[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16698679#comment-16698679
 ] 

Thomas Andraschko commented on MYFACES-4266:
--------------------------------------------

Ok, the difference is really big for a simple case:



{code:java}
    @Test
    public void testPerf() throws IOException {
        // Warm-up pass (not timed)
        _contentCollector = new StringWriter();
        _writer = createTestProbe();
        for (int i = 0; i < 1000000; i++)
        {
            _writer.write("test");
        }

        // Timed pass: same workload on a fresh writer
        long start = System.currentTimeMillis();
        _contentCollector = new StringWriter();
        _writer = createTestProbe();
        for (int i = 0; i < 1000000; i++)
        {
            _writer.write("test");
        }
        long end = System.currentTimeMillis();
        // Report the elapsed time by failing the test with it as the message
        throw new RuntimeException((end - start) + "ms");
    }
{code}

It doesn't come from the "new String()", you can just comment it out.
If I remove the "cloneWithWriter", the performance is much better.

> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
>                 Key: MYFACES-4266
>                 URL: https://issues.apache.org/jira/browse/MYFACES-4266
>             Project: MyFaces Core
>          Issue Type: Bug
>    Affects Versions: 2.3.2
>         Environment: jetty 9.4.14.v20181114
> JDK 10
>            Reporter: cnsgithub
>            Priority: Major
>             Fix For: 2.0.25, 2.1.19, 2.2.13, 2.3.3, 3.0.0-SNAPSHOT
>
>
> I noticed that the {{<f:ajax />}} update fails when the updated form contains 
> unicode characters, which are not allowed in the [XML 1.0 
> spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they 
> should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails 
> to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: 
> [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
>  To reproduce:
>  - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
>  - {{git checkout myfaces}}
>  - run {{mvn clean package jetty:run}}
>  - after the server has started, open [http://localhost:8080/index.xhtml]
>  - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
>  - open [http://localhost:8080/input.xhtml]
>  - Paste the characters from the {{illegal-xml-chars.txt}} file into the 
> input field
>  - Click the button
> This issue should be addressed with high priority since it is security 
> related (might be exploited for Denial of Service).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
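
The filtering that the issue description asks for, as an added example that is not MyFaces code: a hypothetical `XmlCharFilterWriter` that drops every character outside the XML 1.0 `Char` production before it reaches the underlying writer, without copying buffers. The class name and the sample input are constructed for illustration.

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

// Hypothetical class for illustration; not part of MyFaces.
public class XmlCharFilterWriter extends FilterWriter {
    private char pendingHigh; // high surrogate awaiting its partner; 0 = none
    public XmlCharFilterWriter(Writer out) { super(out); }
    // XML 1.0 Char, BMP part: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD]
    static boolean isLegalBmp(char c) {
        return c == 0x9 || c == 0xA || c == 0xD
            || (c >= 0x20 && c <= 0xD7FF) || (c >= 0xE000 && c <= 0xFFFD);
    }
    @Override
    public void write(int c) throws IOException {
        char ch = (char) c;
        if (pendingHigh != 0) {
            char high = pendingHigh;
            pendingHigh = 0;
            if (Character.isLowSurrogate(ch)) { // valid pair = [#x10000-#x10FFFF]
                out.write(high);
                out.write(ch);
                return;
            }                                   // else: the lone high surrogate is dropped
        }
        if (Character.isHighSurrogate(ch)) {
            pendingHigh = ch;                   // decide once the next char arrives
        } else if (isLegalBmp(ch)) {            // unpaired low surrogates fail this check
            out.write(ch);
        }
    }
    @Override
    public void write(char[] buf, int off, int len) throws IOException {
        for (int i = off; i < off + len; i++) write(buf[i]);
    }
    @Override
    public void write(String s, int off, int len) throws IOException {
        for (int i = off; i < off + len; i++) write(s.charAt(i));
    }

    public static void main(String[] args) throws IOException {
        StringWriter sink = new StringWriter();
        Writer w = new XmlCharFilterWriter(sink);
        w.write("ok\u0000\u000B\uFFFE\uD83D"); // constructed sample; pair split across writes
        w.write("\uDE00\uD800!");
        System.out.println(sink.toString().equals("ok\uD83D\uDE00!"));
    }
}
```

Tracking the pending high surrogate across calls keeps a valid supplementary character intact when its two `char` halves arrive in separate `write` calls, while unpaired surrogates are still removed.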
