Field value from previous request is recycled when field is absent in new request
---------------------------------------------------------------------------------
Key: CXF-3390
URL: https://issues.apache.org/jira/browse/CXF-3390
Project: CXF
Issue Type: Bug
Components: JAX-RS
Affects Versions: 2.4
Reporter: Ben Noordhuis
Priority: Critical
This was tested against 2.3.1 and HEAD.
Consider this class:
{code}
@Path("/test")
public class Test {
    @QueryParam("q") private String q;

    @GET
    public void test() {
        System.err.println(q);
    }
}
{code}
Now consider this test case:
{noformat}
$ curl http://localhost:8080/test # prints "null"
$ curl http://localhost:8080/test?q=foo # prints "foo"
$ curl http://localhost:8080/test # prints "foo" !
{noformat}
This is a serious bug because it leaks information. It's not specific to
@QueryParam, the other annotations have the same problem.
I discovered it in a resource that is used for authentication: after logging in
once, I could log in again without providing a username and password!
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
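The following is an added illustration, not code from the report or from CXF itself. It places the field-injected shape from the report beside a hardened variant that binds the query parameters on the method signature, so an absent parameter is null for that request whatever the resource's lifecycle. The resource path, parameter names and the `checkCredentials` stand-in are all assumed for the example.

```java
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;

// Hypothetical authentication resource constructed to illustrate the report.
@Path("/login")
public class LoginResource {

    // Shape from the report: field injection. On a resource the runtime keeps
    // as a singleton, a runtime that does not reset the field when the
    // parameter is absent leaves the previous request's value in place, so a
    // later request with no credentials is handled as if it had supplied them.
    @QueryParam("user") private String staleUser;
    @QueryParam("password") private String stalePassword;

    @GET
    @Path("/field")
    public Response loginViaFields() {
        return authenticate(staleUser, stalePassword);
    }

    // Hardened shape: take the parameters on the method. JAX-RS binds method
    // parameters per invocation, so there is no field to carry state between
    // requests; a missing parameter is null for this request only.
    @GET
    @Path("/param")
    public Response loginViaParams(@QueryParam("user") String user,
                                   @QueryParam("password") String password) {
        return authenticate(user, password);
    }

    // Treat missing credentials as an explicit failure instead of trusting
    // whatever the injected value happens to be.
    static Response authenticate(String user, String password) {
        if (user == null || password == null) {
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return checkCredentials(user, password)
                ? Response.ok("welcome " + user).build()
                : Response.status(Response.Status.UNAUTHORIZED).build();
    }

    // Assumed stand-in for a real credential store lookup.
    static boolean checkCredentials(String user, String password) {
        return "alice".equals(user) && "s3cret".equals(password);
    }
}
```

With the method-parameter form, the sequence from the report (one request with credentials, then one without) yields 401 on the second call, because nothing survives between invocations. Credentials are shown on a GET query string only to mirror the report; in practice they belong in a POST body.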