[MYFACES-4266] Ajax update fails due to invalid characters in response XML (DoS) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3.2
Fix Version/s: 2.2.13, 2.3.3, 2.3-next-M1
Component/s: None
Labels:
None
Environment:
jetty 9.4.14.v20181114
JDK 10

Description

I noticed that the <f:ajax /> update fails when the updated form contains unicode characters, which are not allowed in the XML 1.0 spec.

Expected Behaviour

If the update response contains characters that are not allowed in XML, they should be filtered by MyFaces before writing the response.

Actual Behaviour

Some illegal XML characters are not filtered and therefore the browser fails to parse the response.

Steps to reproduce

I created a small github project to reproduce this behaviour: https://github.com/cnsgithub/mojarra-ajax/tree/myfaces (branch myfaces)
To reproduce:

git clone https://github.com/cnsgithub/mojarra-ajax
git checkout myfaces
run mvn clean package jetty:run
after the server has started, open http://localhost:8080/index.xhtml
Click the button, the error should occur

The issue also occurs with user supplied inputs:

open http://localhost:8080/input.xhtml
Paste the characters from the illegal-xml-chars.txt file into the input field
Click the button

This issue should be addressed with high priority since it is security related (might be exploited for Denial of Service).

Attachments

Issue Links

links to

GitHub Pull Request #27

Activity

People

Assignee:: Unassigned

Reporter:: cnsgithub

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Nov/18 08:28

Updated:: 24/Jan/19 14:56

Resolved:: 27/Nov/18 08:50