My mistake.  I misread the updated code.   Even though "." and "/" are
allowed, the security bug is fixed since the combinations of "..",
"../" and "/.." are still disallowed.

Sorry for the false alarm -- I should have tested it myself first,
which I just did with 2.1.7.

On Tue, Jun 12, 2012 at 4:20 PM, Mike Kienenberger <mkien...@gmail.com> wrote:
> See issue https://issues.apache.org/jira/browse/MYFACES-3454
>
> It's not a good idea to change the behavior back.   It introduces a
> security hole.
>
> http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%3c4f33ed1f.4070...@apache.org%3E
>
>
> On Tue, Jun 12, 2012 at 4:06 PM, Martin Koci
> <martin.kocicak.k...@gmail.com> wrote:
>> Hi,
>>
>> It is not possible to use / in a library name. Try
>>
>> 1) outputStylesheet library="css" name="test/my.css"
>>
>> 2) or set context param
>>
>> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>>
>> to
>>
>> true
>>
>>
>>
>>
>> José Luis Cetina wrote on Tue 12. 06. 2012 at 15:00 -0500:
>>> If I use
>>> outputStylesheet library="css" name="my.css"  (in my h:head tag) works ok
>>> with this structure folder
>>> resources/
>>> css/
>>> my.css
>>>
>>>
>>> But if I create another folder inside css, this stops working
>>> resources/
>>> css/
>>> test/
>>> my.css
>>>
>>> outputStylesheet library="css/test" name="my.css"  (in my h:head tag) this
>>> doesn't work in MyFaces 2.1.7 but in Mojarra 2.1.7 yes.
>>>
>>> Is this a bug??
>>
>>
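
As an added illustration of the rule described at the top of this thread (not MyFaces code and not written by any participant): a library-name check that permits "." and "/" but rejects any ".." path segment, with a containment check as a second layer. The class name, method name, the `/resources` root and the sample inputs are assumptions constructed for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class LibraryNameCheck {

    // Hypothetical resource root, constructed for this example.
    private static final Path ROOT = Paths.get("/resources").normalize();

    // Hypothetical helper: returns true only if the library name stays
    // inside ROOT. "." and "/" are allowed; ".." segments are not.
    static boolean isSafeLibraryName(String libraryName) {
        if (libraryName == null || libraryName.isEmpty()) {
            return false;
        }
        // Extra strictness assumed for this example (not stated in the
        // thread): no absolute names, backslashes or NUL bytes.
        if (libraryName.startsWith("/")
                || libraryName.indexOf('\\') >= 0
                || libraryName.indexOf('\0') >= 0) {
            return false;
        }
        // Layer 1: reject "..", "../" and "/.." by checking each segment.
        // A name such as "my..lib" has no ".." segment and is accepted.
        for (String segment : libraryName.split("/", -1)) {
            if (segment.equals("..")) {
                return false;
            }
        }
        // Layer 2: resolve and normalize, then confirm the result is
        // still strictly below the resource root.
        Path resolved = ROOT.resolve(libraryName).normalize();
        return resolved.startsWith(ROOT) && !resolved.equals(ROOT);
    }

    public static void main(String[] args) {
        // Constructed sample inputs.
        String[] samples = {
            "css", "css/test", "lib.v1/theme", "my..lib",
            "..", "../WEB-INF", "css/..", "css/../../WEB-INF", "/etc"
        };
        for (String s : samples) {
            System.out.printf("%-20s -> %s%n", s,
                    isSafeLibraryName(s) ? "accepted" : "rejected");
        }
    }
}
```

The first four samples are accepted and the remaining five are rejected.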
