[jira] [Commented] (DELTASPIKE-1071) URLs like ?&dswid=XYZ lead to window cloning
[ https://issues.apache.org/jira/browse/DELTASPIKE-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15136541#comment-15136541 ]

Sean Flanigan commented on DELTASPIKE-1071:

I tried changing AmpersandFilter to throw away everything after "{{&}}", and the cloning problem went away. It turns out that the window cloning only happens if the filter somehow treats everything after "{{&}}" as being parameters, instead of after "{{?}}" the way it should be. The mismatch between client and server-side interpretations of the URL (e.g. by a misconfigured UrlRewriteFilter) is what triggers the problem, because the filter effectively causes the server to use a non-standard interpretation, whereas the client uses the standard interpretation.

So, if you're using something like Tuckey UrlRewriteFilter with DeltaSpike, be sure you don't accidentally interpret part of the URL *path* as *query* parameters (perhaps by putting them after "{{?}}" in your "to" replacement), or you could trigger window cloning. (Personally, I'm hoping the OCPsoft URL-Rewriting Framework will be a safer option for my URL rewriting needs.)

If I could think of a succinct warning for the above, I might suggest a pull request for the documentation.

> URLs like ?&dswid=XYZ lead to window cloning
>
> Key: DELTASPIKE-1071
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1071
> Project: DeltaSpike
> Issue Type: Bug
> Components: JSF-Module
> Affects Versions: 1.5.1, 1.5.2
> Reporter: Sean Flanigan
> Assignee: Thomas Andraschko
> Fix For: 1.5.3
> Attachments: AmpersandFilter.java
>
> Using default window mode on Chrome (equates to LAZY?), if a clickable URL ends in {{?&dswid=XYZ}}, opening that link in a new tab clones the old tab's {{window.name}} and {{dswid}}, instead of generating a new id.
>
> I had this (very confusing) problem in my application when a urlrewrite outbound-rule accidentally used {{&dswid=XYZ}} instead of {{?dswid=XYZ}}, but for simple applications it is easiest to reproduce like this:
>
> 1. visit a page URL which ends with {{?dswid=XYZ}}
> 2. use the javascript console to check {{window.name}}
> 3. edit the URL so that it ends with {{?&dswid=XYZ}}
> 4. paste the edited URL into a fresh browser tab (where {{window.name}} is empty)
> 5. use the javascript console to check {{window.name}} for the new tab
>
> Both tabs have the same {{window.name}}, which leads to all window-based scopes in the session being shared for future requests in the affected tabs.
>
> I haven't dug into the code too closely, but I suspect {{windowhandler.js}} is setting {{window.name}} when it sees {{&dswid}} in the URL, instead of triggering a lazy redirect as I think it should.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (DELTASPIKE-1071) URLs like ?&dswid=XYZ lead to window cloning
[ https://issues.apache.org/jira/browse/DELTASPIKE-1071?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15136536#comment-15136536 ]

Sean Flanigan commented on DELTASPIKE-1071:

Yes that should work. See https://issues.apache.org/jira/browse/DELTASPIKE-1074
[jira] [Created] (DELTASPIKE-1074) Potential problem in setUrlParam() (windowhandler.js)
Sean Flanigan created DELTASPIKE-1074:

Summary: Potential problem in setUrlParam() (windowhandler.js)
Key: DELTASPIKE-1074
URL: https://issues.apache.org/jira/browse/DELTASPIKE-1074
Project: DeltaSpike
Issue Type: Bug
Components: JSF-Module
Affects Versions: 1.5.3
Reporter: Sean Flanigan

I noticed a potential problem with the URI manipulation while reviewing https://github.com/apache/deltaspike/commit/323c7d38e9d949385eb9d90c47e8971548ab5ed4 :

> {{a.href = uri.replace('?&', '?').replace('&&', '&');}}

I think it's only safe to coalesce multiple '&'s in the query part (after '?'), not in the path part (before '?'). In the path part, '&'s are just characters, not parameter delimiters.

Also, it's possible that the URI could be like this: {{?&&&dswid=1234&&&}} with more than two ampersands in a row, perhaps at the beginning of the query string.

(Attn: [~tandraschko])
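
The concern raised in DELTASPIKE-1074, as an added example that is not part of the original message or of DeltaSpike's code: a hypothetical `normalizeQueryAmpersands` helper drops empty parameters only inside the query component and is compared with the quoted replace chain. The function names and the sample URIs are constructed for illustration.

```javascript
// Added example: hypothetical helper, not DeltaSpike's windowhandler.js.
// Collapse empty query parameters ("?&", "&&", trailing "&") in the query
// component only; '&' in the path or fragment is ordinary data.
function normalizeQueryAmpersands(uri) {
  // Split off the fragment first: everything from the first '#'.
  const hashAt = uri.indexOf('#');
  const fragment = hashAt === -1 ? '' : uri.slice(hashAt);
  const beforeFragment = hashAt === -1 ? uri : uri.slice(0, hashAt);

  // The query starts at the first '?' before the fragment.
  const queryAt = beforeFragment.indexOf('?');
  if (queryAt === -1) {
    return uri; // no query component, nothing to normalize
  }
  const path = beforeFragment.slice(0, queryAt);
  const query = beforeFragment.slice(queryAt + 1);

  // Drop empty segments produced by leading, trailing or repeated '&'.
  const params = query.split('&').filter((segment) => segment.length > 0);
  const rebuilt = params.length > 0 ? '?' + params.join('&') : '';
  return path + rebuilt + fragment;
}

// The replace chain quoted in DELTASPIKE-1074, wrapped for comparison.
// String.prototype.replace with a string pattern changes only the first match.
function quotedReplaceChain(uri) {
  return uri.replace('?&', '?').replace('&&', '&');
}

// Constructed sample URIs (not taken from the issue).
const samples = [
  '/app/page.xhtml?&dswid=1234',
  '/app/page.xhtml?&&&dswid=1234&&&',
  '/app/R&&D/page.xhtml?dswid=1234',
  '/app/page.xhtml?&dswid=1234#a&&b',
];
for (const uri of samples) {
  console.log(uri);
  console.log('  query-only :', normalizeQueryAmpersands(uri));
  console.log('  chain      :', quotedReplaceChain(uri));
}
```

On the second sample the chain still leaves `?&dswid=1234&&&`, and on the third it rewrites the path segment `R&&D`, which are the two cases the issue describes.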
Re: [VOTE] Release of Apache DeltaSpike 1.5.3
+1

On Fri, Feb 5, 2016 at 6:01 AM, Gerhard Petracek wrote:

> Hi,
>
> I was running the needed tasks to get the 22th release of Apache DeltaSpike out.
> The artifacts are deployed to Nexus [1] (and [2]).
>
> The tag is available at [3] and the release-branch at [4].
> They will get pushed to the ASF repository once the vote passed.
>
> Please take a look at the 1.5.3 artifacts and vote!
>
> Please note:
> This vote is "majority approval" with a minimum of three +1 votes (see [5]).
>
> [ ] +1 for community members who have reviewed the bits
> [ ] +0
> [ ] -1 for fatal flaws that should cause these bits not to be released, and why..
>
> Thanks,
> Gerhard
>
> [1] https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/
> [2] https://repository.apache.org/content/repositories/orgapachedeltaspike-1032/org/apache/deltaspike/deltaspike/1.5.3/deltaspike-1.5.3-source-release.zip
> [3] https://github.com/os890/deltaspike-vote/tree/deltaspike-1.5.3
> [4] https://github.com/os890/deltaspike-vote/tree/ds-1.5.3
> [5] http://www.apache.org/foundation/voting.html#ReleaseVotes
Re: [VOTE] Release of Apache DeltaSpike 1.5.3
+1
Re: [VOTE] Release of Apache DeltaSpike 1.5.3
+1

On 6 Feb 2016 16:36, "Christian Kaltepoth" wrote:

> +1
>
> 2016-02-06 16:19 GMT+01:00 Jason Porter:
>
> > +1
> >
> > On Saturday, February 6, 2016, Thomas Andraschko <andraschko.tho...@gmail.com> wrote:
> >
> > > +1
> >
> > --
> > Sent from Gmail Mobile
>
> --
> Christian Kaltepoth
> Blog: http://blog.kaltepoth.de/
> Twitter: http://twitter.com/chkal
> GitHub: https://github.com/chkal