Repository: deltaspike Updated Branches: refs/heads/master 167b7bcf2 -> 5ce25042d
DELTASPIKE-752 additional check to avoid issues with custom client-window implementation Project: http://git-wip-us.apache.org/repos/asf/deltaspike/repo Commit: http://git-wip-us.apache.org/repos/asf/deltaspike/commit/5ce25042 Tree: http://git-wip-us.apache.org/repos/asf/deltaspike/tree/5ce25042 Diff: http://git-wip-us.apache.org/repos/asf/deltaspike/diff/5ce25042 Branch: refs/heads/master Commit: 5ce25042de5cfa3089b60df66ff08390deb2b785 Parents: 167b7bc Author: gpetracek <[email protected]> Authored: Sat Oct 25 21:43:32 2014 +0200 Committer: gpetracek <[email protected]> Committed: Sat Oct 25 21:43:32 2014 +0200 ---------------------------------------------------------------------- .../jsf/impl/component/window/WindowIdHtmlRenderer.java | 10 ++++++++++ .../jsf/impl/scope/window/DefaultClientWindow.java | 6 +++--- 2 files changed, 13 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/deltaspike/blob/5ce25042/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
index cab4d26..e995ff8 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/component/window/WindowIdHtmlRenderer.java 
@@ -30,6 +30,7 @@ import javax.servlet.http.Cookie;
 import org.apache.deltaspike.core.api.provider.BeanProvider;
 import org.apache.deltaspike.core.spi.scope.window.WindowContext;
+import org.apache.deltaspike.jsf.impl.scope.window.DefaultClientWindow;
 import org.apache.deltaspike.jsf.impl.util.ClientWindowHelper;
 import org.apache.deltaspike.jsf.spi.scope.window.ClientWindowConfig;
@@ -56,6 +57,15 @@ public class WindowIdHtmlRenderer extends Renderer
 super.encodeBegin(context, component);
 String windowId = getWindowContext().getCurrentWindowId();
+
+ //already ensured by DefaultClientWindow
+ //just to ensure that we don't get a security issue in case of a customized client-window implementation
+ //will never happen usually -> no real overhead
+ if (windowId != null && windowId.length() > DefaultClientWindow.SECURE_ID_LENGTH)
+ {
+ windowId = windowId.substring(0, DefaultClientWindow.SECURE_ID_LENGTH);
+ }
+
 String mode = getClientWindowConfig().getClientWindowRenderMode(context).name();
 ResponseWriter writer = context.getResponseWriter();
http://git-wip-us.apache.org/repos/asf/deltaspike/blob/5ce25042/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
----------------------------------------------------------------------
diff --git a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
index 9d0bc8c..2767b69 100644
--- a/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java
+++ b/deltaspike/modules/jsf/impl/src/main/java/org/apache/deltaspike/jsf/impl/scope/window/DefaultClientWindow.java 
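Review bot: The guard added to encodeBegin bounds only the length of windowId, not its character set, so a customized ClientWindow can still hand back up to SECURE_ID_LENGTH arbitrary characters that are emitted into the page later in this method; whether that is harmless depends on how the id is written (writeAttribute escapes, write does not), and that code lies outside the hunk. Because the default generator produces an integer (per the comment on SECURE_ID_LENGTH in DefaultClientWindow), a stricter defense-in-depth check would be to reject or normalize anything non-numeric, e.g. `if (windowId != null && !windowId.matches("[0-9]{1," + DefaultClientWindow.SECURE_ID_LENGTH + "}"))` with the same fallback as today, provided generateNewWindowId cannot yield a sign or other characters. The three comment lines explain motivation but not the contract; a single `// defense in depth: never emit more than SECURE_ID_LENGTH chars of a (possibly custom-supplied) window id into the markup` would read clearer. encodeBegin starts before and ends after the hunk.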
@@ -69,6 +69,9 @@ public class DefaultClientWindow implements ClientWindow
 */
 public static final String DELTASPIKE_WINDOW_ID_URL_PARAM = "dswid";
+ /*enough for the integer generated by #generateNewWindowId - see DELTASPIKE-752 */
+ public static final int SECURE_ID_LENGTH = 10;
+
 private static final String PER_USE_CLIENT_WINDOW_URL_QUERY_PARAMETER_DISABLED_KEY = ClientWindow.class.getName() + ".ClientWindowRenderModeEnablement";
@@ -96,9 +99,6 @@ public class DefaultClientWindow implements ClientWindow
 private static final String CACHE_QUERY_URL_PARAMETERS = "CACHE:" + DefaultClientWindow.class + "#getQueryURLParameters";
- /*enough for the integer generated by #generateNewWindowId - see DELTASPIKE-752 */
- private static final int SECURE_ID_LENGTH = 10;
-
 @Inject private ClientWindowConfig clientWindowConfig;
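Review bot: SECURE_ID_LENGTH becomes public in the first hunk and is now relied on from another package (WindowIdHtmlRenderer), yet it keeps a plain block comment instead of the Javadoc that its neighbour DELTASPIKE_WINDOW_ID_URL_PARAM has; suggest `/** Maximum number of characters of a window id that may be rendered into the page; see DELTASPIKE-752. */`. The stated rationale ("enough for the integer generated by #generateNewWindowId") holds for a non-negative int, whose decimal form is at most 10 digits, but a negative value would need 11 characters with its sign and would then be silently truncated by the renderer; generateNewWindowId is outside the hunk, so confirm it cannot produce one or document that it must not.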
