[ https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12467393 ]
David Chandler commented on MYFACES-1467:
-----------------------------------------

Has the spec already been amended to address this issue? Section 3.5.5 on validator implementation now reads:

    "Unless otherwise specified, components with a null local value cause the validation checking by this Validator to be skipped. If a component should be required to have a non-null value, a component attribute with the name required and the value true must be added to the component in order to enforce this rule."

I don't remember the second sentence being there before. At any rate, I agree that the spec doesn't resolve the conflict between required=true and disabled/readonly=true in the case of null values.

The root issue appears to be that the spec overloads the meaning of a null submitted value. At validation time, there is currently no way to distinguish between a null value from the user and a null value because the component is readonly or disabled. Besides causing the issue at hand, it masks a parameter tampering attack (changing the value of a readonly or disabled component), which is also of security interest. So the spec needs to:

1. Discontinue overloading the meaning of a null submitted value (perhaps by the introduction of new properties to UIInput), and
2. Explicitly address the conflict between required and readonly / disabled for null values.

Are we agreed on this? Are there other proposals? In the meantime, can we leave the issue open until the spec issue is resolved? JSF security issues need to be addressed, and if users begin to depend on insecure behavior (as they have been), it will only be that much harder to fix later.
> Validation doesn't run for required fields if submitted value is null
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-1467
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1467
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
>            Reporter: David Chandler
>         Assigned To: Matthias Weßendorf
>             Fix For: 1.1.5-SNAPSHOT
>
>         Attachments: patch.txt, patch2.txt
>
>
> A component with a required value will not fail validation as expected if the
> submitted value is null. This issue is not seen normally because browsers
> send the value for an empty text field as an empty string. That is, the POST
> data for an empty field1 will contain the field name but no value, like
> field1=&field2=something. However, if you use a man-in-the-middle proxy such
> as Paros to remove "fieldname=" from the POST data, the submitted value will
> be null. UIInput.validate() skips validation for null submitted values, but
> since requiredness is also part of validation, the requiredness check gets
> skipped, too.

--
This message is automatically generated by JIRA.
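The null-overloading problem raised in the comment above and in the quoted issue report, as an added example that is not MyFaces or JSF code: a small stand-in for UIInput whose decode phase records whether the request parameter was present at all, separately from the submitted value. With that extra state, a required check on an editable field no longer silently skips a stripped parameter, and a parameter that arrives for a readonly or disabled component can be surfaced for logging instead of vanishing. The class, field and enum names (Input, parameterPresent, Outcome) are hypothetical, and the POST data in main is constructed to match the report.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not MyFaces/JSF code: a simplified UIInput-like component
 * that records parameter presence separately from the submitted value, so a
 * null submitted value is no longer overloaded. All names are hypothetical.
 */
public class RequiredNullDemo {

    enum Outcome { VALID, REQUIRED_VIOLATION, SKIPPED_NOT_EDITABLE, MISSING_PARAMETER, UNEXPECTED_PARAMETER }

    static final class Input {
        final String clientId;
        final boolean required;
        final boolean disabled;
        final boolean readonly;
        final String localValue;    // value the server rendered to the client
        String submittedValue;      // stays null when the component is not decoded
        boolean parameterPresent;   // hypothetical extra state: was the key in the POST data at all?

        Input(String clientId, boolean required, boolean disabled, boolean readonly, String localValue) {
            this.clientId = clientId;
            this.required = required;
            this.disabled = disabled;
            this.readonly = readonly;
            this.localValue = localValue;
        }

        boolean isEditable() { return !disabled && !readonly; }
    }

    /** Decode phase: note presence of the key, and only accept a value for an editable component. */
    static void decode(Input in, Map<String, String> postData) {
        in.parameterPresent = postData.containsKey(in.clientId);
        in.submittedValue = in.isEditable() ? postData.get(in.clientId) : null;
    }

    /** Behaviour described in the issue: a null submitted value skips validation, required check included. */
    static Outcome validateAsReported(Input in) {
        if (in.submittedValue == null) {
            // reached both for non-decoded components and for a parameter stripped from the request
            return Outcome.SKIPPED_NOT_EDITABLE;
        }
        if (in.required && in.submittedValue.isEmpty()) {
            return Outcome.REQUIRED_VIOLATION;
        }
        return Outcome.VALID;
    }

    /** Hardened variant: the presence flag tells the two kinds of null apart. */
    static Outcome validateHardened(Input in) {
        if (!in.isEditable()) {
            // The component was never decoded, so its value cannot change; but a parameter
            // that arrives anyway with a different value is worth logging as tampering evidence.
            String sent = in.parameterPresent ? null : "";
            if (in.parameterPresent) {
                sent = null; // value intentionally not applied; only compared for detection
            }
            return (in.parameterPresent && !java.util.Objects.equals(in.localValue, sent) && in.disabled)
                    ? Outcome.UNEXPECTED_PARAMETER
                    : Outcome.SKIPPED_NOT_EDITABLE;
        }
        if (!in.parameterPresent) {
            // The key itself is missing: a browser always sends it for a text field, so this
            // is a stripped parameter, and a required field must still fail validation.
            return in.required ? Outcome.REQUIRED_VIOLATION : Outcome.MISSING_PARAMETER;
        }
        if (in.required && in.submittedValue.isEmpty()) {
            return Outcome.REQUIRED_VIOLATION;
        }
        return Outcome.VALID;
    }

    public static void main(String[] args) {
        // Constructed POST data: "field1=" removed, as with the proxy in the report.
        Map<String, String> stripped = new HashMap<>();
        stripped.put("field2", "something");

        Input field1 = new Input("field1", true, false, false, null);
        decode(field1, stripped);
        System.out.println("field1 as reported: " + validateAsReported(field1));
        System.out.println("field1 hardened:    " + validateHardened(field1));

        // Constructed POST data: a parameter sent for a disabled component.
        Map<String, String> unexpected = new HashMap<>();
        unexpected.put("field3", "altered");
        Input field3 = new Input("field3", false, true, false, "fixed");
        decode(field3, unexpected);
        System.out.println("field3 hardened:    " + validateHardened(field3));
    }
}
```

For field1 the reported path returns SKIPPED_NOT_EDITABLE, which is the bug: the required field passes because its parameter was removed. The hardened path returns REQUIRED_VIOLATION, because the presence flag shows the key was absent from an editable field. For the disabled field3 the hardened path returns UNEXPECTED_PARAMETER without ever applying the sent value, which is the detection hook the comment describes as currently masked.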