[
https://issues.apache.org/jira/browse/MYFACES-3405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Leonardo Uribe updated MYFACES-3405:
------------------------------------
Resolution: Fixed
Fix Version/s: 2.1.5
2.0.11
Assignee: Leonardo Uribe
Status: Resolved (was: Patch Available)
Committed on 2.0.x branch and trunk. Thanks for the example.
> includeViewParameters re-evaluates param/model values as EL expressions
> -----------------------------------------------------------------------
>
> Key: MYFACES-3405
> URL: https://issues.apache.org/jira/browse/MYFACES-3405
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 2.1.3
> Environment: MyFaces 2.1.3
> Reporter: Frederick Kämpfer
> Assignee: Leonardo Uribe
> Fix For: 2.0.11, 2.1.5
>
> Attachments: MYFACES-3405-1.patch
>
>
> I just wanted to make you aware of the following security issue in
> conjunction with the includeViewParameters navigation parameter. It seems it
> is also reproducible with MyFaces:
> http://java.net/jira/browse/JAVASERVERFACES-2247
> I'm not sure which workaround would be best in accordance with the Spec, but
> at least a quick fix might be worth considering to improve the security of
> the default behavior.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
