[jira] [Commented] (DELTASPIKE-1071) URLs like ?&dswid=XYZ lead to window cloning

2016-02-07 Thread Sean Flanigan (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15136541#comment-15136541
 ] 

Sean Flanigan commented on DELTASPIKE-1071:
---

I tried changing AmpersandFilter to throw away everything after "{{&}}", and 
the cloning problem went away.

It turns out that the window cloning only happens if the filter somehow treats 
everything after "{{&}}" as being parameters, instead of after "{{?}}" the way 
it should be. The mismatch between client and server-side interpretations of 
the URL (eg by a misconfigured UrlRewriteFilter) is what triggers the problem, 
because the filter effectively causes the server to use a non-standard 
interpretation, whereas the client uses the standard interpretation.

So, if you're using something like Tuckey UrlRewriteFilter with DeltaSpike, be 
sure you don't accidentally interpret part of the URL *path* as *query* 
parameters (perhaps by putting them after "{{?}}" in your "to" replacement), or 
you could trigger window cloning.

(Personally, I'm hoping the OCPsoft URL-Rewriting Framework will be a safer 
option for my URL rewriting needs.)

If I could think of a succinct warning for the above, I might suggest a pull 
request for the documentation.


> URLs like ?&dswid=XYZ lead to window cloning
> 
>
> Key: DELTASPIKE-1071
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1071
> Project: DeltaSpike
>  Issue Type: Bug
>  Components: JSF-Module
>Affects Versions: 1.5.1, 1.5.2
>Reporter: Sean Flanigan
>Assignee: Thomas Andraschko
> Fix For: 1.5.3
>
> Attachments: AmpersandFilter.java
>
>
> Using default window mode on Chrome (equates to LAZY?), if a clickable URL 
> ends in {{?&dswid=XYZ}}, opening that link in a new tab clones the old tab's 
> {{window.name}} and {{dswid}}, instead of generating a new id.
> I had this (very confusing) problem in my application when a urlrewrite 
> outbound-rule accidentally used {{&dswid=XYZ}} instead of {{?dswid=XYZ}}, but 
> for simple applications it is easiest to reproduce like this:
> 1. visit a page URL which ends with {{?dswid=XYZ}}
> 2. use the javascript console to check {{window.name}}
> 3. edit the URL so that it ends with {{?&dswid=XYZ}}
> 4. paste the edited URL into a fresh browser tab (where {{window.name}} is 
> empty)
> 5. use the javascript console to check {{window.name}} for the new tab
> Both tabs have the same {{window.name}}, which leads to all window-based 
> scopes in the session being shared for future requests in the affected tabs.
> I haven't dug into the code too closely, but I suspect {{windowhandler.js}} 
> is setting {{window.name}} when it sees {{&dswid}} in the URL, instead of 
> triggering a lazy redirect as I think it should.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (DELTASPIKE-1071) URLs like ?&dswid=XYZ lead to window cloning

2016-02-07 Thread Sean Flanigan (JIRA)

[ 
https://issues.apache.org/jira/browse/DELTASPIKE-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15136536#comment-15136536
 ] 

Sean Flanigan commented on DELTASPIKE-1071:
---

Yes that should work.  See https://issues.apache.org/jira/browse/DELTASPIKE-1074



[jira] [Created] (DELTASPIKE-1074) Potential problem in setUrlParam() (windowhandler.js)

2016-02-07 Thread Sean Flanigan (JIRA)
Sean Flanigan created DELTASPIKE-1074:
-

 Summary: Potential problem in setUrlParam() (windowhandler.js)
 Key: DELTASPIKE-1074
 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1074
 Project: DeltaSpike
  Issue Type: Bug
  Components: JSF-Module
Affects Versions: 1.5.3
Reporter: Sean Flanigan


I noticed a potential problem with the URI manipulation while reviewing 
https://github.com/apache/deltaspike/commit/323c7d38e9d949385eb9d90c47e8971548ab5ed4
 :

> {{a.href = uri.replace('?&', '?').replace('&&', '&');}}

I think it's only safe to coalesce multiple '&'s in the query part (after '?'), 
not in the path part (before '?'). In the path part, '&'s are just characters, 
not parameter delimiters.

Also, it's possible that the URI could be like this:
  {{?&&&dswid=1234&&&}}
with more than two ampersands in a row, perhaps at the beginning of the query 
string.

(Attn: [~tandraschko])



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


Re: [VOTE] Release of Apache DeltaSpike 1.5.3

2016-02-07 Thread Cody Lerum
+1

On Fri, Feb 5, 2016 at 6:01 AM, Gerhard Petracek  wrote:
> Hi,
>
> I was running the needed tasks to get the 22nd release of Apache DeltaSpike
> out.
> The artifacts are deployed to Nexus [1] (and [2]).
>
> The tag is available at [3] and the release-branch at [4].
> They will get pushed to the ASF repository once the vote passed.
>
> Please take a look at the 1.5.3 artifacts and vote!
>
> Please note:
> This vote is "majority approval" with a minimum of three +1 votes (see [5]).
>
> 
> [ ] +1 for community members who have reviewed the bits
> [ ] +0
> [ ] -1 for fatal flaws that should cause these bits not to be released, and
> why..
> 
>
> Thanks,
> Gerhard
>
> [1]
> https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/
> [2]
> https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/org/apache/deltaspike/deltaspike/1.5.3/deltaspike-1.5.3-source-release.zip
> [3] https://github.com/os890/deltaspike-vote/tree/deltaspike-1.5.3
> [4] https://github.com/os890/deltaspike-vote/tree/ds-1.5.3
> [5] http://www.apache.org/foundation/voting.html#ReleaseVotes


Re: [VOTE] Release of Apache DeltaSpike 1.5.3

2016-02-07 Thread John D. Ament
+1

On Fri, Feb 5, 2016 at 8:01 AM Gerhard Petracek 
wrote:

> Hi,
>
> I was running the needed tasks to get the 22nd release of Apache DeltaSpike
> out.
> The artifacts are deployed to Nexus [1] (and [2]).
>
> The tag is available at [3] and the release-branch at [4].
> They will get pushed to the ASF repository once the vote passed.
>
> Please take a look at the 1.5.3 artifacts and vote!
>
> Please note:
> This vote is "majority approval" with a minimum of three +1 votes (see
> [5]).
>
> 
> [ ] +1 for community members who have reviewed the bits
> [ ] +0
> [ ] -1 for fatal flaws that should cause these bits not to be released, and
> why..
> 
>
> Thanks,
> Gerhard
>
> [1]
>
> https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/
> [2]
>
> https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/org/apache/deltaspike/deltaspike/1.5.3/deltaspike-1.5.3-source-release.zip
> [3] https://github.com/os890/deltaspike-vote/tree/deltaspike-1.5.3
> [4] https://github.com/os890/deltaspike-vote/tree/ds-1.5.3
> [5] http://www.apache.org/foundation/voting.html#ReleaseVotes
>


Re: [VOTE] Release of Apache DeltaSpike 1.5.3

2016-02-07 Thread Romain Manni-Bucau
+1
On 6 Feb 2016 16:36, "Christian Kaltepoth" wrote:

> +1
>
> 2016-02-06 16:19 GMT+01:00 Jason Porter :
>
> > +1
> >
> > On Saturday, February 6, 2016, Thomas Andraschko <
> > andraschko.tho...@gmail.com> wrote:
> >
> > > +1
> > >
> > > 2016-02-05 14:01 GMT+01:00 Gerhard Petracek:
> > >
> > > > Hi,
> > > >
> > > > I was running the needed tasks to get the 22nd release of Apache
> > > > DeltaSpike out.
> > > > The artifacts are deployed to Nexus [1] (and [2]).
> > > >
> > > > The tag is available at [3] and the release-branch at [4].
> > > > They will get pushed to the ASF repository once the vote passed.
> > > >
> > > > Please take a look at the 1.5.3 artifacts and vote!
> > > >
> > > > Please note:
> > > > This vote is "majority approval" with a minimum of three +1 votes
> > > > (see [5]).
> > > >
> > > > 
> > > > [ ] +1 for community members who have reviewed the bits
> > > > [ ] +0
> > > > [ ] -1 for fatal flaws that should cause these bits not to be
> > > > released, and why..
> > > > 
> > > >
> > > > Thanks,
> > > > Gerhard
> > > >
> > > > [1]
> > > > https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/
> > > > [2]
> > > > https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/org/apache/deltaspike/deltaspike/1.5.3/deltaspike-1.5.3-source-release.zip
> > > > [3] https://github.com/os890/deltaspike-vote/tree/deltaspike-1.5.3
> > > > [4] https://github.com/os890/deltaspike-vote/tree/ds-1.5.3
> > > > [5] http://www.apache.org/foundation/voting.html#ReleaseVotes
> > > >
> > >
> >
> >
> > --
> > Sent from Gmail Mobile
> >
>
>
>
> --
> Christian Kaltepoth
> Blog: http://blog.kaltepoth.de/
> Twitter: http://twitter.com/chkal
> GitHub: https://github.com/chkal
>