[ https://jira.jboss.org/jira/browse/JBSEAM-3550?page=com.atlassian.jira.pl... ]
Norman Richards closed JBSEAM-3550.
-----------------------------------
Resolution: Done
This was implemented independently of this issue, so I'm marking it as done. I would
like to comment on a few issues with this, because we really need to exercise extreme
caution here.
First, when configuring the order in code or in XML, the order property can be used. This
should give you full control over the order clause with no checking being done. The
orderColumn and orderDirection properties are for UI binding purposes. We have to impose
extremely strict constraints on these for security reasons.
I'm not even comfortable with the way things worked before the change because it
already has a very subtle vulnerability. The problem isn't just injection. Let's
say you have a user list and you expose the order column the way it is in seam-gen. You want
to allow sorting by name, email etc., but every person also has a salary column (which
you have edited out of the seam-gen screen). If you bind orderColumn to the UI, the user
could sort the people based on salary, exposing information about people that you probably
don't want exposed.
I really don't like that. Allowing "." in the bindable order column field
increases the magnitude of the vulnerability, exposing even more fields to the
vulnerability. This can't be considered a good thing.
I don't have a solution for this short of requiring explicit configuration of each
sortable column value, either a white list of valid values or a mapping for names to query
strings. This would impose a bit of a burden on seam-gen, but it would be doable.
Comments?
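The whitelist-or-mapping approach suggested in the comment above, as an added, self-contained example that is not part of this message or of Seam's own Query class. It also shows why the pattern proposed in the issue description ('^(\w+)(\.\w+)*$') does not address the disclosure problem: a pattern accepts every property the entity has. The entity name Person, the alias p, and the properties name, email, payment.name and salary are assumptions for the example.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/**
 * Added illustration, not Seam code: a UI-bindable sort key is resolved
 * through an explicit map from UI names to ORDER BY fragments, so only
 * columns the developer chose to expose can ever reach the query.
 */
public class SortWhitelistDemo {

    // The pattern proposed in the issue; it admits any dotted property path.
    static final Pattern PROPOSED_ORDER_COLUMN_PATTERN =
            Pattern.compile("^(\\w+)(\\.\\w+)*$");

    // Keys are what the UI may send; values are the only fragments that reach the query.
    // Entity and property names are assumptions for this example.
    static final Map<String, String> SORTABLE;
    static {
        Map<String, String> m = new LinkedHashMap<String, String>();
        m.put("name", "p.name");
        m.put("email", "p.email");
        m.put("paymentName", "p.payment.name"); // joined property under a UI alias
        // deliberately no entry for salary: it exists on the entity but is not sortable
        SORTABLE = Collections.unmodifiableMap(m);
    }

    /** Resolve a UI sort key; anything not explicitly whitelisted is rejected. */
    static String resolveOrderColumn(String uiKey) {
        String fragment = SORTABLE.get(uiKey);
        if (fragment == null) {
            throw new IllegalArgumentException("invalid order column");
        }
        return fragment;
    }

    /** Direction is a closed set as well, never free text from the request. */
    static String resolveOrderDirection(String direction) {
        if ("asc".equalsIgnoreCase(direction)) {
            return "asc";
        }
        if ("desc".equalsIgnoreCase(direction)) {
            return "desc";
        }
        throw new IllegalArgumentException("invalid order direction");
    }

    /** Build the query string from UI-supplied sort key and direction. */
    static String buildQuery(String uiKey, String direction) {
        return "select p from Person p order by "
                + resolveOrderColumn(uiKey) + " " + resolveOrderDirection(direction);
    }

    public static void main(String[] args) {
        // The pattern alone accepts properties the UI was never meant to sort on.
        System.out.println("pattern accepts salary: "
                + PROPOSED_ORDER_COLUMN_PATTERN.matcher("salary").matches());
        System.out.println("pattern accepts payment.amount: "
                + PROPOSED_ORDER_COLUMN_PATTERN.matcher("payment.amount").matches());

        // The whitelist accepts only the exposed aliases.
        System.out.println(buildQuery("paymentName", "desc"));
        try {
            buildQuery("salary", "asc");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected salary: " + e.getMessage());
        }
    }
}
```

Because the UI never sees the real property paths, the mapping also lets a joined property such as payment.name be sortable without relaxing any pattern at all, which is the use case the issue asked for.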
EntityQuery and ordering issue
------------------------------
Key: JBSEAM-3550
URL: https://jira.jboss.org/jira/browse/JBSEAM-3550
Project: Seam
Issue Type: Bug
Components: Core
Affects Versions: 2.1.0.CR1
Reporter: Jarek Gilewski
Assignee: Norman Richards
Fix For: 2.1.0.GA
I cannot call
setOrderColumn("pi.payment.name"); // for joined tables
for EntityQuery.
I got
java.lang.IllegalArgumentException: invalid order column
at org.jboss.seam.framework.Query.sanitizeOrderColumn(Query.java:445)
at org.jboss.seam.framework.Query.setOrderColumn(Query.java:436)
I can see in Query.java that the column name is checked with the pattern "\\w*$"
(ORDER_COLUMN_PATTERN), which I guess doesn't allow a dot in the order column name.
Can we change the ORDER_COLUMN_PATTERN to allow ordering by related columns?
I think it should be something like this: '^(\w+)(\.\w+)*$'.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira