incubator-adffaces-dev mailing list archives

From "Adam Winer" <awi...@gmail.com>
Subject Re: security issue w/ UIXEditableValue ?
Date Mon, 16 Oct 2006 04:51:30 GMT
I've commented on the original MYFACES issue;  the bug is not in UIInput
(or UIXEditableValue).  It's in renderer implementations that don't handle
a null request parameter value correctly.

-- Adam


On 10/15/06, Matthias Wessendorf <matzew@apache.org> wrote:
>
> for the required case I agree
>
> general no. we (jsf) should not invent the wheel of validation at all.
> it is pretty much common so that it should be handled in 303.
>
> I agree that some *cross value* validations can be handy. sometimes yeah,
> sometimes no. a framework (see sf.net) on top of faces is maybe fine for
> that.
>
> what's in swing for the case "if field xyz is not submitted handle me
> like..." ?
> or is it only in 296 ?
>
> -M
>
> On 10/14/06, Martin Marinschek <martin.marinschek@gmail.com> wrote:
> > Hi *;
> >
> > I've added a comment to
> >
> > http://issues.apache.org/jira/browse/MYFACES-1467
> >
> > essentially saying that the null-value should never make a component
> > skip validation. What do you think about that?
> >
> > regards,
> >
> > Martin
> >
> > On 10/14/06, Matthias Wessendorf <matzew@apache.org> wrote:
> > > hey
> > >
> > > I created ADFFACES-238 to keep track of it and we should have issues
> > > in jira for almost all commits.
> > >
> > > Since you agreed to this issue, I commit the change to the template
> > > tomorrow or so
> > >
> > > On 10/13/06, Arjuna Wijeyekoon <arjuna@gmail.com> wrote:
> > > > I think you're right.
> > > > I could have sworn that we were special-casing the required-validator; I
> > > > even looked at the code in the old
> > > > corporate repository, but this bug exists there.
> > > > --arjuna
> > > >
> > > >
> > > > On 10/13/06, Matthias Wessendorf <matzew@apache.org> wrote:
> > > > >
> > > > > Hi
> > > > >
> > > > > please take a look at MYFACES-1467 which is also true for
> > > > > UIXEditableValue.java's validate() method.
> > > > >
> > > > > But the spec javadoc for validate() says:
> > > > > Retrieve the submitted value with getSubmittedValue(). If this returns
> > > > > null, exit without further processing. (This indicates that no value
> > > > > was submitted for this component.)
> > > > >
> > > > > the patch is basically doing this instead:
> > > > >
> > > > > Object submittedValue = getSubmittedValue();
> > > > > if (submittedValue == null  && !this.isRequired()) return;
> > > > >
> > > > > (it adds the  && !this.isRequired())
> > > > >
> > > > >
> > > > > Why?
> > > > > See the descr. for the issue, since a man-in-the-middle tool can do
> > > > > some funny things. I saw David's demo this afternoon in ApacheCon
> > > > > Hackathon.
> > > > >
> > > > > I think the javadoc for jsf 1.1 and 1.2 should be changed...
> > > > >
> > > > > What do you think?
> > > > >
> > > > > -Matt
> > > > > --
> > > > > Matthias Wessendorf
> > > > > http://tinyurl.com/fmywh
> > > > >
> > > > > further stuff:
> > > > > blog: http://jroller.com/page/mwessendorf
> > > > > mail: mwessendorf-at-gmail-dot-com
> > > > >
> > > >
> > > >
> > >
> > >
> > > --
> > > Matthias Wessendorf
> > > http://tinyurl.com/fmywh
> > >
> > > further stuff:
> > > blog: http://jroller.com/page/mwessendorf
> > > mail: mwessendorf-at-gmail-dot-com
> > >
> >
> >
> > --
> >
> > http://www.irian.at
> >
> > Your JSF powerhouse -
> > JSF Consulting, Development and
> > Courses in English and German
> >
> > Professional Support for Apache MyFaces
> >
>
>
> --
> Matthias Wessendorf
> http://tinyurl.com/fmywh
>
> further stuff:
> blog: http://jroller.com/page/mwessendorf
> mail: mwessendorf-at-gmail-dot-com
>
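
The behaviour discussed in this thread, as an added example that is not part of any message and is not MyFaces or ADF Faces code: a minimal Java model comparing the javadoc's null early-exit with the `&& !this.isRequired()` guard when a required field's parameter is absent from the request. The class, the method names (`decode`, `validateAsSpecified`, `validateWithGuard`), the `form:email` id and the assumption that decode passes a missing parameter through as null are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of an editable component; hypothetical names, not framework source.
public class NullSubmittedValueDemo {

    static class Field {
        final String clientId;
        final boolean required;
        Object submittedValue;
        boolean valid = true;

        Field(String clientId, boolean required) {
            this.clientId = clientId;
            this.required = required;
        }

        // Assumption: decode hands a missing request parameter through as null.
        void decode(Map<String, String> params) {
            submittedValue = params.get(clientId);
        }

        // validate() as the quoted javadoc describes it: null means nothing was submitted, so exit.
        void validateAsSpecified() {
            valid = true;
            if (submittedValue == null) return;
            if (required && submittedValue.toString().isEmpty()) valid = false;
        }

        // validate() with the guard quoted in the thread: a required field does not exit on null.
        void validateWithGuard() {
            valid = true;
            if (submittedValue == null && !required) return;
            if (required && (submittedValue == null || submittedValue.toString().isEmpty())) valid = false;
        }
    }

    public static void main(String[] args) {
        Map<String, String> blank = new HashMap<>();    // constructed request: field left empty
        blank.put("form:email", "");
        Map<String, String> omitted = new HashMap<>();  // constructed request: parameter absent

        Field f = new Field("form:email", true);
        f.decode(blank);   f.validateAsSpecified();
        System.out.println("blank,   as specified: valid=" + f.valid);
        f.decode(omitted); f.validateAsSpecified();
        System.out.println("omitted, as specified: valid=" + f.valid);
        f.decode(omitted); f.validateWithGuard();
        System.out.println("omitted, with guard:   valid=" + f.valid);
    }
}
```

The model covers only the component-side check; the renderer-side handling that Adam Winer refers to is not shown because the thread does not spell it out.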
