[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
[
List Home]
Re: [faces-dev] Client Window ID Issue
|
Perfect. Licenses always feel like a potential landmine. :)
I've updated the PR as requested.
Thanks!
On 12/12/23 7:57 AM, Arjan Tijms wrote:
Hi,
While licenses are always a concern, it looks like Mojarra
already incorporates a few files with this license.
Kind regards,
Arjan Tijms
Concerns over how Mojarra generates its client window ID
were recently brought to my attention. While the spec
appears to be silent on the issue, Mojarra uses the
session ID to build the ID, and MyFaces uses a secure
random. The use of the session ID is of concern to the
reporter here, as that can contribute to session hijacking
attacks, at least in theory. While there ways to mitigate
or reduce those chances, I'd like to eliminate then
altogether.
I have filed an issue (https://github.com/eclipse-ee4j/mojarra/issues/5375)
and put up a PR (https://github.com/eclipse-ee4j/mojarra/pull/5376).
While I know the PR will be seen eventually, I bring it up
here to highlight that I copied (copyright and all, of
course), the TokenGenerator class that MyFaces uses. If
that (or the license, etc) is an issue, please let me know
and I'll work on another implementation. Since there was
an existing open source one with what I _think_ is a
compatible license, I saw no reason for the exercise (I
actually used a potentially naive UUID-based impl to test
with originally). I hope I wasn't wrong. :)
_______________________________________________
faces-dev mailing list
faces-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/faces-dev