[richfaces-issues] [JBoss JIRA] Resolved: (RF-3586) URLs of resources are not predictable
Nick Belaevski (JIRA)
jira-events at lists.jboss.org
Wed Jul 30 12:29:26 EDT 2008
[ https://jira.jboss.org/jira/browse/RF-3586?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Nick Belaevski resolved RF-3586.
--------------------------------
Resolution: Done
Assignee: Tsikhon Kuprevich (was: Nick Belaevski)
> URLs of resources are not predictable
> -------------------------------------
>
> Key: RF-3586
> URL: https://jira.jboss.org/jira/browse/RF-3586
> Project: RichFaces
> Issue Type: Bug
> Affects Versions: 3.1.4, 3.1.5, 3.2.0
> Reporter: Olivier Martin
> Assignee: Tsikhon Kuprevich
> Fix For: 3.2.2
>
>
> The way RichFaces generates URLs for the scripts and styles is incompatible with security restrictions in a corporate world.
> When applications are deployed in production, the list of the URLs it uses has to be known : the Firewalls are configured with this "white-list" and a "black-list" forbidding URLs with ".." characters.
> For instance the following URL has several problems :
> a4j_3_1_5.GAcss/table.xcss/DATB/eAF7P..bLgAIQwM..faces
> * The prefix "a4j_3_1_5.GA" can be configured, but usually the projects don't bother to do it, thus this part is gonna change with each RichFaces release
> * The part "eAF7P..bLgAIQwM." is unpredictable, it depends on the value of the object SkinImpl.hashcode() ?!!
> * The part "eAF7P..bLgAIQwM." contains ".."' characters
> Overall we had to bypass the usual security restrictions to put an application in production, this is unacceptable.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the richfaces-issues
mailing list