Colm O hEigeartaigh created CXF-7702:
----------------------------------------
Summary: Remove methods in QueryContext that don't use a custom bean class
Key: CXF-7702
URL: https://issues.apache.org/jira/browse/CXF-7702
Project: CXF
Issue Type: Improvement
Reporter: Colm O hEigeartaigh
Assignee: Colm O hEigeartaigh
Fix For: 3.2.5

The JAX-RS search QueryContext has some methods to return the converted search
expression that don't take a bean parameter. This means that it's possible to
inject parameters into the search query that are not defined as properties in
the bean class, leading to potential injection attacks. Instead, all methods
should require a bean, similar to the SearchContext.
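
The idea in the description, binding a search expression to a bean class so that only declared properties can reach the query, is shown below as an added example; it is a simplified model and not CXF code. The names `BeanBoundSearch`, `Book`, `toWhere` and the sample property `internalNotes` are hypothetical, and the grammar is reduced to AND-joined FIQL-style conditions.

```java
import java.beans.*;
import java.util.*;
import java.util.regex.*;

// Simplified model of bean-bound search conversion (illustration only, not CXF code).
public class BeanBoundSearch {
    // Hypothetical search bean: only these properties may appear in a query.
    public static class Book {
        private String title;
        private int year;
        public String getTitle() { return title; }
        public void setTitle(String t) { title = t; }
        public int getYear() { return year; }
        public void setYear(int y) { year = y; }
    }
    // One FIQL-style condition: property, operator (== != =gt= =lt=), value.
    private static final Pattern COND = Pattern.compile("(\\w+)(==|!=|=gt=|=lt=)([^;]*)");
    // Converts "a==x;b=gt=1" (AND only) into a parameterized WHERE clause and
    // rejects any property name that the bean class does not declare.
    public static String toWhere(String expr, Class<?> bean, List<String> params)
            throws IntrospectionException {
        Set<String> allowed = new HashSet<>();
        for (PropertyDescriptor pd : Introspector.getBeanInfo(bean, Object.class).getPropertyDescriptors()) {
            if (pd.getWriteMethod() != null) allowed.add(pd.getName());
        }
        List<String> parts = new ArrayList<>();
        for (String cond : expr.split(";")) {
            Matcher m = COND.matcher(cond);
            if (!m.matches()) throw new IllegalArgumentException("Malformed condition: " + cond);
            if (!allowed.contains(m.group(1)))
                throw new IllegalArgumentException("Not a property of " + bean.getSimpleName() + ": " + m.group(1));
            String op = m.group(2).equals("==") ? "=" : m.group(2).equals("!=") ? "<>"
                      : m.group(2).equals("=gt=") ? ">" : "<";
            parts.add(m.group(1) + " " + op + " ?"); // value is bound as a parameter, never concatenated
            params.add(m.group(3));
        }
        return String.join(" AND ", parts);
    }

    public static void main(String[] args) throws IntrospectionException {
        List<String> params = new ArrayList<>();
        System.out.println(toWhere("title==CXF;year=gt=2017", Book.class, params) + " " + params);
        try {
            toWhere("title==CXF;internalNotes==x", Book.class, new ArrayList<>()); // constructed input
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A converter with no bean class to check against has no such allowlist, so every property name in the expression passes straight into the generated query.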