,
Leonardo Uribe
2012/6/13 José Luis Cetina
My mistake. I misread the updated code. Even though . and / are
allowed, the security bug is fixed since the combinations of ..,
../ and /.. are still disallowed.
Sorry for the false alarm -- I should have tested it myself first,
which I just did with 2.1.7.
On Tue, Jun 12, 2012 at 4:20 PM,
If i use
outputStylesheet library=css name=my.css (in my h:head tag) works ok
with this structure folder
resources/
css/
my.css
But if i create an other folder into css this stop to work
resources/
css/
test/
my.css
outputStylesheet library=css/test name=my.css (in my h:head tag) this
doesnt
Hi,
don't know exactly anymore but could you try:
outputStylesheet library=css name=test/my.css ?
Regards,
Thomas
2012/6/12 José Luis Cetina maxtorz...@gmail.com
If i use
outputStylesheet library=css name=my.css (in my h:head tag) works ok
with this structure folder
resources/
css/
Hi,
it is not possible to use / in library name. Try
1) outputStylesheet library=css name=test/my.css
2) or set context param
org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
to
true
José Luis Cetina píše v Út 12. 06. 2012 v 15:00 -0500:
If i use
outputStylesheet
See issue https://issues.apache.org/jira/browse/MYFACES-3454
It's not a good idea to change the behavior back. It introduces a
security hole.
http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3c4f33ed1f.4070...@apache.org%3E
On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
9 matches
Mail list logo
