[jbossseam-issues] [JBoss JIRA] Closed: (JBSEAM-2492) Fix the injection-vulnerable order parameter in seam-gen applications

Norman Richards (JIRA) jira-events at lists.jboss.org
Wed Feb 6 00:24:03 EST 2008


     [ http://jira.jboss.com/jira/browse/JBSEAM-2492?page=all ]

Norman Richards closed JBSEAM-2492.
-----------------------------------

    Resolution: Done

Fixing in 2.1 only.  The 2.0 fix of sanitizing the setOrder() remains valid.  For 2.1, the sanitization is gone and new safe orderColumn and orderDirection attributes are available on queries.  seam-gen has been updated to only use these safe properties.  The order property should only be set in code or in components.xml configuration.

The only potential issue is 2.0 generated seam-gen applications being migrated to 2.1.  A note in the migration guide should be sufficient.

> Fix the injection-vulnerable order parameter in seam-gen applications
> ---------------------------------------------------------------------
>
>                 Key: JBSEAM-2492
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2492
>             Project: JBoss Seam
>          Issue Type: Bug
>          Components: Tools, Framework
>            Reporter: Norman Richards
>         Assigned To: Norman Richards
>            Priority: Critical
>             Fix For: 2.1.0.GA
>
>
> We need to rework this code so that the parameter checks can be removed from the Query class.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
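The comment above describes the 2.1 approach: rather than sanitizing a free-form order string, a query exposes separate orderColumn and orderDirection attributes, so the only thing a request parameter can bind to is a column name checked against the entity's sortable attributes and a direction that is either asc or desc. The Java class below is an added illustration of that pattern; it is not the Seam framework's Query class. The class name, the SORTABLE_COLUMNS allowlist and the sample query string are constructed for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

// Hypothetical query holder demonstrating constrained ordering attributes.
// Not Seam's own Query class; written for illustration only.
public final class SafeOrderQuery {

    // Constructed allowlist of attributes the UI may sort on (an assumption for
    // this example; a real application would derive it from the entity mapping).
    private static final Set<String> SORTABLE_COLUMNS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("id", "name", "createdDate")));

    // A column reference is a simple identifier or a dotted path such as "owner.name".
    private static final Pattern IDENTIFIER =
            Pattern.compile("[A-Za-z_][A-Za-z0-9_]*(\\.[A-Za-z_][A-Za-z0-9_]*)*");

    private final String baseQuery;
    private String orderColumn;            // null means "no ORDER BY clause"
    private String orderDirection = "asc"; // only ever "asc" or "desc"

    public SafeOrderQuery(String baseQuery) {
        this.baseQuery = baseQuery;
    }

    // Accepts only a syntactically valid identifier that is also on the allowlist.
    public void setOrderColumn(String column) {
        if (column == null
                || !IDENTIFIER.matcher(column).matches()
                || !SORTABLE_COLUMNS.contains(column)) {
            throw new IllegalArgumentException("not a sortable column: " + column);
        }
        this.orderColumn = column;
    }

    // Accepts only "asc" or "desc" (case-insensitive); anything else is rejected.
    public void setOrderDirection(String direction) {
        if (direction == null) {
            throw new IllegalArgumentException("direction must not be null");
        }
        String normalized = direction.trim().toLowerCase(Locale.ROOT);
        if (!"asc".equals(normalized) && !"desc".equals(normalized)) {
            throw new IllegalArgumentException("direction must be asc or desc: " + direction);
        }
        this.orderDirection = normalized;
    }

    public String getOrderColumn() {
        return orderColumn;
    }

    public String getOrderDirection() {
        return orderDirection;
    }

    // The ORDER BY clause is assembled only from the two validated attributes, so
    // no untrusted text ever reaches the query string.
    public String getEjbql() {
        if (orderColumn == null) {
            return baseQuery;
        }
        return baseQuery + " order by " + orderColumn + " " + orderDirection;
    }

    public static void main(String[] args) {
        SafeOrderQuery query = new SafeOrderQuery("select p from Person p");
        query.setOrderColumn("name");
        query.setOrderDirection("DESC");
        System.out.println(query.getEjbql());

        // A free-form ordering fragment, the kind of value the old "order" parameter
        // accepted, is rejected here because it is not a single allowlisted column.
        try {
            query.setOrderColumn("name desc, id");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With this shape, a page parameter can be mapped to orderColumn and orderDirection while the combined order string is only ever set from code or components.xml, which is the configuration the comment describes for 2.1. The allowlist check is what makes the approach safe; the identifier pattern alone would still admit any mapped attribute name, so the two checks are kept separate on purpose.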
