[richfaces-issues] [JBoss JIRA] (RF-13358) rich:panelMenuGroup allowing actions executions even if originally disabled

Pavol Pitonak (JIRA) issues at jboss.org
Mon Jan 6 07:03:33 EST 2014


    [ https://issues.jboss.org/browse/RF-13358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12933768#comment-12933768 ] 

Pavol Pitonak commented on RF-13358:
------------------------------------

[~manovotn], please verify and remove needs-qe label if it's OK.
                
> rich:panelMenuGroup allowing actions executions even if originally disabled
> ---------------------------------------------------------------------------
>
>                 Key: RF-13358
>                 URL: https://issues.jboss.org/browse/RF-13358
>             Project: RichFaces
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: component-menu
>    Affects Versions: 4.3.4
>         Environment: Linux, AS 7.1.1 Brontes, FF 25 with FireBug addOn
>            Reporter: Pavel Slegr
>            Assignee: Brian Leathem
>            Priority: Critical
>              Labels: needs-qe
>             Fix For: 4.3.5, 4.5.0.Alpha2, 5.0.0.Alpha3
>
>   Original Estimate: 1 hour
>  Remaining Estimate: 1 hour
>
> related to https://issues.jboss.org/browse/RF-12813
> This can possibly be a security hole, as the second component piece is discovered to allow tampering with actions through JS.
> I suggest trying this out on other components as well!!!
> with the following example
> {code}
>                 <rich:panelMenuGroup id="group4" label="Group 4" expanded="false">
>                     <rich:panelMenuItem id="item41" label="Item 4.1" />
>                     <rich:panelMenuItem id="item42" label="Item 4.2" disabled="true" />
>                     <rich:panelMenuGroup id="group43" label="Group 4.1" disabled="true">
>                         <rich:panelMenuItem id="item431" label="Item 4.1.1" />
>                     </rich:panelMenuGroup>
>                 </rich:panelMenuGroup>
> {code}
> The group43 element is intended to be disabled and thus not to allow any action execution on it.
> Once tampered with
> {code}
> new RichFaces.ui.PanelMenuGroup("f:group43",{"collapseEvent":"click","unselectable":false,"selectable":false,"name":"group43","ajax":{"incId":"1"} ,"stylePrefix":"rf\u002Dpm\u002Dgr","expanded":false,"expandEvent":"click","disabled":false,"mode":"client"} )
> {code}
> It is possible to expand the group and execute further actions on its children elements

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
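The root cause described in the report is that the disabled state of the group is enforced only by the JavaScript widget options, which a browser user can rewrite. As an added example (not RichFaces' own code or its actual fix for this issue), the following JSF renderer re-checks the server-side `disabled` attribute in `decode()` before accepting any submitted state; the `package` name, the `GuardedMenuGroupRenderer` class and the `<clientId>:expanded` request parameter convention are assumptions for illustration.

```java
// Added example, not project code: server-side guard for a disabled menu group.
package example; // hypothetical package name

import java.util.Map;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.event.ActionEvent;
import javax.faces.render.Renderer;

public class GuardedMenuGroupRenderer extends Renderer {

    @Override
    public void decode(FacesContext context, UIComponent component) {
        Map<String, String> params =
            context.getExternalContext().getRequestParameterMap();
        String clientId = component.getClientId(context);

        // Assumed client convention: the widget posts <clientId>:expanded=true|false.
        String submitted = params.get(clientId + ":expanded");
        if (submitted == null) {
            return; // this component took no part in the request
        }

        // The authoritative state lives in the server-side component tree;
        // whatever the browser claims about "disabled" is ignored here.
        if (isDisabled(component)) {
            context.getExternalContext()
                   .log("Ignoring submitted event for disabled component " + clientId);
            return;
        }

        component.getAttributes().put("expanded", Boolean.valueOf(submitted));
        component.queueEvent(new ActionEvent(component));
    }

    // Reads the "disabled" attribute, resolving any EL value expression bound to it.
    static boolean isDisabled(UIComponent component) {
        Object value = component.getAttributes().get("disabled");
        return Boolean.TRUE.equals(value) || "true".equals(value);
    }
}
```

Because children of a disabled group never have their own decode reached when the parent guard returns early, the same check also covers the `item431` case from the report.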
