[richfaces-issues] [JBoss JIRA] (RF-13358) rich:panelMenuGroup allowing actions executions even if originally disabled

Juraj Húska (JIRA) issues at jboss.org
Fri Jan 10 11:33:32 EST 2014


    [ https://issues.jboss.org/browse/RF-13358?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12935079#comment-12935079 ] 

Juraj Húska commented on RF-13358:
----------------------------------

The problem is that the test verifying this issue is a false positive.

Explanation:
For example, the test {{test_disabled_menu_group}}, [here|https://github.com/richfaces/richfaces/blob/master/framework/src/test/integration/org/richfaces/ui/toggle/panelMenu/ITPanelMenu.java#L122], tries to:
* click on the group to collapse it
* verify whether an Ajax request changed the state of the bean bound to the group's {{action}} param.

However, there is no Ajax request made, and at the same time the group is collapsed even when it is disabled (when the script executed after the page load has been tampered with). Therefore, the test wrongly expects that the group is still disabled.

It is weird, because on the one hand the group does not make an Ajax request when clicked (I guess because of some client check), and on the other hand it is expanded/collapsed.

I tried to make the test more deterministic with the use of Page Fragments, but their implementation does not account for such a bug. I will try further if you agree.

Can I do something more?
                
> rich:panelMenuGroup allowing actions executions even if originally disabled
> ---------------------------------------------------------------------------
>
>                 Key: RF-13358
>                 URL: https://issues.jboss.org/browse/RF-13358
>             Project: RichFaces
>          Issue Type: Bug
>      Security Level: Public(Everyone can see) 
>          Components: component-menu
>    Affects Versions: 4.3.4
>         Environment: Linux, AS 7.1.1 Brontes, FF 25 with FireBug addOn
>            Reporter: Pavel Slegr
>            Assignee: Brian Leathem
>            Priority: Critical
>              Labels: needs-qe
>             Fix For: 4.3.5, 4.5.0.Alpha2, 5.0.0.Alpha3
>
>   Original Estimate: 1 hour
>  Remaining Estimate: 1 hour
>
> related to https://issues.jboss.org/browse/RF-12813
> This can possibly be a security hole, as this is the second component piece discovered to allow tampering with actions through JS.
> I suggest trying this out on other components as well!!!
> With the following example:
> {code}
> <rich:panelMenuGroup id="group4" label="Group 4" expanded="false">
>     <rich:panelMenuItem id="item41" label="Item 4.1" />
>     <rich:panelMenuItem id="item42" label="Item 4.2" disabled="true" />
>     <rich:panelMenuGroup id="group43" label="Group 4.1" disabled="true">
>         <rich:panelMenuItem id="item431" label="Item 4.1.1" />
>     </rich:panelMenuGroup>
> </rich:panelMenuGroup>
> {code}
> The group43 element is intended to be disabled and thus not to allow any action execution on it.
> Once tampered with:
> {code}
> {
> new RichFaces.ui.PanelMenuGroup("f:group43",{"collapseEvent":"click","unselectable":false,"selectable":false,"name":"group43","ajax":{"incId":"1"} ,"stylePrefix":"rf\u002Dpm\u002Dgr","expanded":false,"expandEvent":"click","disabled":false,"mode":"client"} )
> }
> {code}
> it is possible to expand the group and execute further actions on its child elements.
> NOTE: to verify this in RF 4.5 the JS function is: _new RichFaces.rf4.ui....._
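The report above shows that the `disabled` flag lives in a client-side JS object and can be flipped before the request is sent. The added example below (not RichFaces code, and not part of the original thread) is a JSF action listener that re-checks the `disabled` attribute of the source component and its enclosing groups in the server-side component tree, so an action fired from a tampered `group43` is refused regardless of what the browser claims. The bean and method names, and the handling of `disabled` as either a `Boolean` or the string `"true"`, are assumptions.

```java
import javax.faces.component.UIComponent;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;

// Added example, not RichFaces code: a managed bean whose action listener refuses
// to run when the server-side component tree says the source component (or any
// enclosing group, such as a panelMenuGroup with disabled="true") is disabled.
// The client-side "disabled":false value in the JS constructor is never consulted.
public class DisabledGuardBean {

    /** True if the component or any ancestor carries disabled="true" on the server. */
    static boolean isDisabledOnServer(UIComponent component) {
        for (UIComponent cur = component; cur != null; cur = cur.getParent()) {
            // getAttributes() resolves bean properties and EL value expressions,
            // so this reflects the server's view rather than the tampered client object.
            Object disabled = cur.getAttributes().get("disabled");
            if (Boolean.TRUE.equals(disabled) || "true".equals(disabled)) {
                return true;
            }
        }
        return false;
    }

    // Bind with <rich:panelMenuItem actionListener="#{disabledGuardBean.guarded}" ... />
    // (bean name assumed). Throwing AbortProcessingException stops the event broadcast,
    // so the action method bound to the component is not invoked.
    public void guarded(ActionEvent event) {
        UIComponent source = event.getComponent();
        if (isDisabledOnServer(source)) {
            // A request from a disabled component only happens when the client-side
            // state was altered; a real application would also log source.getClientId().
            throw new AbortProcessingException(
                "Refusing action from disabled component " + source.getClientId());
        }
        // ... the action's real work goes here
    }
}
```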

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira