Yes, sorry about that.  I should have actually tested the problem
instead of misreading the code.

I posted a retraction on the user list.

I also removed both my incorrect comment in the JIRA issue and your
correction of my incorrect comment, to avoid confusing the issue
there for future viewers of the issue.

On Wed, Jun 13, 2012 at 3:39 AM, Leonardo Uribe <[email protected]> wrote:
> Hi
>
> The param does not cause any problem. The problem is the spec says in
> an explicit way which characters are allowed for library name, and "/"
> is not. So to be strict with the spec, the param was added.
>
> regards,
>
> Leonardo
>
> 2012/6/12 Mike Kienenberger <[email protected]>:
>> Leonardo,
>>
>> I'm guessing this commit is the only documentation we have on
>> org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME
>>
>> Shouldn't there be a warning in the documentation that re-enabling
>> slash can expose you to a security hole?
>>
>> Looking at the code, "." is still allowed, so allowing "/" puts the
>> user back in the same situation.
>>
>> http://mail-archives.apache.org/mod_mbox/www-announce/201202.mbox/%[email protected]%3E
>>
>> On Tue, Jan 31, 2012 at 11:36 AM,  <[email protected]> wrote:
>>> Author: lu4242
>>> Date: Tue Jan 31 16:36:49 2012
>>> New Revision: 1238687
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1238687&view=rev
>>> Log:
>>> small fix over checkstyle
>>>
>>> Modified:
>>>    
>>> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
>>>
>>> Modified: 
>>> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
>>> URL: 
>>> http://svn.apache.org/viewvc/myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java?rev=1238687&r1=1238686&r2=1238687&view=diff
>>> ==============================================================================
>>> --- 
>>> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
>>>  (original)
>>> +++ 
>>> myfaces/core/branches/2.0.x/impl/src/main/java/org/apache/myfaces/application/ResourceHandlerImpl.java
>>>  Tue Jan 31 16:36:49 2012
>>> @@ -72,8 +72,10 @@ public class ResourceHandlerImpl extends
>>>     /**
>>>      * Allow slash in the library name of a Resource.
>>>      */
>>> -    @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false", 
>>> expectedValues="true, false", group="resources")
>>> -    public static final String 
>>> INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME = 
>>> "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME";
>>> +    @JSFWebConfigParam(since="2.1.6, 2.0.12", defaultValue="false",
>>> +            expectedValues="true, false", group="resources")
>>> +    public static final String 
>>> INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME =
>>> +            "org.apache.myfaces.STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME";
>>>     public static final boolean 
>>> INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME_DEFAULT = false;
>>>
>>>     private Boolean _allowSlashLibraryName;
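Review bot: the Javadoc on INIT_PARAM_STRICT_JSF_2_ALLOW_SLASH_LIBRARY_NAME still reads only "Allow slash in the library name of a Resource.", and as Mike's question above notes, this constant is the only documentation the switch has; since the hunk already touches the annotation, it is the natural place to state why the default is false (the spec's explicit character list for library names excludes "/") and that the `@JSFWebConfigParam` metadata mirrors that. The reflow itself is whitespace-only and keeps `defaultValue="false"` and `expectedValues="true, false"` intact.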
>>> @@ -100,7 +102,8 @@ public class ResourceHandlerImpl extends
>>>         {
>>>             return null;
>>>         }
>>> -        if (libraryName != null && 
>>> !ResourceValidationUtils.isValidLibraryName(libraryName, 
>>> isAllowSlashesLibraryName()))
>>> +        if (libraryName != null && 
>>> !ResourceValidationUtils.isValidLibraryName(
>>> +                libraryName, isAllowSlashesLibraryName()))
>>>         {
>>>             return null;
>>>         }
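Review bot: the condition `libraryName != null && !ResourceValidationUtils.isValidLibraryName(libraryName, isAllowSlashesLibraryName())` that this hunk rewraps is repeated verbatim in the two hunks that follow; rather than rewrapping it three times for checkstyle, a private helper on ResourceHandlerImpl (a suggested name would be `isInvalidLibraryName(String)`) would keep the allow-slash flag consulted in one place and make any later change to the validation rule a single edit. Behaviour is unchanged here; the early `return null` is preserved.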
>>> @@ -337,7 +340,8 @@ public class ResourceHandlerImpl extends
>>>             String libraryName = facesContext.getExternalContext()
>>>                     .getRequestParameterMap().get("ln");
>>>
>>> -            if (libraryName != null && 
>>> !ResourceValidationUtils.isValidLibraryName(libraryName, 
>>> isAllowSlashesLibraryName()))
>>> +            if (libraryName != null && 
>>> !ResourceValidationUtils.isValidLibraryName(
>>> +                    libraryName, isAllowSlashesLibraryName()))
>>>             {
>>>                 
>>> httpServletResponse.setStatus(HttpServletResponse.SC_NOT_FOUND);
>>>                 return;
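Review bot: on this path the library name comes straight from the request parameter `ln`, and a rejected value falls through to `setStatus(HttpServletResponse.SC_NOT_FOUND)` and returns with nothing recorded; consider a debug-level log of the rejected name at that point so operators can see when the validation is actually exercised, which also makes questions like the one raised on the list about "/" and "." answerable from server logs instead of by reading the code. The wrap keeps the condition and the 404 response unchanged.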
>>> @@ -559,7 +563,8 @@ public class ResourceHandlerImpl extends
>>>
>>>         String pathToLib = null;
>>>
>>> -        if (libraryName != null && 
>>> !ResourceValidationUtils.isValidLibraryName(libraryName, 
>>> isAllowSlashesLibraryName()))
>>> +        if (libraryName != null && 
>>> !ResourceValidationUtils.isValidLibraryName(
>>> +                libraryName, isAllowSlashesLibraryName()))
>>>         {
>>>             return false;
>>>         }
>>>
>>>
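Review bot: this hunk, like the three before it, only rewraps the validation condition, so the whole revision is whitespace-only; the log message "small fix over checkstyle" should say which rule was being satisfied (line length, judging by the shape of the changes) so a reviewer can confirm there is no behavioural change without diffing by hand. The `return false` on an invalid library name is unchanged.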

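The thread above turns on a two-argument check, `isValidLibraryName(libraryName, allowSlash)`, whose rules are never shown. The following is an added example, not MyFaces's own `ResourceValidationUtils` code and not a quotation of the JSF spec: a hypothetical validator of the same shape that applies a character whitelist and widens it with "/" only when the switch is on. The permitted character set, the class name `LibraryNameCheck`, and the rejection of ".." and of leading or trailing "/" are assumptions made for illustration.

```java
import java.util.regex.Pattern;

// Added example, not MyFaces code. Illustrates a library-name whitelist with
// an allow-slash switch; the character sets below are assumptions, not the
// JSF spec's list or ResourceValidationUtils.isValidLibraryName's rules.
public final class LibraryNameCheck {

    // Assumed strict set: letters, digits, '-', '_' and '.'; no separators.
    private static final Pattern STRICT = Pattern.compile("[A-Za-z0-9_.\\-]+");

    // Assumed relaxed set used only when the allow-slash switch is on.
    private static final Pattern WITH_SLASH = Pattern.compile("[A-Za-z0-9_.\\-/]+");

    private LibraryNameCheck() {
    }

    /**
     * Returns true when libraryName is acceptable under the chosen policy.
     * A null or empty name is never valid, matching the guard-before-check
     * pattern used by the callers in the patch.
     */
    public static boolean isValidLibraryName(String libraryName, boolean allowSlash) {
        if (libraryName == null || libraryName.isEmpty()) {
            return false;
        }
        Pattern allowed = allowSlash ? WITH_SLASH : STRICT;
        if (!allowed.matcher(libraryName).matches()) {
            return false;
        }
        // Design choice of this example: even with '/' permitted, refuse
        // segments that could step outside the library root or that would
        // produce an empty path segment at either end.
        if (libraryName.contains("..")
                || libraryName.startsWith("/")
                || libraryName.endsWith("/")) {
            return false;
        }
        return true;
    }

    // Constructed sample names, exercised under both policies.
    public static void main(String[] args) {
        String[] samples = { "mylib", "my.lib", "css/theme", "../other", "/abs", "theme/", null };
        for (String name : samples) {
            System.out.printf("%-12s strict=%-5b allowSlash=%-5b%n",
                    name,
                    isValidLibraryName(name, false),
                    isValidLibraryName(name, true));
        }
    }
}
```

Run as `java LibraryNameCheck.java` on a JDK 11 or later. The strict column rejects every name containing "/", which is the behaviour the default of false selects in the patch; the allowSlash column accepts "css/theme" but still rejects the traversal-shaped and edge-slash samples, which is the kind of invariant a reviewer would want documented next to the switch itself.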