[ http://jira.jboss.com/jira/browse/JBSEAM-2492?page=all ]
Norman Richards closed JBSEAM-2492.
-----------------------------------
Resolution: Done
Fixing in 2.1 only. The 2.0 fix of sanitizing the setOrder() remains valid. For 2.1, the sanitization is gone and new safe orderColumn and orderDirection attributes are available on queries. seam-gen has been updated to only use these safe properties. The order property should only be set in code or in components.xml configuration.

The only potential issue is 2.0 generated seam-gen applications being migrated to 2.1. A note in the migration guide should be sufficient.
Fix the injection-vulnerable order parameter in seam-gen applications
---------------------------------------------------------------------
Key: JBSEAM-2492
URL: http://jira.jboss.com/jira/browse/JBSEAM-2492
Project: JBoss Seam
Issue Type: Bug
Components: Tools, Framework
Reporter: Norman Richards
Assigned To: Norman Richards
Priority: Critical
Fix For: 2.1.0.GA
We need to rework this code so that the parameter checks can be removed from the Query class.
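The comment above describes the 2.1 design: rather than sanitizing a free-form order string after the fact, the query exposes separate orderColumn and orderDirection attributes, and only values that pass validation ever reach the JPQL/HQL text. The following Java class is an added illustration of that pattern, not Seam's own Query code; the entity name, the whitelist of sortable columns and the method names are assumptions chosen for the example. It places the unsafe string-concatenation form next to the whitelisted form so the difference in where validation happens is visible.

```java
import java.util.Locale;
import java.util.Set;

// Added example (not Seam's code). Models the orderColumn/orderDirection
// design: the column and the direction arrive as two separate values and
// each is checked against a closed set before any query string is built.
public final class SafeOrderClause {

    // Hypothetical whitelist: the only columns this page may sort by.
    private static final Set<String> ALLOWED_COLUMNS =
            Set.of("name", "createdDate", "price");

    public enum Direction { ASC, DESC }

    // UNSAFE pattern: the caller supplies the entire ORDER BY fragment, so
    // whatever arrives in the request parameter is concatenated into the
    // query verbatim. This is what the 2.0 sanitization had to guard.
    public static String unsafeOrderBy(String rawOrder) {
        return "select p from Product p order by " + rawOrder;
    }

    // SAFE pattern: the column must be one of the whitelisted names and the
    // direction must parse as one of two enum constants. Anything else is
    // rejected before string building happens, so no sanitizer is needed.
    public static String safeOrderBy(String column, String direction) {
        if (column == null || !ALLOWED_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("unknown order column: " + column);
        }
        Direction dir;
        try {
            String d = (direction == null) ? "ASC" : direction.trim().toUpperCase(Locale.ROOT);
            dir = Direction.valueOf(d);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("invalid order direction: " + direction, e);
        }
        return "select p from Product p order by p." + column + " "
                + dir.name().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Accepted: a whitelisted column with a recognised direction.
        System.out.println(safeOrderBy("price", "desc"));

        // Rejected: values that are not exactly a whitelisted column name.
        // A whole fragment, a column list, or an unknown name all fail the
        // membership check rather than reaching the query.
        String[] notColumns = { "price desc", "price, name", "notAColumn" };
        for (String bad : notColumns) {
            try {
                safeOrderBy(bad, "asc");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The point of the comparison is the one the ticket makes: with the column and direction validated against closed sets, the Query class no longer needs parameter checks on the assembled order string, and an application that still sets a free-form order value (as a migrated 2.0 seam-gen application might) is the case to look for in review.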
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira