Hi, the param does not cause any problem. The problem is that the spec explicitly states which characters are allowed in a library name, and "/" is not one of them. So, to be strict with the spec, the param was added.
regards, Leonardo 2012/6/12 Mike Kienenberger <[email protected]>: > Leonardo, > > I'm guessing this commit is the only documentation we have on > org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME > > Shouldn't there be a warning in the documentation that re-enabling > slash can expose you to a security hole? > > Looking at the code, "." is still allowed, so allowing "/" puts the > user back in the same situation. > > http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%[email protected]%3E > > On Tue, Jan 31, 2012 at 11:36 AM, <[email protected]> wrote: >> Author: lu4242 >> Date: Tue Jan 31 16:36:49 2012 >> New Revision: 1238687 >> >> URL: http://svn.apache.org/viewvc?rev=1238687&view=rev >> Log: >> small fix over checkstyle >> >> Modified: >> >> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java >> >> Modified: >> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java >> URL: >> http://svn.apache.org/viewvc/myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java?rev=1238687&r1=1238686&r2=1238687&view=diff >> ============================================================================== >> --- >> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java >> (original) >> +++ >> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java >> Tue Jan 31 16:36:49 2012 
>> @@ -72,8 +72,10 @@ public class ResourceHandlerImpl extends >> /** >> * Allow slash in the library name of a Resource. >> */ >> - @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false", >> expectedValues="true, false", group="resources") >> - public static final String >> INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME = >> "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME"; >> + @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false", >> + expectedValues="true, false", group="resources") >> + public static final String >> INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME = >> + "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME"; >> public static final boolean >> INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME_DEFAULT = false; >> >> private Boolean _allowSlashLibraryName; >> @@ -100,7 +102,8 @@ public class ResourceHandlerImpl extends >> { >> return null; >> } >> - if (libraryName != null && >> !ResourceValidationUtils.isValidLibraryName(libraryName, >> isAllowSlashesLibraryName())) >> + if (libraryName != null && >> !ResourceValidationUtils.isValidLibraryName( >> + libraryName, isAllowSlashesLibraryName())) >> { >> return null; >> } >> @@ -337,7 +340,8 @@ public class ResourceHandlerImpl extends >> String libraryName = facesContext.getExternalContext() >> .getRequestParameterMap().get("ln"); >> >> - if (libraryName != null && >> !ResourceValidationUtils.isValidLibraryName(libraryName, >> isAllowSlashesLibraryName())) >> + if (libraryName != null && >> !ResourceValidationUtils.isValidLibraryName( >> + libraryName, isAllowSlashesLibraryName())) >> { >> >> httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND); >> return; 
>> @@ -559,7 +563,8 @@ public class ResourceHandlerImpl extends >> >> String pathToLib = null; >> >> - if (libraryName != null && >> !ResourceValidationUtils.isValidLibraryName(libraryName, >> isAllowSlashesLibraryName())) >> + if (libraryName != null && >> !ResourceValidationUtils.isValidLibraryName( >> + libraryName, isAllowSlashesLibraryName())) >> { >> return false; >> } >> >>
