[JBoss JIRA] (JBSEAM-5130) Add security warning to seam logging docs
by David Jorm (JIRA)
[ https://issues.jboss.org/browse/JBSEAM-5130?page=com.atlassian.jira.plugi... ]
David Jorm commented on JBSEAM-5130:
------------------------------------
Thanks Marek, the nightly build looks good. I guess we should just mark this bug as resolved once the next release ships, incorporating the updated docs.
> Add security warning to seam logging docs
> -----------------------------------------
>
> Key: JBSEAM-5130
> URL: https://issues.jboss.org/browse/JBSEAM-5130
> Project: Seam 2
> Issue Type: Bug
> Components: Documentation Issues
> Affects Versions: 2.2.2.Final, 2.3.0.Final, 2.3.1.Final
> Reporter: David Jorm
> Priority: Critical
>
> It has been reported that seam parses expression language (EL) statements in log messages. This is safe if used as intended - all user-provided input is supposed to be bound to a variable in the EL, conceptually similar to bound parameters in SQL. If an application did not use the Seam logging facility as intended, and included user-provided strings in log messages directly via string concatenation, then a remote attacker could use this flaw to execute arbitrary code in the context of the application server. The documentation does not highlight this issue at all, and it seems to be highly likely that some seam-based application developers would have used string concatenation with user-provided strings in log messages.
> This needs to be addressed in all seam docs as a priority:
> http://docs.jboss.org/seam/2.3.1.Final/reference/html_single/#d0e4185
> http://docs.jboss.org/seam/2.3.0.Final/reference/en-US/html_single/#d0e4185
> http://docs.jboss.org/seam/2.2.2.Final/reference/en-US/html_single/#d0e4254
> I suggest adding a big red warning admonition such as:
> Title:
> SECURITY WARNING: Do not use string concatenation to construct log messages
> Body:
> Seam logging evaluates expression language (EL) statements in log messages. This is safe if used as intended, because all user-provided input is bound to a parameter in the EL statement. If an application does not use the Seam logging facility as intended, and includes user-provided strings in log messages directly via string concatenation, then a remote attacker could inject EL statements directly into the log messages, which would be evaluated on the server. This could lead to a variety of security impacts. To protect against this issue, ensure that all user-provided input in log messages is bound to a parameter, and not included directly in log messages using string concatenation.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
11 years, 1 month
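One check a practitioner reading this report would want, added here as an example and not part of the issue or of Seam's own code: a heuristic scan of Java source for Seam Log calls whose message template is assembled at run time rather than passed as a literal with the user input bound to a placeholder. It assumes the Seam 2 org.jboss.seam.log.Log API, where the level methods take a template plus varargs that fill #0, #1, ... placeholders (and the template is where #{...} EL gets evaluated); the Java sample it scans is constructed for the example, and the scan is regex-based rather than a Java parser, so it flags candidates for review rather than proving misuse.

```python
"""Heuristic audit for Seam 2 Log calls whose message is built at run time.

Added example for JBSEAM-5130; not Seam project code. Assumes the Seam
logging API: an injected org.jboss.seam.log.Log whose level methods take a
message template plus varargs that fill #0, #1, ... placeholders, and
which evaluates #{...} EL found in the template. Concatenating user input
into the template lets that input reach the EL evaluator; binding it as a
parameter does not, because substituted parameters are not re-parsed.
"""
import re
from typing import List, Tuple

# Constructed sample of a Seam component; not taken from any real project.
SAMPLE_JAVA = """\
@Name("loginAction")
public class LoginAction {
    @Logger Log log;

    public void login(String username, String ip) {
        log.info("login attempt for " + username);                 // template built by concatenation
        log.info("login attempt for #0 from #1", username, ip);    // input bound to #0/#1 instead
        log.debug(String.format("lookup of %s failed", username));  // formatted before Seam sees it
        log.warn("static message with no user input");
        String msg = "user " + username + " locked";
        log.error(msg);                                             // variable: review by hand
    }
}
"""

LEVELS = ("trace", "debug", "info", "warn", "error", "fatal")
CALL_RE = re.compile(r"\b\w+\.(?:" + "|".join(LEVELS) + r")\s*\(")
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')
# Constructs that assemble the template before the logger sees it.
BUILDERS = ("+", "String.format", "StringBuilder", ".append(", ".concat(")


def first_argument(src: str, open_paren: int) -> str:
    """Text of the first argument of the call whose '(' is at src[open_paren].
    Tracks string literals and nesting so commas inside quotes or nested
    calls are not taken as argument separators."""
    depth, in_str, escaped, buf = 0, False, False, []
    for c in src[open_paren:]:
        if in_str:
            buf.append(c)
            if escaped:
                escaped = False
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_str = False
            continue
        if c == '"':
            in_str = True
        elif c == "(":
            depth += 1
            if depth == 1:          # the call's own opening parenthesis
                continue
        elif c == ")":
            depth -= 1
            if depth == 0:          # end of the argument list
                break
        elif c == "," and depth == 1:
            break                   # end of the first argument
        buf.append(c)
    return "".join(buf).strip()


def classify(arg: str) -> str:
    """'literal' for a plain string template, 'concat' when the template is
    assembled at run time, 'variable' for anything else (needs manual review)."""
    code = STRING_RE.sub('""', arg)   # blank out string contents so a '+' inside quotes is ignored
    if any(b in code for b in BUILDERS):
        return "concat"
    if code.strip() == '""':
        return "literal"
    return "variable"


def find_unsafe_log_calls(source: str) -> List[Tuple[int, str, str]]:
    """(line number, classification, first argument) for every Log call whose
    message template is not a plain string literal."""
    findings = []
    for m in CALL_RE.finditer(source):
        arg = first_argument(source, m.end() - 1)
        kind = classify(arg)
        if kind != "literal":
            findings.append((source.count("\n", 0, m.start()) + 1, kind, arg))
    return findings


if __name__ == "__main__":
    for line, kind, arg in find_unsafe_log_calls(SAMPLE_JAVA):
        print(f"line {line}: {kind}: {arg}")
```

The `variable` class covers messages passed through a String variable or a method call, which the scan cannot resolve; trace those back by hand to see whether user input was concatenated upstream. A `literal` template is only as safe as its contents, so a hard-coded `#{...}` in it is still evaluated, but that is the developer's own EL rather than an attacker's.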
[JBoss JIRA] (JBSEAM-5002) Components included with ui:include src="#{pageScopedViewId} broken
by Marek Novotny (JIRA)
[ https://issues.jboss.org/browse/JBSEAM-5002?page=com.atlassian.jira.plugi... ]
Marek Novotny commented on JBSEAM-5002:
---------------------------------------
It seems that JSF 2.1.19 fixed this issue
> Components included with ui:include src="#{pageScopedViewId} broken
> -------------------------------------------------------------------
>
> Key: JBSEAM-5002
> URL: https://issues.jboss.org/browse/JBSEAM-5002
> Project: Seam 2
> Issue Type: Bug
> Components: JSF Integration
> Affects Versions: 2.3.0.BETA2, 2.3.0.Final
> Environment: JBoss AS 7.1.2, Seam 2.3.0.CR1-SNAPSHOT (r14986)
> Reporter: Marek Schmidt
> Assignee: Marek Novotny
> Fix For: 2.3.2.CR1
>
> Attachments: JBSEAM-5002.ear, JBSEAM-5002.tar.gz
>
>
> The following scenario that used to work in AS5/Seam2.2 doesn't work anymore in AS7/Seam2.3 for page-scoped and conversation-scoped "viewId" components:
> index.xhtml:
> {code}
> <h:form>
> <h:commandButton action="#{viewId.component1}" value="Component 1" />
> <h:commandButton action="#{viewId.component2}" value="Component 2" />
> </h:form>
>
> <ui:include src="#{viewId.viewId}"/>
> {code}
> {code}
> import java.io.Serializable;
>
> import org.jboss.seam.ScopeType;
> import org.jboss.seam.annotations.Name;
> import org.jboss.seam.annotations.Scope;
>
> // Page-scoped component whose viewId property drives the ui:include above.
> @Scope(ScopeType.PAGE)
> @Name("viewId")
> public class ViewIdComponent implements Serializable
> {
>     private String viewId = "/component1.xhtml";
>
>     public void setViewId(String viewId) {
>         this.viewId = viewId;
>     }
>
>     public String getViewId() {
>         return viewId;
>     }
>
>     // Action methods bound to the two h:commandButtons
>     public void component1() {
>         setViewId("/component1.xhtml");
>     }
>
>     public void component2() {
>         setViewId("/component2.xhtml");
>     }
> }
> {code}
> (component1 and 2 are redacted; they contain a simple form)
> Only the first component works properly; actions in "component2" don't seem to be called after switching to "Component 2".
11 years, 1 month
[JBoss JIRA] (JBSEAM-5131) Seam ExcelExporter
by Bobby Lawrence (JIRA)
[ https://issues.jboss.org/browse/JBSEAM-5131?page=com.atlassian.jira.plugi... ]
Bobby Lawrence commented on JBSEAM-5131:
----------------------------------------
It might also help if the "processOutputs" method and some of the others like "processColumn" were protected instead of private so that the class could be extended and implementations could provide enhanced functionality
> Seam ExcelExporter
> ------------------
>
> Key: JBSEAM-5131
> URL: https://issues.jboss.org/browse/JBSEAM-5131
> Project: Seam 2
> Issue Type: Bug
> Components: Excel
> Affects Versions: 2.3.0.Final
> Reporter: Bobby Lawrence
> Priority: Minor
>
> The org.jboss.seam.excel.exporter.ExcelExporter component is great, but it doesn't apply converters to objects it puts into Excel spreadsheet cells.
> The "processOutputs" method simply sets the value of the UIOutput in the cell via:
> cell.setValue(output.getValue());
> It would be much more helpful if it called any converter on the output first, with something like:
> Object outputValue = output.getValue();
> Converter converter = output.getConverter();
> if (converter != null) {
>     outputValue = converter.getAsString(
>         FacesContext.getCurrentInstance(), output, outputValue);
> }
> cell.setValue(outputValue);
11 years, 1 month
[JBoss JIRA] (JBSEAM-5131) Seam ExcelExporter
by Bobby Lawrence (JIRA)
Bobby Lawrence created JBSEAM-5131:
--------------------------------------
Summary: Seam ExcelExporter
Key: JBSEAM-5131
URL: https://issues.jboss.org/browse/JBSEAM-5131
Project: Seam 2
Issue Type: Bug
Components: Excel
Affects Versions: 2.3.0.Final
Reporter: Bobby Lawrence
Priority: Minor
11 years, 1 month
[JBoss JIRA] (JBSEAM-5130) Add security warning to seam logging docs
by Marek Novotny (JIRA)
[ https://issues.jboss.org/browse/JBSEAM-5130?page=com.atlassian.jira.plugi... ]
Marek Novotny commented on JBSEAM-5130:
---------------------------------------
Just a link to the nightly build of the Seam reference documentation: https://jenkins.mw.lab.eng.bos.redhat.com/hudson/view/Seam%20Framework/jo...
11 years, 1 month
[JBoss JIRA] (JBSEAM-5130) Add security warning to seam logging docs
by Marek Novotny (JIRA)
[ https://issues.jboss.org/browse/JBSEAM-5130?page=com.atlassian.jira.plugi... ]
Marek Novotny commented on JBSEAM-5130:
---------------------------------------
I already added a similar warning in relation to https://issues.jboss.org/browse/JBSEAM-5128
Commit is here: https://github.com/seam2/jboss-seam/commit/14be4608bda294ec997fa112c7baff...
Regarding updating the old released Seam documentation, I am not really sure I will do that, as the docs there are tied to the existing released tags, which are immutable. Seam users who downloaded old Seam distributions still have the documentation without the warning, and after editing it would also differ from the online Seam documentation :(
11 years, 1 month
[JBoss JIRA] (JBSEAM-5130) Add security warning to seam logging docs
by David Jorm (JIRA)
David Jorm created JBSEAM-5130:
----------------------------------
Summary: Add security warning to seam logging docs
Key: JBSEAM-5130
URL: https://issues.jboss.org/browse/JBSEAM-5130
Project: Seam 2
Issue Type: Bug
Components: Documentation Issues
Affects Versions: 2.3.1.Final, 2.3.0.Final, 2.2.2.Final
Reporter: David Jorm
Priority: Critical
11 years, 1 month
[JBoss JIRA] (JBSEAM-3110) Seam example testing leaves various artifacts behind and does not clean up with "ant clean"
by Marek Novotny (JIRA)
[ https://issues.jboss.org/browse/JBSEAM-3110?page=com.atlassian.jira.plugi... ]
Marek Novotny closed JBSEAM-3110.
---------------------------------
Resolution: Out of Date
> Seam example testing leaves various artifacts behind and does not clean up with "ant clean"
> -------------------------------------------------------------------------------------------
>
> Key: JBSEAM-3110
> URL: https://issues.jboss.org/browse/JBSEAM-3110
> Project: Seam 2
> Issue Type: Task
> Components: Build, Examples
> Affects Versions: 2.0.3.CR1, 2.1.0.A1
> Reporter: Jay Balunas
> Priority: Minor
>
> Several of the examples create extra directories and files. These files are not cleaned up by running "ant clean" in the example or "ant cleanall" in seam.
> To find them, run "ant testall testreport" - for example dvdindexes, blog indexes, and other log files. Perhaps the clean for the example or the cleanall should be changed. This clean-up will be much easier if the location of these files is not based on the relative location of where the build was started.
11 years, 1 month