CXF-3390
Field value from previous request is recycled when field is absent in new request


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.4
    • Fix Version/s: 2.4
    • Component/s: JAX-RS
    • Labels: None

    Description

      This was tested against 2.3.1 and HEAD.

      Consider this class:

      import javax.ws.rs.GET;
      import javax.ws.rs.Path;
      import javax.ws.rs.QueryParam;

      @Path("/test")
      public class Test {
        // Bound from the "q" query parameter on each request; on an affected
        // build the field keeps its old value when a later request omits "q".
        @QueryParam("q") private String q;

        @GET
        public void test() {
          System.err.println(q);
        }
      }
      

      Now consider this test case:

      $ curl http://localhost:8080/test       # prints "null"
      $ curl http://localhost:8080/test?q=foo # prints "foo"
      $ curl http://localhost:8080/test       # prints "foo" !
      

      This is a serious bug because it leaks information. It's not specific to @QueryParam; the other annotations have the same problem.

      I discovered it in a resource that is used for authentication: after logging in once, I could log in again without providing a username and password!
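      An added example (mine, not code from this report or from CXF) that puts the reporter's field-injected resource beside the method-parameter form, which cannot carry a value from one request into the next regardless of how the runtime treats injected fields. Assumed: a CXF 2.x JAX-RS runtime on the classpath, a free port 8080, and an affected build for the stale-value behaviour; the class names, the /field and /param paths and the 400 response for a missing parameter are my own choices.

```java
// Added example for CXF-3390; not part of the report or of the CXF code base.
// Assumptions: CXF 2.x JAX-RS runtime on the classpath, port 8080 free.
// Class names, paths and the 400 response are mine.
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;

import org.apache.cxf.jaxrs.JAXRSServerFactoryBean;

public class RecycledFieldDemo {

    // The pattern from the report: the query parameter is injected into a
    // field. When one instance serves every request and the runtime does not
    // reset the field for a request that omits "q", the previous value is
    // reused (the leak the report describes).
    @Path("/field")
    public static class FieldInjected {
        @QueryParam("q")
        private String q;

        @GET
        public String get() {
            return String.valueOf(q);
        }
    }

    // Hardened form: the parameter is a method argument, so it is bound on
    // every invocation and never outlives the request, even on a singleton.
    // "Absent" is also handled explicitly instead of relying on null.
    @Path("/param")
    public static class ParamInjected {
        @GET
        public Response get(@QueryParam("q") String q) {
            if (q == null) {
                return Response.status(Response.Status.BAD_REQUEST)
                               .entity("q is required").build();
            }
            return Response.ok(q).build();
        }
    }

    public static void main(String[] args) throws Exception {
        JAXRSServerFactoryBean sf = new JAXRSServerFactoryBean();
        sf.setAddress("http://localhost:8080/");
        // setServiceBeans registers singletons: one instance per resource for
        // all requests, which is the situation in which field injection can
        // leak state across callers. Both resources are singletons here so
        // that only the injection style differs.
        sf.setServiceBeans(new FieldInjected(), new ParamInjected());
        sf.create();

        // Manual check (assumed port), in the order the report uses:
        //   curl 'http://localhost:8080/field?q=foo'   -> foo
        //   curl 'http://localhost:8080/field'         -> foo on an affected
        //                                                 build, null otherwise
        //   curl 'http://localhost:8080/param?q=foo'   -> foo
        //   curl 'http://localhost:8080/param'         -> 400 "q is required"
        System.out.println("Server started on http://localhost:8080/");
        Thread.sleep(Long.MAX_VALUE);
    }
}
```

      The second curl against /field is the check that matters: a null (or a 400, if the resource demands the parameter) means the runtime reset the field; the earlier caller's value means requests are sharing state, and anything the resource does with that field, authentication included, is acting on another request's input.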

      People

        Assignee: Sergey Beryozkin
        Reporter: Ben Noordhuis
