Former post form values are now get values #6963
Replies: 1 comment 12 replies
-
The PR that updates the task list is not merged yet into main. After PR #6906 is merged, the task list will have the same query parameters.
Yes. Previously, these parameters were managed in the user's session via @SessionScoped beans. While refactoring them to @ViewScoped, see #6456, I implemented the change to URL query parameters, which I believe to be a significant advantage, because now URLs fully represent the view state and can be shared amongst users, e.g. by eMail, or stored as a bookmark. I can imagine that this opens up interesting new use-cases, e.g., sending a link to the process list with a pre-defined filter to a colleague asking for assistance with regards to these processes.
Yes, URL query parameters are sanitized where appropriate. For example, the All of the URL query parameters are only controlling how information is queried from the database. There should not be any way to exploit this.
Well. I wouldn't call it "secured". They were hidden from non-expert users. A user may manipulate any of his own post requests before sending it to the server. From this perspective, the "attack surface" should be the same as before. There is one exception I am not entirely happy with. The parameter "referrerListOptions" is an easy way to remember query parameters while navigating between views (to avoid additional concepts like the Flash API). However, I think that URLs should not contain technical information like that, which have no immediate benefit for the user. In this case, it would make sense to hide this information again from users. Since there is already another exception which requires @SessionScoped state (preserving the previous filter query) , I guess it might makes sense to move this parameter into session state again in the future. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
I notices that in the most recent versions of the main branch (4.0.x development) that many post form variables are now get parameters. Like
pages/processes?tab=processTab&filter="id%3A44394"pages/processes?filter="stepopen%3AOCR+durchführen"+&sortField=id&showInactiveProjects=false&firstRow=0&tab=processTab&showClosedProcesses=false&sortOrder=descpages/users?tab=usersTab&firstRow=200pages/importConfigurationEdit?referrerListOptions=firstRow%3D0%26filter%3D%26sortOrder%3Dasc%26sortField%3Dtitle&id=1pages/templateEdit?referrerListOptions=firstRow%3D0%26filter%3D%26sortOrder%3Dasc%26sortField%3Dtitle&id=4&duplicate=trueprojectEdit?referrer=projects&referrerListOptions=firstRow%3D0%26filter%3D%26sortOrder%3Dasc%26sortField%3Dtitle&id=3and many more.
But this did not happen on the task list page if I enter a search filter or so.
Before I open an issue / bug report I would ask before: Is this intended? I see there some risk if this parameters are so easily editable for any user and I don't know if checking for valid values for this parameters is executed so that the user can not exploit this in any way. Former post values was secured by the JSF mechanism.
@solth @thomaslow pinging both of you as you worked in the recent time on this.
Beta Was this translation helpful? Give feedback.
All reactions