[ http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12443147 ]

David Chandler commented on MYFACES-1467:
-----------------------------------------

Alas, I am in anguish, Adam. I do not see how the proposed patch violates the spec. If a submitted value is null and the field is required, the patched line will not return immediately as before, but it will proceed to validateValue(), which does indeed return for empty (null or zero-length) values without calling a validator. Perhaps the validateValue() method would be better named callValidatorIfNotEmpty(), because that's what it actually does.

Further, the CURRENT code does NOT meet spec section 3.5.4 for the case I have demonstrated. I don't know how the TCK works, but I highly doubt it's simulating a MITM tool to test compliance with section 3.5.4. From a security point of view, the MITM case is really the only one that matters. I'm in banking, and we do this kind of penetration testing routinely, so it is important to me that MyFaces is 100% secure against MITM attacks. I have thus far been very pleased with MyFaces, as this is the only vulnerability of its kind (parameter tampering) which I have found in the code to date, and I am doing my best to help maintain its quality.

Thank you,
/dmc

> Validation doesn't run for required fields if submitted value is null
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-1467
>                 URL: http://issues.apache.org/jira/browse/MYFACES-1467
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
>            Reporter: David Chandler
>         Assigned To: Matthias Weßendorf
>         Attachments: patch.txt
>
>
> A component with a required value will not fail validation as expected if the
> submitted value is null. This issue is not seen normally because browsers
> send the value for an empty text field as an empty string. That is, the POST
> data for an empty field1 will contain the field name but no value, like
> field1=&field2=something.
>
> However, if you use a man-in-the-middle proxy such as Paros to remove
> "fieldname=" from the POST data, the submitted value will be null.
> UIInput.validate() skips validation for null submitted values, but since
> requiredness is also part of validation, the requiredness check gets
> skipped, too.

--
This message is automatically generated by JIRA.
- If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa
- For more information on JIRA, see: http://www.atlassian.com/software/jira
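The flow the comment and the issue describe, reduced to a small self-contained Java model. This is an added illustration, not MyFaces source: the class RequiredInput, its methods validateBefore(), validateAfter() and validateValue(), and the Validator interface are hypothetical stand-ins for the component's validate()/validateValue() pair, written so the two request shapes from the report (an empty "field1=" from a browser, and a request with the parameter absent, so the submitted value is null) can be fed through both the early-return flow and the patched flow and compared.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Illustrative model of the behaviour discussed in MYFACES-1467.
 * Not MyFaces code: names below are hypothetical stand-ins.
 */
public class RequiredCheckDemo {

    /** Minimal stand-in for a validator registered on the component. */
    interface Validator {
        void validate(String value) throws ValidationException;
    }

    static class ValidationException extends Exception {
        ValidationException(String msg) { super(msg); }
    }

    /** Hypothetical input component with a "required" flag and a validator list. */
    static class RequiredInput {
        final boolean required;
        final List<Validator> validators = new ArrayList<>();
        final List<String> messages = new ArrayList<>();
        boolean valid = true;

        RequiredInput(boolean required) { this.required = required; }

        /** Pre-patch flow: a null submitted value returns before any check runs. */
        void validateBefore(String submittedValue) {
            if (submittedValue == null) {
                return;            // requiredness check is never reached
            }
            validateValue(submittedValue);
        }

        /** Patched flow: no early return; validateValue() decides what to do with emptiness. */
        void validateAfter(String submittedValue) {
            validateValue(submittedValue);
        }

        /** Requiredness is checked first; validators run only for non-empty values. */
        void validateValue(String value) {
            boolean empty = (value == null || value.length() == 0);
            if (required && empty) {
                valid = false;
                messages.add("value is required");
                return;
            }
            if (empty) {
                return;            // nothing to hand to a validator
            }
            for (Validator v : validators) {
                try {
                    v.validate(value);
                } catch (ValidationException e) {
                    valid = false;
                    messages.add(e.getMessage());
                }
            }
        }
    }

    public static void main(String[] args) {
        // Case 1 (constructed): ordinary browser submit of an empty field, "field1=".
        RequiredInput browser = new RequiredInput(true);
        browser.validateBefore("");
        System.out.println("browser submit, pre-patch flow:   valid=" + browser.valid
                + " " + browser.messages);

        // Case 2 (constructed): the parameter is absent from the POST body,
        // so the servlet layer hands the component a null submitted value.
        RequiredInput absentParam = new RequiredInput(true);
        absentParam.validateBefore(null);
        System.out.println("absent parameter, pre-patch flow: valid=" + absentParam.valid
                + " " + absentParam.messages);

        RequiredInput absentParamFixed = new RequiredInput(true);
        absentParamFixed.validateAfter(null);
        System.out.println("absent parameter, patched flow:   valid=" + absentParamFixed.valid
                + " " + absentParamFixed.messages);
    }
}
```

Running main() shows the asymmetry the report is about: the pre-patch flow rejects the empty-string submit but silently accepts the null one, while the patched flow rejects both, and in neither flow is a Validator invoked for an empty value, which is the point the comment makes about validateValue(). A regression test for this class of bug therefore has to build the request with the parameter missing, not merely empty; a test driven only through a browser form never produces the null case.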
