Ok, thanks 2012/6/13 Leonardo Uribe <lu4...@gmail.com>
> Hi > > Older versions of MyFaces (Core 2.0.1 to 2.0.11 and 2.1.0 to 2.1.5) > has the problem. Update to 2.1.6/2.0.12 or upper version fixes the > problem. See CVE-2011-4367 for details. > > regards, > > Leonardo Uribe > > 2012/6/13 José Luis Cetina <maxtorz...@gmail.com>: > > And What about the mentioned security hole? This applied for older > versions > > of myfaces? > > El 13/06/2012 02:41, "Leonardo Uribe" <lu4...@gmail.com> escribió: > > > >> Hi > >> > >> The param was introduced because according to the spec, "/" is not > >> allowed in libraryName. Enable it does not cause any problem. No need > >> to worry about it. > >> > >> regards, > >> > >> Leonardo Uribe > >> > >> 2012/6/12 Mike Kienenberger <mkien...@gmail.com>: > >> > See issue https://issues.apache.org/jira/browse/MYFACES-3454 > >> > > >> > It's not a good idea to change the behavior back. It introduces a > >> > security hole. > >> > > >> > > >> > http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3c4f33ed1f.4070...@apache.org%3E > >> > > >> > > >> > On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci > >> > <martin.kocicak.k...@gmail.com> wrote: > >> >> Hi, > >> >> > >> >> it is not possible to use / in library name. Try > >> >> > >> >> 1) outputStylesheet library="css" name="test/my.css" > >> >> > >> >> 2) or set context param > >> >> > >> >> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME > >> >> > >> >> to > >> >> > >> >> true > >> >> > >> >> > >> >> > >> >> > >> >> José Luis Cetina píše v Út 12. 06. 2012 v 15:00 -0500: > >> >>> If i use > >> >>> outputStylesheet library="css" name="my.css" (in my h:head tag) > works > >> ok > >> >>> with this structure folder > >> >>> resources/ > >> >>> css/ > >> >>> my.css > >> >>> > >> >>> > >> >>> But if i create an other folder into css this stop to work > >> >>> resources/ > >> >>> css/ > >> >>> test/ > >> >>> my.css > >> >>> > >> >>> outputStylesheet library="css/test" name="my.css" (in my h:head > tag) > >> this > >> >>> doesnt work in myfaces 2.1.7 but in mojarra 2.1.7 yes. > >> >>> > >> >>> Is this a bug?? > >> >> > >> >> > >> > -- ------------------------------------------------------------------- *SCJA. José Luis Cetina* -------------------------------------------------------------------
