Leonardo, I'm guessing this commit is the only documentation we have for org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME.
Shouldn't there be a warning in the documentation that re-enabling slash can expose you to a security hole? Looking at the code, "." is still allowed, so allowing "/" puts the user back in the same situation. http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%[email protected]%3E On Tue, Jan 31, 2012 at 11:36 AM, <[email protected]> wrote: > Author: lu4242 > Date: Tue Jan 31 16:36:49 2012 > New Revision: 1238687 > > URL: http://svn.apache.org/viewvc?rev=1238687&view=rev > Log: > small fix over checkstyle > > Modified: > > myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java > > Modified: > myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java > URL: > http://svn.apache.org/viewvc/myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java?rev=1238687&r1=1238686&r2=1238687&view=diff > ============================================================================== > --- > myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java > (original) > +++ > myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java > Tue Jan 31 16:36:49 2012 
> @@ -72,8 +72,10 @@ public class ResourceHandlerImpl extends > /** > * Allow slash in the library name of a Resource. > */ > - @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false", > expectedValues="true, false", group="resources") > - public static final String > INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME = > "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME"; > + @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false", > + expectedValues="true, false", group="resources") > + public static final String > INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME = > + "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME"; > public static final boolean > INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME_DEFAULT = false; > > private Boolean _allowSlashLibraryName; > @@ -100,7 +102,8 @@ public class ResourceHandlerImpl extends > { > return null; > } > - if (libraryName != null && > !ResourceValidationUtils.isValidLibraryName(libraryName, > isAllowSlashesLibraryName())) > + if (libraryName != null && > !ResourceValidationUtils.isValidLibraryName( > + libraryName, isAllowSlashesLibraryName())) > { > return null; > } > @@ -337,7 +340,8 @@ public class ResourceHandlerImpl extends > String libraryName = facesContext.getExternalContext() > .getRequestParameterMap().get("ln"); > > - if (libraryName != null && > !ResourceValidationUtils.isValidLibraryName(libraryName, > isAllowSlashesLibraryName())) > + if (libraryName != null && > !ResourceValidationUtils.isValidLibraryName( > + libraryName, isAllowSlashesLibraryName())) > { > > httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND); > return; 
> @@ -559,7 +563,8 @@ public class ResourceHandlerImpl extends > > String pathToLib = null; > > - if (libraryName != null && > !ResourceValidationUtils.isValidLibraryName(libraryName, > isAllowSlashesLibraryName())) > + if (libraryName != null && > !ResourceValidationUtils.isValidLibraryName( > + libraryName, isAllowSlashesLibraryName())) > { > return false; > } > >
