[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread cnsgithub (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16699945#comment-16699945
 ] 

cnsgithub commented on MYFACES-4266:


[~tandraschko] Even though the code is more complicated now, the performance is 
indeed much better, good work! And the unit tests are still working... ;)

> Ajax update fails due to invalid characters in response XML (DoS)
> -
>
> Key: MYFACES-4266
> URL: https://issues.apache.org/jira/browse/MYFACES-4266
> Project: MyFaces Core
>  Issue Type: Bug
>Affects Versions: 2.3.2
> Environment: jetty 9.4.14.v20181114
> JDK 10
>Reporter: cnsgithub
>Priority: Major
> Fix For: 2.2.13, 2.3.3, 3.0.0-SNAPSHOT
>
>
> I noticed that the {{}} update fails when the updated form contains 
> unicode characters, which are not allowed in the [XML 1.0 
> spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they 
> should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails 
> to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: 
> [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
>  To reproduce:
>  - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
>  - {{git checkout myfaces}}
>  - run {{mvn clean package jetty:run}}
>  - after the server has started, open [http://localhost:8080/index.xhtml]
>  - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
>  - open [http://localhost:8080/input.xhtml]
>  - Paste the characters from the {{illegal-xml-chars.txt}} file into the 
> input field
>  - Click the button
> This issue should be addressed with high priority since it is security 
> related (might be exploited for Denial of Service).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Thomas Andraschko (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698718#comment-16698718
 ] 

Thomas Andraschko commented on MYFACES-4266:


Committed something. Could you please review?




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Thomas Andraschko (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698703#comment-16698703
 ] 

Thomas Andraschko commented on MYFACES-4266:


Improved the performance to almost the same as without these changes.
However, we should still try to avoid the new String if possible. Will work on 
it.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Thomas Andraschko (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698679#comment-16698679
 ] 

Thomas Andraschko commented on MYFACES-4266:


Ok, the difference is really big for a simple case:



{code:java}
    @Test
    public void testPerf() throws IOException
    {
        // Warm-up pass so class loading and JIT work do not end up in the measurement.
        _contentCollector = new StringWriter();
        _writer = createTestProbe();
        for (int i = 0; i < 100; i++)
        {
            _writer.write("test");
        }

        // Measured pass over a fresh writer and collector.
        long start = System.currentTimeMillis();
        _contentCollector = new StringWriter();
        _writer = createTestProbe();
        for (int i = 0; i < 100; i++)
        {
            _writer.write("test");
        }
        long end = System.currentTimeMillis();

        // Quick hack: fail the test with the elapsed time as the message so it shows in the report.
        throw new RuntimeException((end - start) + "ms");
    }
{code}

It doesn't come from the "new String()"; you can just comment it out. 
If I remove the "cloneWithWriter", the performance is much better.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Thomas Andraschko (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698669#comment-16698669
 ] 

Thomas Andraschko commented on MYFACES-4266:


Not sure if we have something in general. Leo has a benchmark project which 
was used by: 
[http://content.jsfcentral.com/c/journal/view_article_content?cmd=view=35702=73398=1.8#.WzOTy4pCS70]

The source should be on GitHub.
It's actually really critical as we always create new strings, even if no 
changes are required.
A simple InputText component from PrimeFaces could even call it ~100(?) times 
probably.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread cnsgithub (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698653#comment-16698653
 ] 

cnsgithub commented on MYFACES-4266:


Can you tell me what the default procedure for performance testing in 
MyFaces is? Do you have something like JUnitPerf in place so we could compare to 
previous values? I absolutely agree that it is a critical part; however, it's 
not an option to continue without filtering illegal characters anyway.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Thomas Andraschko (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698650#comment-16698650
 ] 

Thomas Andraschko commented on MYFACES-4266:


I didn't till now but we have 2 options to optimize:
1) make the security fix configurable
2) check the chars and only re-create it when there is really an invalid char

WDYT?




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Bernd Bohmann (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698645#comment-16698645
 ] 

Bernd Bohmann commented on MYFACES-4266:


Did someone test the performance impact of this new String?




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Bernd Bohmann (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698646#comment-16698646
 ] 

Bernd Bohmann commented on MYFACES-4266:


This is a really critical part.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread Thomas Andraschko (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698623#comment-16698623
 ] 

Thomas Andraschko commented on MYFACES-4266:


Thanks for the great PR [~cnsgithub]. I will merge it to the other branches now.




--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-26 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698621#comment-16698621
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko closed pull request #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git 
a/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java 
b/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java
index 0566f9998..a29529132 100644
--- 
a/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java
+++ 
b/impl/src/main/java/org/apache/myfaces/context/PartialResponseWriterImpl.java
@@ -29,6 +29,7 @@
 import javax.faces.context.ResponseWriter;
 
 import org.apache.myfaces.util.CDataEndEscapeFilterWriter;
+import org.apache.myfaces.util.IllegalXmlCharacterFilterWriter;
 
 /**
  * 
@@ -110,7 +111,7 @@ public void setDoubleBuffer(Writer doubleBuffer)
 
 public PartialResponseWriterImpl(ResponseWriter writer)
 {
-super(writer);
+super(writer.cloneWithWriter(new 
IllegalXmlCharacterFilterWriter(writer)));
 }
 
 @Override
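Review bot: wrapping the entire ResponseWriter in the constructor (`super(writer.cloneWithWriter(new IllegalXmlCharacterFilterWriter(writer)))`) sends every write, including the markup the framework itself emits, through the filter and through the per-call `new String` copy in `write(String, int, int)`; the micro-benchmark in this thread attributes most of the slowdown to this `cloneWithWriter`. Consider scanning the written window first and copying only when it actually contains an illegal character, and add a one-line comment here naming MYFACES-4266 so a later cleanup does not drop the wrap without realising it is a security control.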
@@ -129,7 +130,7 @@ public void startCDATA() throws IOException
 
 private void openDoubleBuffer()
 {
-_doubleBuffer = new 
CDataEndEscapeFilterWriter(_cdataDoubleBufferWriter == null ? 
+_doubleBuffer = new 
CDataEndEscapeFilterWriter(_cdataDoubleBufferWriter == null ?
 this.getWrapped() : _cdataDoubleBufferWriter );
 _cdataDoubleBufferWriter = getWrapped().cloneWithWriter(_doubleBuffer);
 
diff --git 
a/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java
 
b/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java
new file mode 100644
index 0..05830c82e
--- /dev/null
+++ 
b/impl/src/main/java/org/apache/myfaces/util/IllegalXmlCharacterFilterWriter.java
@@ -0,0 +1,84 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.myfaces.util;
+
+import java.io.FilterWriter;
+import java.io.IOException;
+import java.io.Writer;
+
+/**
+ * There are unicodes outside the ranges defined in the https://www.w3.org/TR/REC-xml/#charsets;>XML 1.0 specification that 
break XML parsers
+ * and therefore must be filtered out when writing partial responses. 
Otherwise this may lead to Denial of Service attacks.
+ * @see https://issues.apache.org/jira/browse/MYFACES-4266
+ */
+public class IllegalXmlCharacterFilterWriter extends FilterWriter
+{
+public IllegalXmlCharacterFilterWriter(Writer out)
+{
+super(out);
+}
+
+@Override
+public void write(int c) throws IOException 
+{
+super.write(xmlEncode((char) c));
+}
+
+@Override
+public void write(char[] cbuf, int off, int len) throws IOException 
+{
+super.write(xmlEncode(cbuf), off, len);
+}
+
+@Override
+public void write(String str, int off, int len) throws IOException 
+{
+super.write(new String(xmlEncode(str.toCharArray())), off, len);
+}
+
+private char[] xmlEncode(char[] ca)
+{
+for (int i = 0; i < ca.length; i++)
+{
+ca[i] = xmlEncode(ca[i]);
+}
+return ca;
+}
+
+private char xmlEncode(char c)
+{
+if (Character.isSurrogate(c)) 
+{
+return ' ';
+}
+if (c == '\u0009' || c == '\n' || c == '\r') 
+{
+return c;
+}
+if (c > '\u0020' && c < '\uD7FF') 
+{
+return c;
+}
+if (c > '\uE000' && c < '\uFFFD') 
+{
+return c;
+}
+return ' ';
+}
+}
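Review bot: `xmlEncode(char)` replaces every surrogate with a space (`if (Character.isSurrogate(c)) return ' ';`), so any character above U+FFFF, which Java writes as a surrogate pair and which XML 1.0 allows (#x10000-#x10FFFF), becomes two spaces; only unpaired surrogates need replacing. The BMP checks are also off by one at both ends: the spec ranges #x20-#xD7FF and #xE000-#xFFFD are inclusive, but `c > '\u0020' && c < '\uD7FF'` and `c > '\uE000' && c < '\uFFFD'` drop U+D7FF, U+E000 and U+FFFD (U+0020 is replaced by itself, which is harmless). Separately, `write(char[] cbuf, int off, int len)` hands the whole array to `xmlEncode(char[])`, which rewrites it in place over its full length, so the caller's buffer is modified outside the requested `[off, off+len)` window; copy that window instead. A unit test feeding an emoji and U+FFFD through `write(char[], int, int)` would catch all three.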
diff --git 
a/impl/src/test/java/org/apache/myfaces/context/PartialResponseWriterImplTest.java
 

[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-25 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698501#comment-16698501
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

cnsgithub edited a comment on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441527197
 
 
   > 1. all right, it would be just cool if we would have some more tests which 
also cover other #write methods or even writeAttribute - but not required
   
   Provided another test for `writeAttribute`.
   
   > 2. Oh, really sorry - that's my fault because of a too fast review. I 
thought that you would wrap a simple char with a string now.
   >I would just do:
   > 
   > ` @Override public void write(String str, int off, int len) throws 
IOException { super.write(new String(xmlEncode(str.toCharArray())), off, len); 
}`
   
   Done.
   
   > I just wonder if we should replace the invalid char by a blank instead of 
empty? Not sure...
   
   Also considered this. However, it would complicate things since array 
lengths might change then. When looking at OWASP's encoder you'll find they 
also replace illegal characters by spaces.
   


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org





--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
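The approach Thomas sketched as option 2 earlier in the thread (scan the characters and only re-create the buffer when an invalid one is really present), combined with the replace-by-space choice cnsgithub explains above, written out as an added example. This is not MyFaces code and not the code from PR #27: the class names `XmlCharFilterDemo` and `XmlCharFilterWriter` are hypothetical, the partial-response document in `main` is constructed, and the JDK's `DocumentBuilder` stands in for the browser's XML parser to show the before/after.

```java
import java.io.FilterWriter;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.nio.CharBuffer;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

/**
 * Hypothetical class (added example, not MyFaces code). Keeps the output inside the XML 1.0
 * Char production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF].
 * A complete surrogate pair encodes the last range and is legal, so only lone surrogates are
 * replaced. Each window is scanned first and copied only when something must change, the
 * caller's array is never modified, and a space keeps lengths (and off/len maths) unchanged.
 * Known limit: a pair split across two write() calls is seen as two lone surrogates.
 */
public class XmlCharFilterDemo {

    public static class XmlCharFilterWriter extends FilterWriter {
        public XmlCharFilterWriter(Writer out) { super(out); }

        @Override
        public void write(int c) throws IOException {
            char ch = (char) c;               // one unit can never be a complete pair
            super.write(isXmlChar(ch) ? ch : ' ');
        }

        @Override
        public void write(char[] cbuf, int off, int len) throws IOException {
            if (firstIllegal(CharBuffer.wrap(cbuf, off, len), 0) < 0) {
                super.write(cbuf, off, len);  // clean window: pass through, no allocation
                return;
            }
            char[] copy = new char[len];      // private copy of [off, off+len) only
            System.arraycopy(cbuf, off, copy, 0, len);
            super.write(sanitize(copy), 0, len);
        }

        @Override
        public void write(String str, int off, int len) throws IOException {
            if (firstIllegal(CharBuffer.wrap(str, off, off + len), 0) < 0) {
                super.write(str, off, len);
                return;
            }
            char[] copy = new char[len];
            str.getChars(off, off + len, copy, 0);
            super.write(sanitize(copy), 0, len);
        }
    }

    /** XML 1.0 Char test for one BMP unit; surrogates fail here and are paired by the callers. */
    static boolean isXmlChar(char c) {
        return c == '\t' || c == '\n' || c == '\r'
            || (c >= '\u0020' && c <= '\uD7FF')
            || (c >= '\uE000' && c <= '\uFFFD');
    }

    /** Index (at or after from) of the next unit that must be replaced, or -1 if none. */
    static int firstIllegal(CharSequence s, int from) {
        for (int i = from, n = s.length(); i < n; i++) {
            char c = s.charAt(i);
            if (Character.isHighSurrogate(c) && i + 1 < n && Character.isLowSurrogate(s.charAt(i + 1))) {
                i++;                          // legal supplementary character: skip both units
            } else if (Character.isSurrogate(c) || !isXmlChar(c)) {
                return i;
            }
        }
        return -1;
    }

    /** Replaces every illegal unit of a private copy with a space and returns the same array. */
    static char[] sanitize(char[] a) {
        CharBuffer view = CharBuffer.wrap(a); // backed by a, so the scan sees each replacement
        for (int i = firstIllegal(view, 0); i >= 0; i = firstIllegal(view, i + 1)) {
            a[i] = ' ';
        }
        return a;
    }

    /** Runs a string through the filter and returns what reached the underlying writer. */
    public static String filter(String s) throws IOException {
        StringWriter sink = new StringWriter();
        try (Writer w = new XmlCharFilterWriter(sink)) {
            w.write(s);
        }
        return sink.toString();
    }

    /** True if the JDK's conforming XML parser accepts the document (stand-in for the browser's). */
    public static boolean parses(String xml) {
        try {
            DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
            return true;
        } catch (Exception e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample shaped like a JSF partial response: the update body carries
        // U+0008 (illegal in XML 1.0) and an emoji, i.e. a surrogate pair (legal).
        String raw = "<?xml version=\"1.0\"?><partial-response><changes><update id=\"form\">"
            + "<![CDATA[name: Bob\u0008 \uD83D\uDE00]]></update></changes></partial-response>";
        String clean = filter(raw);
        if (parses(raw) || !parses(clean) || !clean.contains("\uD83D\uDE00")) {
            throw new AssertionError("filter did not behave as described");
        }
        System.out.println("unfiltered parses: " + parses(raw) + ", filtered parses: " + parses(clean)
            + ", emoji kept: " + clean.contains("\uD83D\uDE00"));
    }
}
```

The scan-first path is what makes option 2 cheap: for the usual response, which contains no illegal character, neither `write` overload allocates, and the only cost is one pass over the window. Replacing with a space rather than deleting is what lets the overrides keep the caller's `off`/`len` untouched, which is the reason cnsgithub gives above.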


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-25 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698499#comment-16698499
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441527197
 
 
   > 1. all right, it would be just cool if we would have some more tests which 
also cover other #write methods or even writeAttribute - but not required
   
   Provided another test for `writeAttribute`.
   
   > 2. Oh, really sorry - that's my fault because of a too fast review. I 
thought that you would wrap a simple char with a string now.
   >I would just do:
   > 
   > ` @Override public void write(String str, int off, int len) throws 
IOException { super.write(new String(xmlEncode(str.toCharArray())), off, len); 
}`
   
   Done.
   
   > I just wonder if we should replace the invalid char by a blank instead of 
empty? Not sure...
   
   Also considered this. However, it would complicate things since array 
lengths might change then. When looking at OWASP's encoder you'll find they're 
also replacing illegal characters by spaces.
   







--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-25 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698329#comment-16698329
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441476483
 
 
   1) all right, it would be just cool if we would have some more tests which 
also cover other #write methods or even writeAttribute - but not required 
   2) Oh, really sorry - that's my fault because of a too fast review. I 
thought that you would wrap a simple char with a string now.
   I would just do:
   
   ```java
   @Override
   public void write(String str, int off, int len) throws IOException
   {
       super.write(new String(xmlEncode(str.toCharArray())), off, len);
   }
   ```
   
   I just wonder if we should replace the invalid char by a blank instead of 
empty? Not sure...
   




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-25 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16698244#comment-16698244
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441461685
 
 
   > 1. I think we should overwrite all #write methods, to cover 100% of all 
cases?! Probably also writeText?
   
   I think the remaining `writeXXX` methods operate on a higher abstraction 
level and internally call the low level methods like the ones that have already 
been overridden. The provided unit test is already testing `writeText` to 
verify this assumption.
   
   > 2. all #write methods should call the same super.write - currently the 
write(String) calls super.write(char[]) to avoid confusion (and maybe but 
unlikely bugs)
   
   I am a bit confused as this statement seems to be in contrast to what you 
have written in your first review. Afterwards I changed the behavior in 
https://github.com/apache/myfaces/pull/27/commits/c89e67fd1f5c9456f53f3a3c13b5123da510b632
 to fit your requirement.

   > JFYI: you can also use a for-each loop when looping over arrays, we just 
avoid it on ArrayLists, to avoid an iterator instance (ArrayLists are used for 
component lists e.g. and the component tree is traversed very often)
   
   Ok, good to know. However, in this special case it's probably necessary to 
have a counter since we don't want to copy the array, instead we want to modify 
the contents of the existing array.
   


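The design the review converges on across the exchanges above (override the low-level `write` methods so every path is covered, blank an illegal character rather than drop it so array lengths and the `off`/`len` arguments stay consistent, and loop the `char[]` in place instead of building a new String), written out as an added example. This is illustrative code of my own, not code from the MyFaces project or from PR #27; the class name `XmlSafeWriter`, the helper `isLegalXmlChar` and the three-argument `xmlEncode(char[], int, int)` are my naming choices, and the sample input in `main` is constructed.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;

/**
 * Illustrative filter writer (assumption: not MyFaces code). Every UTF-16 code
 * unit that the XML 1.0 "Char" production does not allow is replaced by a
 * space before it reaches the wrapped writer, so the partial response stays
 * well-formed whatever a user typed into a form field.
 */
public class XmlSafeWriter extends Writer {

    private final Writer delegate;

    public XmlSafeWriter(Writer delegate) {
        this.delegate = delegate;
    }

    /**
     * XML 1.0, section 2.2:
     *   Char ::= #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
     * The last range is carried in Java as a surrogate pair (D800-DFFF), so
     * surrogate code units are accepted here. A lone surrogate cannot be
     * recognised one char at a time (a pair may be split across two write
     * calls), so that case is left to the output charset encoder.
     */
    static boolean isLegalXmlChar(char c) {
        return c == 0x9 || c == 0xA || c == 0xD
                || (c >= 0x20 && c <= 0xD7FF)
                || (c >= 0xD800 && c <= 0xDFFF)
                || (c >= 0xE000 && c <= 0xFFFD);
    }

    /**
     * Overwrites illegal code units in place and returns the same array: no
     * copy, no new String, and the length never changes, which is why a blank
     * rather than removal keeps the caller's off/len valid.
     */
    static char[] xmlEncode(char[] cbuf, int off, int len) {
        for (int i = off; i < off + len; i++) {
            if (!isLegalXmlChar(cbuf[i])) {
                cbuf[i] = ' ';
            }
        }
        return cbuf;
    }

    @Override
    public void write(int c) throws IOException {
        delegate.write(isLegalXmlChar((char) c) ? c : ' ');
    }

    @Override
    public void write(char[] cbuf, int off, int len) throws IOException {
        // Mutates the caller's buffer; acceptable only where the caller owns it.
        delegate.write(xmlEncode(cbuf, off, len), off, len);
    }

    @Override
    public void write(String str, int off, int len) throws IOException {
        // Strings are immutable, so one copy is unavoidable; encode that copy
        // and hand the char[] on directly instead of building a second String.
        char[] copy = str.toCharArray();
        delegate.write(xmlEncode(copy, off, len), off, len);
    }

    @Override
    public void flush() throws IOException {
        delegate.flush();
    }

    @Override
    public void close() throws IOException {
        delegate.close();
    }

    /** Constructed sample: a control char, a non-character and a valid emoji. */
    public static void main(String[] args) throws IOException {
        StringWriter out = new StringWriter();
        try (Writer w = new XmlSafeWriter(out)) {
            w.write("a\u0001b");                          // U+0001 is illegal
            w.write('\uFFFE');                            // U+FFFE is illegal
            w.write("\uD83D\uDE00".toCharArray(), 0, 2);  // U+1F600 is legal
        }
        String result = out.toString();
        for (int i = 0; i < result.length(); i++) {
            System.out.printf("%d: U+%04X%n", i, (int) result.charAt(i));
        }
    }
}
```

Replacement rather than escaping is the only option here: XML 1.0 forbids these code points outright, including as numeric character references (the "Legal Character" well-formedness constraint) and inside CDATA sections, so nothing the browser's parser could accept exists and the filtering has to happen before the response is written, as the issue description asks. For `java.io.Writer` the remaining entry points (`write(char[])`, `write(String)`, `append(...)`) all funnel into the three overridden methods, which is the "higher abstraction level" argument made above; that holds for `java.io.Writer` itself and should be checked against any ResponseWriter subclass that has its own `writeText`/`writeAttribute` paths.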


[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-23 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696530#comment-16696530
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441182397
 
 
   cool :D
   
   I'm just a bit unsure... The current version will work but maybe it's a 
bit "unattractive".
   
   1) I think we should overwrite all #write methods, to cover 100% of all 
cases?! Probably also writeText?
   2) all #write methods should call the same super.write - currently the 
write(String) calls super.write(char[]) to avoid confusion (and maybe but 
unlikely bugs)
   
   JFYI: you can also use a for-each loop when looping over arrays, we just 
avoid it on ArrayLists, to avoid an iterator instance (ArrayLists are used for 
component lists e.g. and the component tree is traversed very often)
   




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696446#comment-16696446
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

cnsgithub edited a comment on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441158458
 
 
   > Of course - but these methods use char and char[]:
   > 
   > ```java
   > public void write(int c) throws IOException 
   > public void write(char[] cbuf, int off, int len) throws IOException 
   > ```
   > There is no need to wrap it in a string
   
   Sorry, I don't see any problem here since `xmlEncode` has been overloaded 
three times to fit all `write` variations, i.e. `write(char[],int,int)` is using 
`xmlEncode(char[])`, `write(int)` is using `xmlEncode(char)` and just 
`write(String,off,len)` is using `xmlEncode(String)`.
   
   Edit: @tandraschko Okay, now I see, just added another commit. :wink: 




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696388#comment-16696388
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

cnsgithub commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441158458
 
 
   > Of course - but these methods use char and char[]:
   > 
   > ```java
   > public void write(int c) throws IOException 
   > public void write(char[] cbuf, int off, int len) throws IOException 
   > ```
   > There is no need to wrap it in a string
   
   Sorry, I don't see any problem here since `xmlEncode` has been overloaded 
three times to fit all `write` variations, i.e. `write(char[],int,int)` is using 
`xmlEncode(char[])`, `write(int)` is using `xmlEncode(char)` and just 
`write(String,off,len)` is using `xmlEncode(String)`.




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16696021#comment-16696021
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

melloware commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441063132
 
 
   Ahh, I see what you mean: just override those write methods and process each 
char.




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695991#comment-16695991
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441056944
 
 
   Of course - but these methods use char and char[]:
   
   ```java
   public void write(int c) throws IOException 
   public void write(char[] cbuf, int off, int len) throws IOException 
   ```
   
   There is no need to wrap it in a string




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695992#comment-16695992
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko edited a comment on issue #27: MYFACES-4266: Ajax update fails due 
to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441056944
 
 
   Of course - but these methods use char and char[]:
   
   ```java
   public void write(int c) throws IOException 
   public void write(char[] cbuf, int off, int len) throws IOException 
   ```
   
   There is no need to wrap it in a string




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695983#comment-16695983
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

melloware commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441055497
 
 
   @tandraschko I think since Strings are immutable you will have no choice but 
to create a new String, but I could be wrong. 




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695954#comment-16695954
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko edited a comment on issue #27: MYFACES-4266: Ajax update fails due 
to invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441049008
 
 
   thanks, really appreciate new contributors!
   
   I just wonder if we could implement it without always creating a new String? 
(we could just loop the char array)
   In MyFaces we are very performance "sensitive" ;)
   
   WDYT @pnicolucci @ebreijo ?




[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695953#comment-16695953
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

tandraschko commented on issue #27: MYFACES-4266: Ajax update fails due to 
invalid characters in response XML (DoS)
URL: https://github.com/apache/myfaces/pull/27#issuecomment-441049008
 
 
   thanks, really appreciate new contributors!
   
   I just wonder if we could implement it without always creating a new String?
   In MyFaces we are very performance "sensitive" ;)
   
   WDYT @pnicolucci @ebreijo ?


This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Ajax update fails due to invalid characters in response XML (DoS)
> -
>
> Key: MYFACES-4266
> URL: https://issues.apache.org/jira/browse/MYFACES-4266
> Project: MyFaces Core
>  Issue Type: Bug
>Affects Versions: 2.3.2
> Environment: jetty 9.4.14.v20181114
> JDK 10
>Reporter: cnsgithub
>Priority: Major
>
> I noticed that the {{}} update fails when the updated form contains 
> unicode characters, which are not allowed in the [XML 1.0 
> spec|https://www.w3.org/TR/REC-xml/#charsets].
> h2. Expected Behaviour
> If the update response contains characters that are not allowed in XML, they 
> should be filtered by MyFaces before writing the response.
> h2. Actual Behaviour
> Some illegal XML characters are not filtered and therefore the browser fails 
> to parse the response.
> h2. Steps to reproduce
> I created a small github project to reproduce this behaviour: 
> [https://github.com/cnsgithub/mojarra-ajax/tree/myfaces] (branch myfaces)
>  To reproduce:
>  - {{git clone [https://github.com/cnsgithub/mojarra-ajax]}}
>  - {{git checkout myfaces}}
>  - run {{mvn clean package jetty:run}}
>  - after the server has started, open [http://localhost:8080/index.xhtml]
>  - Click the button, the error should occur
> The issue also occurs with user supplied inputs:
>  - open [http://localhost:8080/input.xhtml]
>  - Paste the characters from the {{illegal-xml-chars.txt}} file into the 
> input field
>  - Click the button
> This issue should be addressed with high priority since it is security 
> related (might be exploited for Denial of Service).





[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread Werner Punz (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695940#comment-16695940
 ] 

Werner Punz commented on MYFACES-4266:
--

@tandraschko, how do you want to address this?

I guess a server-side filter is a safer bet.

Basically the client code just gets the CDATA out and uses innerHTML to push 
the update in.

I could prefilter the CDATA for illegal chars on the client as well, but I am 
not sure if this is the proper way to go here.

 

 





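The server-side filter that the two comments above argue for (filter before writing the response instead of creating a new String every time, and prefer the server over prefiltering the CDATA on the client), as an added example. This is not MyFaces code and not the change in PR #27, which this page does not show; class and method names are my own. The legal ranges are the XML 1.0 Char production from the spec linked in the issue: #x9, #xA, #xD, #x20-#xD7FF, #xE000-#xFFFD and #x10000-#x10FFFF. Two points a practitioner should keep in mind: escaping does not help, because a character reference such as `&#x1;` is itself not well-formed XML, and the filter has to run before the `<![CDATA[...]]>` of the update is written, since a browser's XML parser rejects the whole partial response, which is why one bad character in user input takes the view down.

```java
// Added example (not MyFaces code): strip code points that are not legal in
// XML 1.0 (https://www.w3.org/TR/REC-xml/#charsets) from an update fragment
// before it is written into the partial response. Returns the same String
// instance when nothing has to be removed, so the common case allocates nothing.
public final class XmlCharFilter {

    private XmlCharFilter() {
    }

    /** True for a code point matching the XML 1.0 Char production. */
    static boolean isLegalXmlChar(int cp) {
        return cp == 0x9 || cp == 0xA || cp == 0xD
                || (cp >= 0x20 && cp <= 0xD7FF)
                || (cp >= 0xE000 && cp <= 0xFFFD)
                || (cp >= 0x10000 && cp <= 0x10FFFF);
    }

    /**
     * Drops illegal XML characters. Java strings are UTF-16, so supplementary
     * characters arrive as surrogate pairs: a well-formed pair decodes to a
     * code point >= 0x10000 and is kept, while a lone surrogate decodes to a
     * value in 0xD800-0xDFFF, fails the range check and is dropped (an XML
     * parser would reject it as well).
     */
    public static String stripIllegalXmlChars(String s) {
        if (s == null) {
            return null;
        }
        int len = s.length();
        int i = 0;
        // Fast path: scan without allocating until the first illegal code point.
        while (i < len) {
            int cp = s.codePointAt(i);
            if (!isLegalXmlChar(cp)) {
                break;
            }
            i += Character.charCount(cp);
        }
        if (i >= len) {
            return s; // nothing to filter: hand back the caller's instance
        }
        // Slow path: copy the legal prefix, then filter the rest code point by code point.
        StringBuilder sb = new StringBuilder(len);
        sb.append(s, 0, i);
        while (i < len) {
            int cp = s.codePointAt(i);
            if (isLegalXmlChar(cp)) {
                sb.appendCodePoint(cp);
            }
            i += Character.charCount(cp);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample input: U+0001 and U+FFFE are illegal, U+1F600 (a
        // surrogate pair) is legal, and the trailing lone high surrogate is illegal.
        String dirty = "ok\u0001\uFFFE\uD83D\uDE00\uD83D";
        String cleaned = stripIllegalXmlChars(dirty);
        if (!"ok\uD83D\uDE00".equals(cleaned)) {
            throw new AssertionError("unexpected result: " + cleaned);
        }

        // Already-legal markup comes back as the identical instance, no copy made.
        String clean = "<p>plain &amp; legal</p>";
        if (stripIllegalXmlChars(clean) != clean) {
            throw new AssertionError("clean input should not be copied");
        }
        System.out.println("filter ok");
    }
}
```

The fast path is the answer to the allocation question: a fragment that is already legal costs one scan and no new object, and a StringBuilder is only created once an illegal code point is actually found. Surrogates are handled through `codePointAt` rather than by comparing individual `char` values, so a valid emoji survives while a half pair does not.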

[jira] [Commented] (MYFACES-4266) Ajax update fails due to invalid characters in response XML (DoS)

2018-11-22 Thread ASF GitHub Bot (JIRA)


[ 
https://issues.apache.org/jira/browse/MYFACES-4266?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16695920#comment-16695920
 ] 

ASF GitHub Bot commented on MYFACES-4266:
-

cnsgithub opened a new pull request #27: fixes 
https://issues.apache.org/jira/browse/MYFACES-4266
URL: https://github.com/apache/myfaces/pull/27
 
 
   Fixes
   - https://issues.apache.org/jira/browse/MYFACES-4266
   
   Related to
   - https://github.com/primefaces/primefaces/issues/3875
   
   @tandraschko Could you please check that?






