[
https://issues.apache.org/jira/browse/CXF-3390?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Daniel Kulp updated CXF-3390:
-----------------------------
Fix Version/s: 2.4
> Field value from previous request is recycled when field is absent in new
> request
> ---------------------------------------------------------------------------------
>
> Key: CXF-3390
> URL: https://issues.apache.org/jira/browse/CXF-3390
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS
> Affects Versions: 2.4
> Reporter: Ben Noordhuis
> Assignee: Sergey Beryozkin
> Priority: Critical
> Fix For: 2.4
>
>
> This was tested against 2.3.1 and HEAD.
> Consider this class:
> {code}
> @Path("/test")
> public class Test {
> @QueryParam("q") private String q;
> @GET
> public void test() {
> System.err.println(q);
> }
> }
> {code}
> Now consider this test case:
> {noformat}
> $ curl http://localhost:8080/test # prints "null"
> $ curl http://localhost:8080/test?q=foo # prints "foo"
> $ curl http://localhost:8080/test # prints "foo" !
> {noformat}
> This is a serious bug because it leaks information. It's not specific to
> @QueryParam, the other annotations have the same problem.
> I discovered it in a resource that is used for authentication: after logging
> in once, I could log in again without providing a username and password!
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
