[ http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12442354 ] David Chandler commented on MYFACES-1467: -----------------------------------------
Thanks for thinking this over, Cagatay and Matthias. The more I think about this, the less I think it's a spec issue, after all. In the case of the MITM exploit, neither MyFaces nor RI currently meet the requirement of section 3.5.4 of the spec, which states "If the value of this property [required] is true and the component has no value, the component is marked invalid and a message is added..." Section 3.5.5 immediately following begins with the caveat "Unless otherwise specified...." Well, section 3.5.4 does in fact "otherwise specify." Given the proximity of these sections, I find it likely that 3.5.4 is exactly what 3.5.5 has in mind, so there is no problem with the spec at all. Even if the sections were in conflict, I would think it a much more serious problem to ignore the required attribute than to call validation with a null value. One is an optimization, the other a security flaw. The code in UIInput.validateValue() method does exactly what 3.5.4 and 3.5.5 say it should do, but the patched line of code as it currently exists defeats the good code in validateValue() by not calling it for a null submitted value, even if the field is required. The patch simply ensures that the already-correct validateValue() method will run if the component is required. So, I go back to my position that the code in question is a security bug and also not compliant with the spec for this case. If we apply the patch, the only time users would ever see a difference between the RI and MyFaces is when using an MITM proxy. And of course, I'll be submitting this to RI, as well. > Validation doesn't run for required fields if submitted value is null > --------------------------------------------------------------------- > > Key: MYFACES-1467 > URL: http://issues.apache.org/jira/browse/MYFACES-1467 > Project: MyFaces Core > Issue Type: Bug > Components: General > Affects Versions: 1.2.0-SNAPSHOT, 1.1.5-SNAPSHOT > Reporter: David Chandler > Assigned To: Matthias Weßendorf > Attachments: patch.txt > > > A component with a required value will not fail validation as expected if the > submitted value is null. This issue is not seen normally because browsers > send the value for an empty text field as an empty string. That is, the POST > data for an empty field1 will contain the field name but no value, like > field1=&field2=something. However, if you use a man-in-the-middle proxy such > as Paros to remove "fieldname=" from the POST data, the submitted value will > be null. UIInput.validate() skips validation for null submitted values, but > since requiredness is also part of validation, the requiredness check gets > skipped, too. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira
