[JAVASERVERFACES_SPEC_PUBLIC-1112] Security bug with FacesContext in application startup
Created: 01/Jun/12 Updated: 13/Aug/14
Regarding the FacesContext that is available during application initialization, we need some language in the spec about how it is cleaned up. Otherwise, it can leak into the initialization thread of another application and allow one WAR to see the context of another WAR.
Also, we need some language saying that FacesContext.getCurrentInstance() should always return null except when:
See http://java.net/jira/browse/JAVASERVERFACES-2436 for full details and an application that recreates the issues.
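The leak and the cleanup described above, as an added example that is not code from this issue or from any JSF implementation. It assumes the startup context is bound to the initializing thread, which is how `FacesContext.getCurrentInstance()` resolves the current instance; `Ctx`, the WAR names and the single-thread deployer are constructed stand-ins.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class StartupContextLeakDemo {
    // Stand-in for FacesContext (assumption): one "current instance" per thread.
    static final class Ctx {
        private static final ThreadLocal<Ctx> CURRENT = new ThreadLocal<>();
        final String app;
        Ctx(String app) { this.app = app; CURRENT.set(this); }
        static Ctx getCurrentInstance() { return CURRENT.get(); }
        void release() { CURRENT.remove(); }
    }

    // Initializes one application on the calling thread and reports
    // which context was already visible when initialization began.
    static String init(String app, boolean cleanUp) {
        Ctx seenOnEntry = Ctx.getCurrentInstance();
        Ctx startup = new Ctx(app);
        try {
            // Startup listeners and configuration processing would run here.
        } finally {
            if (cleanUp) startup.release(); // the cleanup the spec language would require
        }
        return app + " saw on entry: "
            + (seenOnEntry == null ? "null" : "context of " + seenOnEntry.app);
    }

    // Deploys two constructed WARs on the same thread, as a container's
    // initialization thread may do.
    static void deployBoth(boolean cleanUp) throws Exception {
        ExecutorService deployer = Executors.newSingleThreadExecutor();
        try {
            Callable<String> a = () -> init("app-a.war", cleanUp);
            Callable<String> b = () -> init("app-b.war", cleanUp);
            System.out.println(deployer.submit(a).get());
            System.out.println(deployer.submit(b).get());
        } finally {
            deployer.shutdown();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("without cleanup:");
        deployBoth(false);
        System.out.println("with cleanup:");
        deployBoth(true);
    }
}
```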
Comment by Ed Burns [ 01/Aug/14 ]
Set priority to baseline ahead of JSF 2.3 triage. Priorities will be assigned accurately after this exercise.