Hi

Older versions of MyFaces (Core 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5) have the problem. Updating to 2.1.6/2.0.12 or a later version fixes the problem. See CVE-2011-4367 for details.

regards,

Leonardo Uribe

2012/6/13 José Luis Cetina <maxtorz...@gmail.com>:
> And what about the mentioned security hole? Does this apply to older versions
> of myfaces?
> On 13/06/2012 02:41, "Leonardo Uribe" <lu4...@gmail.com> wrote:
>
>> Hi
>>
>> The param was introduced because according to the spec, "/" is not
>> allowed in libraryName. Enabling it does not cause any problem. No need
>> to worry about it.
>>
>> regards,
>>
>> Leonardo Uribe
>>
>> 2012/6/12 Mike Kienenberger <mkien...@gmail.com>:
>> > See issue https://issues.apache.org/jira/browse/MYFACES-3454
>> >
>> > It's not a good idea to change the behavior back. It introduces a
>> > security hole.
>> >
>> > http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3c4f33ed1f.4070...@apache.org%3E
>> >
>> > On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
>> > <martin.kocicak.k...@gmail.com> wrote:
>> >> Hi,
>> >>
>> >> it is not possible to use / in library name. Try
>> >>
>> >> 1) outputStylesheet library="css" name="test/my.css"
>> >>
>> >> 2) or set context param
>> >>
>> >> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>> >>
>> >> to
>> >>
>> >> true
>> >>
>> >> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
>> >>> If I use
>> >>> outputStylesheet library="css" name="my.css" (in my h:head tag) works ok
>> >>> with this structure folder
>> >>> resources/
>> >>>   css/
>> >>>     my.css
>> >>>
>> >>> But if I create another folder inside css this stops working
>> >>> resources/
>> >>>   css/
>> >>>     test/
>> >>>       my.css
>> >>>
>> >>> outputStylesheet library="css/test" name="my.css" (in my h:head tag) this
>> >>> doesn't work in myfaces 2.1.7 but in mojarra 2.1.7 yes.
>> >>>
>> >>> Is this a bug??
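Added example, not part of the thread and not MyFaces' own code: a simplified Java model of the strict libraryName rule discussed above, run against the two library/name pairs from the thread plus two constructed ones. The class and method names are hypothetical, `allowSlash` stands in for `org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME`, and the rejection of backslashes and dot segments is an assumption about what such a check should also cover.

```java
import java.util.List;

public class LibraryNameCheck {

    // Hypothetical helper modelling the strict rule from the thread: a
    // libraryName is a single path segment unless allowSlash is true
    // (standing in for STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME=true).
    static boolean isValidLibraryName(String library, boolean allowSlash) {
        if (library == null || library.isEmpty()) {
            return false;
        }
        if (library.contains("\\") || library.startsWith("/") || library.endsWith("/")) {
            return false;
        }
        for (String segment : library.split("/", -1)) {
            // Assumption: empty, "." and ".." segments are never acceptable,
            // whether or not slashes are allowed.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return allowSlash || !library.contains("/");
    }

    // Resource names may contain sub-folders (option 1 in the thread),
    // but are held to the same segment rules.
    static boolean isValidResourceName(String name) {
        return isValidLibraryName(name, true);
    }

    public static void main(String[] args) {
        // (library, name) pairs: the first two are from the thread,
        // the last two are constructed for this example.
        List<String[]> cases = List.of(
            new String[] {"css/test", "my.css"},
            new String[] {"css", "test/my.css"},
            new String[] {"css/..", "my.css"},
            new String[] {"css", "../my.css"});
        for (String[] c : cases) {
            boolean strict = isValidLibraryName(c[0], false) && isValidResourceName(c[1]);
            boolean relaxed = isValidLibraryName(c[0], true) && isValidResourceName(c[1]);
            System.out.printf("library=%-9s name=%-12s strict=%-5b allowSlash=%b%n",
                    c[0], c[1], strict, relaxed);
        }
    }
}
```

In this model `library="css"` with `name="test/my.css"` passes under the strict default, so the sub-folder layout works without relaxing the context param.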