Closed javaserverfaces closed 9 years ago
Reported by KrishnanGNV
@manfredriem said: Can you please send a reproducer (with sources) to issues@javaserverfaces.java.net? Thanks!
krishnangnv said: Below is the source code in the JSF implementation that is failing:
Issues in the com.sun.faces.lifecycle.RestoreViewPhase method maybeTakeProtectedViewAction(...) implementation
The above URL https://
private boolean originatesInWebapp(FacesContext context, String view, ViewDeclarationLanguage vdl) throws URISyntaxException {
    boolean isAbsoluteURI = view.matches("^[a-z]+://.*");
}
and subsequently the port is matched in the code below:
if (-1 == uri.getPort()) {
    portsMatch = false;
}
Either the regular expression has to include the presence of a port, or, when uri.getPort returns -1, a check needs to be done whether the JSF environment listens on a default port like 80/443.
Hope this provides a background to debug and fix the issue.
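The check proposed in the comment above, sketched as an added example (not Mojarra's code and not the reporter's): when the Referer has no explicit port, derive the port from the scheme before comparing origins. The class name, method names and the app.example host are assumptions made for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added example, not Mojarra source. All names here are hypothetical.
public class RefererPortCheck {

    // URI.getPort() returns -1 when the authority carries no explicit port,
    // so fall back to the scheme's default before comparing.
    static int effectivePort(URI uri) {
        if (uri.getPort() != -1) {
            return uri.getPort();
        }
        String scheme = uri.getScheme();
        if ("http".equalsIgnoreCase(scheme)) return 80;
        if ("https".equalsIgnoreCase(scheme)) return 443;
        return -1; // unknown or missing scheme: no default, caller rejects
    }

    // True only when scheme, host and effective port all match the values
    // the application is reached on. Anything else is treated as foreign.
    static boolean sameOrigin(String referer, String scheme, String host, int port) {
        try {
            URI uri = new URI(referer);
            int refererPort = effectivePort(uri);
            return refererPort != -1
                    && refererPort == port
                    && scheme.equalsIgnoreCase(uri.getScheme())
                    && host.equalsIgnoreCase(uri.getHost());
        } catch (URISyntaxException e) {
            return false; // an unparsable Referer fails the check
        }
    }

    public static void main(String[] args) {
        // Constructed sample Referer values; app.example is a placeholder host.
        String[] referers = {
            "https://app.example/pages/home.xhtml",      // no explicit port
            "https://app.example:443/pages/home.xhtml",  // explicit default port
            "https://app.example:8443/pages/home.xhtml", // non-default port
            "http://app.example/pages/home.xhtml",       // different scheme
            "https://other.example/pages/home.xhtml",    // different host
            "/pages/home.xhtml"                          // relative, no scheme or host
        };
        for (String referer : referers) {
            System.out.println(referer + " -> "
                    + sameOrigin(referer, "https", "app.example", 443));
        }
    }
}
```

When a web server fronts the application server, the scheme, host and port passed to the comparison have to be the ones the browser used, which may differ from the port the application server itself listens on.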
@manfredriem said: Can you please send a reproducer (a Maven project with sources) to issues@javaserverfaces.java.net? I realize you can't give me the Apache part, but I would really like the web application, so I know for sure we are talking about the same thing. Thanks!
@manfredriem said: Lowering priority because of no response
@manfredriem said: Closing out because of no response
This issue was imported from java.net JIRA JAVASERVERFACES-3513
Marked as incomplete on Monday, February 23rd 2015, 6:49:10 am
The CSRF check prevents the request when the referrer URL has default ports (80/443).
When a web server is integrated with the app server, the referrer header values may also have default ports, e.g. referer=http:///pages/home.xhtml
The current check for ports ignores default ports and throws an exception as if the request were forged. Ref: src/main/java/com/sun/faces/lifecycle/RestoreViewPhase.java
Precondition: Configure the urls with tags.
Affected Versions
[2.2.6, 2.2.7, 2.2.8]