[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699945#comment-16699945 ]

cnsgithub commented on MYFACES-4266:

[~tandraschko] Even though the code is more complicated now, the performance is indeed much better, good work! And the unit tests are still working... ;)

> Ajax update fails due to invalid characters in response XML (DoS)
> -----------------------------------------------------------------
>
> Key: MYFACES-4266
> URL: https://issues.apache.org/jira/browse/MYFACES-4266
> Project: MyFaces Core
> Issue Type: Bug
> Affects Versions: 2.3.2
> Environment: jetty 9.4.14.v20181114
> JDK 10
> Reporter: cnsgithub
> Priority: Major
> Fix For: 2.2.13, 2.3.3, 3.0.0-SNAPSHOT
>
> I noticed that the {{}} update fails when the updated form contains unicode characters, which are not allowed in the [XML 1.0 spec|https://www.w3.org/TR/REC-xml/#charsets].
>
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they should be filtered by MyFaces before writing the response.
>
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails to parse the response.
>
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
> To reproduce:
> - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
> - {{git checkout myfaces}}
> - run {{mvn clean package jetty:run}}
> - after the server has started, open [http://localhost:8080/index.xhtml]
> - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
> - open [http://localhost:8080/input.xhtml]
> - Paste the characters from the {{illegal-xml-chars.txt}} file into the input field
> - Click the button
> This issue should be addressed with high priority since it is security related (might be exploited for Denial of Service).

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698718#comment-16698718 ]

Thomas Andraschko commented on MYFACES-4266:

Committed something. Could you please review?
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698703#comment-16698703 ]

Thomas Andraschko commented on MYFACES-4266:

Improved the performance to almost the same performance as without these changes. However, we should still try to avoid the new String if possible. Will work on it.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698679#comment-16698679 ]

Thomas Andraschko commented on MYFACES-4266:

Ok, the difference is really big for a simple case:

{code:java}
@Test
public void testPerf() throws IOException
{
    _contentCollector = new StringWriter();
    _writer = createTestProbe();
    for (int i = 0; i < 100; i++)
    {
        _writer.write("test");
    }

    long start = System.currentTimeMillis();
    _contentCollector = new StringWriter();
    _writer = createTestProbe();
    for (int i = 0; i < 100; i++)
    {
        _writer.write("test");
    }
    long end = System.currentTimeMillis();

    throw new RuntimeException((end - start) + "ms");
}
{code}

It doesn't come from the "new String()", you can just comment it. If I remove the "cloneWithWriter", the performance is much better.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698669#comment-16698669 ]

Thomas Andraschko commented on MYFACES-4266:

Not sure if we have something in general. Leo has a benchmark project which was used by: [http://content.jsfcentral.com/c/journal/view_article_content?cmd=view=35702=73398=1.8#.WzOTy4pCS70] The source should be on GitHub.

It's actually really critical as we always create new strings, also if no changes are required. A simple InputText component from PrimeFaces could even call it ~100(?) times probably.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698653#comment-16698653 ]

cnsgithub commented on MYFACES-4266:

Can you tell me what is the default procedure for performance testing in MyFaces? Do you have something like JUnitPerf in place so we could compare to previous values?

I absolutely agree that it is a critical part; however, it's not an option to continue without filtering illegal characters anyway.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698650#comment-16698650 ]

Thomas Andraschko commented on MYFACES-4266:

I didn't till now, but we have 2 options to optimize:
1) make the security fix configurable
2) check the chars and only re-create it when there is really an invalid char

WDYT?
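Option 2 from the comment above (scan first, copy only when an illegal character is actually present) can be combined with correct handling of supplementary characters. The class below is an added example written for this page; it is not MyFaces code and not the PR #27 patch, and the class name XmlCharFilterWriter, the space used as replacement and the constructed input in main are my own choices. It forwards clean chunks to the wrapped writer without copying, never modifies the caller's char[], touches only the [off, off+len) slice, keeps legal surrogate pairs (including a pair split across two write() calls) and replaces lone surrogates and every code point outside the XML 1.0 Char production.

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.nio.CharBuffer;

/**
 * Added example, not MyFaces code. Replaces characters outside the XML 1.0 Char
 * production with a space. A chunk is scanned first and forwarded untouched when
 * clean, so the common case copies nothing. Supplementary characters are legal XML
 * and are kept as surrogate pairs; only lone surrogates are replaced.
 */
public class XmlCharFilterWriter extends FilterWriter {
    private static final char REPLACEMENT = ' ';
    private int pendingHigh = -1; // high surrogate held back from the previous chunk

    public XmlCharFilterWriter(Writer out) {
        super(out);
    }

    /** XML 1.0 Char for one non-surrogate BMP code unit; bounds are inclusive. */
    static boolean isLegalBmp(char c) {
        return c == 0x9 || c == 0xA || c == 0xD
            || (c >= 0x20 && c <= 0xD7FF) || (c >= 0xE000 && c <= 0xFFFD);
    }

    /** True when s[from,to) can be forwarded without any change. */
    private boolean isClean(CharSequence s, int from, int to) {
        if (pendingHigh >= 0) return false;
        for (int i = from; i < to; i++) {
            char c = s.charAt(i);
            if (Character.isHighSurrogate(c)) { // its low half must follow in this chunk
                if (i + 1 >= to || !Character.isLowSurrogate(s.charAt(i + 1))) return false;
                i++;
            } else if (Character.isLowSurrogate(c) || !isLegalBmp(c)) return false;
        }
        return true;
    }

    /** Slow path: copy s[from,to) into a fresh buffer, replacing as we go. */
    private void writeSanitized(CharSequence s, int from, int to) throws IOException {
        if (from == to) return;
        char[] buf = new char[to - from + 1]; // +1 in case a pending pair completes
        int n = 0, i = from;
        if (pendingHigh >= 0) { // previous chunk ended in a high surrogate
            boolean paired = Character.isLowSurrogate(s.charAt(i));
            buf[n++] = paired ? (char) pendingHigh : REPLACEMENT;
            if (paired) buf[n++] = s.charAt(i++);
            pendingHigh = -1;
        }
        while (i < to) {
            char c = s.charAt(i++);
            if (Character.isHighSurrogate(c)) {
                if (i == to) pendingHigh = c; // the next write() may complete the pair
                else if (Character.isLowSurrogate(s.charAt(i))) { buf[n++] = c; buf[n++] = s.charAt(i++); }
                else buf[n++] = REPLACEMENT; // lone high surrogate
            } else {
                buf[n++] = (Character.isLowSurrogate(c) || !isLegalBmp(c)) ? REPLACEMENT : c;
            }
        }
        out.write(buf, 0, n);
    }

    @Override
    public void write(char[] cbuf, int off, int len) throws IOException {
        CharSequence s = CharBuffer.wrap(cbuf); // a view: the caller's array is never modified
        if (isClean(s, off, off + len)) out.write(cbuf, off, len);
        else writeSanitized(s, off, off + len);
    }

    @Override
    public void write(String str, int off, int len) throws IOException {
        if (isClean(str, off, off + len)) out.write(str, off, len);
        else writeSanitized(str, off, off + len);
    }

    @Override
    public void write(int c) throws IOException { // FilterWriter's default bypasses the filter
        write(new char[] { (char) c }, 0, 1);
    }

    @Override
    public void close() throws IOException { // stream ended in a lone high surrogate
        if (pendingHigh >= 0) { pendingHigh = -1; out.write(REPLACEMENT); }
        super.close();
    }

    public static void main(String[] args) throws IOException {
        StringWriter sink = new StringWriter();
        // Constructed input: NUL and ESC (illegal), U+1F600 split across two
        // write() calls (legal, must survive), then a lone low surrogate (illegal).
        try (XmlCharFilterWriter w = new XmlCharFilterWriter(sink)) {
            w.write("ok\u0000\u001B\uD83D");
            w.write("\uDE00\uDC00end");
        }
        System.out.println(sink);
    }
}
```

Compile with javac and run the class: the printed result keeps the U+1F600 pair intact and replaces NUL, ESC and the lone low surrogate with spaces. Holding back a trailing high surrogate means flush() does not emit it; it is written by the next call or replaced at close(), which is the safer trade-off for an HTTP response that can be flushed mid-stream.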
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698645#comment-16698645 ]

Bernd Bohmann commented on MYFACES-4266:

Did someone test the performance impact of this new String?
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698646#comment-16698646 ]

Bernd Bohmann commented on MYFACES-4266:

This is a really critical part.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698623#comment-16698623 ]

Thomas Andraschko commented on MYFACES-4266:

Thanks for the great PR [~cnsgithub]. I will merge it to the other branches now.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698621#comment-16698621 ] ASF GitHub Bot commented on MYFACES-4266: - tandraschko closed pull request #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS) URL: https://github.com/apache/myfaces/pull/27 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java b/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java index 0566f9998..a29529132 100644 --- a/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java +++ b/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java @@ -29,6 +29,7 @@ import javax.faces.context.ResponseWriter; import org.apache.myfaces.util.CDataEndEscapeFilterWriter; +import org.apache.myfaces.util.IllegalXmlCharacterFilterWriter; /** * @@ -110,7 +111,7 @@ public void setDoubleBuffer(Writer doubleBuffer) public PartialResponseWriterImpl(ResponseWriter writer) { -super(writer); +super(writer.cloneWithWriter(new IllegalXmlCharacterFilterWriter(writer))); } @Override @@ -129,7 +130,7 @@ public void startCDATA() throws IOException private void openDoubleBuffer() { -_doubleBuffer = new CDataEndEscapeFilterWriter(_cdataDoubleBufferWriter == null ? +_doubleBuffer = new CDataEndEscapeFilterWriter(_cdataDoubleBufferWriter == null ? this.getWrapped() : _cdataDoubleBufferWriter ); _cdataDoubleBufferWriter = getWrapped().cloneWithWriter(_doubleBuffer); 
diff --git a/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java b/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java new file mode 100644 index 0..05830c82e --- /dev/null +++ b/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java 
@@ -0,0 +1,84 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.myfaces.util; + +import java.io.FilterWriter; +import java.io.IOException; +import java.io.Writer; + +/** + * There are unicodes outside the ranges defined in the https://www.w3.org/TR/REC-xml/#charsets;>XML 1.0 specification that break XML parsers + * and therefore must be filtered out when writing partial responses. Otherwise this may lead to Denial of Service attacks. 
+ * @see https://issues.apache.org/jira/browse/MYFACES-4266 + */ +public class IllegalXmlCharacterFilterWriter extends FilterWriter +{ +public IllegalXmlCharacterFilterWriter(Writer out) +{ +super(out); +} + +@Override +public void write(int c) throws IOException +{ +super.write(xmlEncode((char) c)); +} + +@Override +public void write(char[] cbuf, int off, int len) throws IOException +{ +super.write(xmlEncode(cbuf), off, len); +} + +@Override +public void write(String str, int off, int len) throws IOException +{ +super.write(new String(xmlEncode(str.toCharArray())), off, len); +} + +private char[] xmlEncode(char[] ca) +{ +for (int i = 0; i < ca.length; i++) +{ +ca[i] = xmlEncode(ca[i]); +} +return ca; +} + +private char xmlEncode(char c) +{ +if (Character.isSurrogate(c)) +{ +return ' '; +} +if (c == '\u0009' || c == '\n' || c == '\r') +{ +return c; +} +if (c > '\u0020' && c < '\uD7FF') +{ +return c; +} +if (c > '\uE000' && c < '\uFFFD') +{ +return c; +} +return ' '; +} +} diff --git a/impl/src/test/java/org/apache/myfaces/context/PartialResponseWriterImplTest.java
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698501#comment-16698501 ]

ASF GitHub Bot commented on MYFACES-4266:

cnsgithub edited a comment on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441527197

> 1. all right, it would be just cool if we would have some more tests which also cover other #write methods or even writeAttribute - but not required

Provided another test for `writeAttribute`.

> 2. Oh, really sorry - that's my fault because of a too fast review. I thought that you would wrap a simple char with a string now.
> I would just do:
>
> ```java
> @Override
> public void write(String str, int off, int len) throws IOException
> {
>     super.write(new String(xmlEncode(str.toCharArray())), off, len);
> }
> ```

Done.

> I just wonder if we should replace the invalid char by a blank instead of empty? Not sure...

Also considered this. However, it would complicate things since array lengths might change then. When looking at OWASP's encoder you'll find they also replace illegal characters by spaces.

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698499#comment-16698499 ]

ASF GitHub Bot commented on MYFACES-4266:

cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441527197

> 1. all right, it would be just cool if we would have some more tests which also cover other #write methods or even writeAttribute - but not required

Provided another test for `writeAttribute`.

> 2. Oh, really sorry - that's my fault because of a too fast review. I thought that you would wrap a simple char with a string now.
> I would just do:
>
> ```java
> @Override
> public void write(String str, int off, int len) throws IOException
> {
>     super.write(new String(xmlEncode(str.toCharArray())), off, len);
> }
> ```

Done.

> I just wonder if we should replace the invalid char by a blank instead of empty? Not sure...

Also considered this. However, it would complicate things since array lengths might change then. When looking at OWASP's encoder you'll find they're also replacing illegal characters by spaces.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698329#comment-16698329 ]

ASF GitHub Bot commented on MYFACES-4266:

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441476483

1) all right, it would be just cool if we would have some more tests which also cover other #write methods or even writeAttribute - but not required

2) Oh, really sorry - that's my fault because of a too fast review. I thought that you would wrap a simple char with a string now.
I would just do:

```java
@Override
public void write(String str, int off, int len) throws IOException {
    super.write(new String(xmlEncode(str.toCharArray())), off, len);
}
```

I just wonder if we should replace the invalid char by a blank instead of empty? Not sure...
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698244#comment-16698244 ]

ASF GitHub Bot commented on MYFACES-4266:

cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441461685

> 1. I think we should overwrite all #write methods, to cover 100% all cases?! Probably also writeText?

I think the remaining `writeXXX` methods operate on a higher abstraction level and internally call the low level methods like the ones that have already been overridden. The provided unit test is already testing `writeText` to verify this assumption.

> 2. all #write methods should call the same super.write - currently the write(String) calls super.write(char[]) to avoid confusion (and maybe but unlikely bugs)

I am a bit confused as this statement seems to be in contrast to what you have written in your first review. Afterwards I changed the behavior in https://github.com/apache/myfaces/pull/27/commits/c89e67fd1f5c9456f53f3a3c13b5123da510b632 to fit your requirement.

> JFYI: you can also use a for-each loop when looping over arrays, we just avoid it on ArrayLists, to avoid an iterator instance (ArrayLists are used for component lists e.g. and the component tree is traversed very often)

Ok, good to know. However, in this special case it's probably necessary to have a counter since we don't want to copy the array, instead we want to modify the contents of the existing array.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696530#comment-16696530 ]

ASF GitHub Bot commented on MYFACES-4266:

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441182397

cool :D

I'm just a bit unsure... The current version will work but maybe it's a bit "unattractive".

1) I think we should overwrite all #write methods, to cover 100% all cases?! Probably also writeText?

2) all #write methods should call the same super.write - currently the write(String) calls super.write(char[]) to avoid confusion (and maybe but unlikely bugs)

JFYI: you can also use a for-each loop when looping over arrays, we just avoid it on ArrayLists, to avoid an iterator instance (ArrayLists are used for component lists e.g. and the component tree is traversed very often)
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696446#comment-16696446 ]

ASF GitHub Bot commented on MYFACES-4266:

cnsgithub edited a comment on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441158458

> Of course - but these methods use char and char[]:
>
> ```java
> public void write(int c) throws IOException
> public void write(char[] cbuf, int off, int len) throws IOException
> ```
>
> There is no need to wrap it by a string

Sorry, I don't see any problem here since `xmlEncode` has been overloaded three times to fit all `write` variations, i.e. `write(char[],int,int)` is using `xmlEncode(char[])`, `write(int)` is using `xmlEncode(char)` and just `write(String,off,len)` is using `xmlEncode(String)`.

Edit: @tandraschko Okay, now I see, just added another commit. :wink:
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696388#comment-16696388 ]

ASF GitHub Bot commented on MYFACES-4266:

cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441158458

> Of course - but these methods use char and char[]:
>
> ```java
> public void write(int c) throws IOException
> public void write(char[] cbuf, int off, int len) throws IOException
> ```
>
> There is no need to wrap it by a string

Sorry, I don't see any problem here since `xmlEncode` has been overloaded three times to fit all `write` variations, i.e. `write(char[],int,int)` is using `xmlEncode(char[])`, `write(int)` is using `xmlEncode(char)` and just `write(String,off,len)` is using `xmlEncode(String)`.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696021#comment-16696021 ]

ASF GitHub Bot commented on MYFACES-4266:

melloware commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441063132

Ahh I see what you mean, just override those write methods and process each char.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695991#comment-16695991 ]

ASF GitHub Bot commented on MYFACES-4266:

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441056944

Of course - but these methods use char and char[]:

```java
public void write(int c) throws IOException
public void write(char[] cbuf, int off, int len) throws IOException
```

There is no need to wrap it by a string
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695992#comment-16695992 ]

ASF GitHub Bot commented on MYFACES-4266:

tandraschko edited a comment on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441056944

Of course - but these methods use char and char[]:

```java
public void write(int c) throws IOException
public void write(char[] cbuf, int off, int len) throws IOException
```

There is no need to wrap it by a string
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695983#comment-16695983 ]

ASF GitHub Bot commented on MYFACES-4266:

melloware commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441055497

@tandraschko I think since Strings are immutable you will have no choice but to create a new String, but I could be wrong.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695954#comment-16695954 ]

ASF GitHub Bot commented on MYFACES-4266:

tandraschko edited a comment on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441049008

thanks, really appreciate new contributors!

I just wonder if we could implement it without always creating a new String? (we could just loop the char array)
In MyFaces we are very performance "sensitive" ;)

WDYT @pnicolucci @ebreijo ?
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695953#comment-16695953 ]

ASF GitHub Bot commented on MYFACES-4266:

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441049008

thanks, really appreciate new contributors!

I just wonder if we could implement it without always creating a new String?
In MyFaces we are very performance "sensitive" ;)

WDYT @pnicolucci @ebreijo ?
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695940#comment-16695940 ]

Werner Punz commented on MYFACES-4266:

@tandraschko, how do you wanna address this? I guess a server side filter is a safer bet.

Basically the client code just gets the cdata out and uses innerHTML to push the update in. I could prefilter the cdata for illegal chars on the client as well, but I am not sure if this is the proper way to go here.
[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)
[ https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695920#comment-16695920 ] ASF GitHub Bot commented on MYFACES-4266:

cnsgithub opened a new pull request #27: fixes https://issues.apache.org/jira/browse/MYFACES-4266
URL: https://github.com/apache/myfaces/pull/27

Fixes
- https://issues.apache.org/jira/browse/MYFACES-4266

Related to
- https://github.com/primefaces/primefaces/issues/3875

@tandraschko Could you please check that?

This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
