[ https://issues.apache.org/jira/browse/TRINIDAD-1258?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12646767#action_12646767 ]
Yee-Wah Lee commented on TRINIDAD-1258:
---------------------------------------
Uploading patch for 1.1 and 1.2 trunks that:
- Verifies that the language and country arguments used in creating a Locale
object (constructor takes language, country, variant) are valid per Javadoc
standards before creating it. For variant, which is vendor-specific, it just
checks for slashes and rejects them due to XSS.
- Logs a warning if any of the arguments fail to pass, and uses default or empty
- Fixes NamedLocaleInfoScriptlet to work with the change. In the original
TRINIDAD-797 fix, it would add the argument in getLibraryURL but with the fix
added by TRINIDAD-879, there were two '?' delimiters in the request. The
skipTranslations argument was mangled with the locale argument so the code to
retrieve the Locale would fail (since the language code was > 2 characters) and
the requested locale was not loaded. The fix is to override addExtraParams()
and add the additional parameter correctly.
> GenericEntry allows invalid locale parameter - XSS vulnerability in
> LocaleInfoScriptlet
> ---------------------------------------------------------------------------------------
>
> Key: TRINIDAD-1258
> URL: https://issues.apache.org/jira/browse/TRINIDAD-1258
> Project: MyFaces Trinidad
> Issue Type: Bug
> Components: Components
> Affects Versions: 1.2.9-core
> Reporter: Yee-Wah Lee
> Assignee: Matthias Weßendorf
> Priority: Critical
> Attachments: trin11_1258.diff, trin12_1258.diff
>
>
> 1. Run the inputDate demo
> http://www.irian.at/trinidad-demo/faces/components/inputDate.jspx
> 2. Open the inputDate popup and copy its URL using right click/Properties
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en&enc=utf-8
> 3. Modify the URL to replace the loc parameter value with
> <script>alert(document.cookie)</script>
> http://www.irian.at/trinidad-demo/faces/__ADFv__?_t=fred&_red=cd&value=1224025200000&loc=en%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&enc=utf-8
> 4. Load the modified URL in the browser - an alert popup appears.
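
The validation described in the comment above, as an added Java example that is not taken from trin11_1258.diff, trin12_1258.diff or the Trinidad code base. The class and method names are hypothetical, and it assumes that "valid" means exactly two ASCII letters for language and country and that both '/' and '\' count as slashes in the variant.

```java
import java.util.Locale;
import java.util.logging.Logger;

public class SafeLocaleDemo {
    private static final Logger LOG = Logger.getLogger(SafeLocaleDemo.class.getName());

    // Assumption: "valid" means exactly two ASCII letters, the ISO 639 / ISO 3166
    // two-letter forms described in the java.util.Locale Javadoc.
    static boolean isTwoLetterCode(String s) {
        if (s == null || s.length() != 2) return false;
        for (int i = 0; i < 2; i++) {
            char c = s.charAt(i);
            boolean letter = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            if (!letter) return false;
        }
        return true;
    }

    // Builds a Locale from request-supplied parts. A bad language falls back to
    // the default locale; a bad country or variant is replaced by "".
    static Locale safeLocale(String language, String country, String variant, Locale dflt) {
        if (!isTwoLetterCode(language)) {
            // Log the length only, so the untrusted value never reaches the log.
            int len = (language == null) ? 0 : language.length();
            LOG.warning("Rejected language code (length " + len + "); using default locale");
            return dflt;
        }
        String c = (country == null) ? "" : country;
        if (!c.isEmpty() && !isTwoLetterCode(c)) {
            LOG.warning("Rejected country code; using empty country");
            c = "";
        }
        String v = (variant == null) ? "" : variant;
        // Variant is vendor-specific, so only slashes are rejected here
        // (assumption: both '/' and '\\').
        if (v.indexOf('/') >= 0 || v.indexOf('\\') >= 0) {
            LOG.warning("Rejected variant containing a slash; using empty variant");
            v = "";
        }
        return new Locale(language, c, v);
    }

    public static void main(String[] args) {
        // Constructed inputs; the second is the tampered loc value from the report.
        System.out.println(safeLocale("en", "US", "", Locale.ENGLISH));
        System.out.println(safeLocale("en<script>alert(document.cookie)</script>", "", "", Locale.ENGLISH));
        System.out.println(safeLocale("fr", "CA", "a/b", Locale.ENGLISH));
    }
}
```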