There are multiple instance in the PartialViewContext.processAjaxExecutePhase(FacesContext) method where user supplied input is used as (part of) the expression of a MethodExpression:
- request parameter
_of_action (local variable action) is used in lines 546–556:
if (action != null) {
MethodExpression methodBinding;
if (!action.startsWith("#{")){
methodBinding = context.getApplication().getExpressionFactory().createMethodExpression(
elContext, "#{" + action + "}", String.class, new Class[]{});
}else{
methodBinding = context.getApplication().getExpressionFactory().createMethodExpression(
elContext, action, String.class, new Class[]{});
}
methodBinding.invoke(elContext, null);
}
- request parameter
_of_actionListener (local variable listener) is used in lines 557–585:
if (listener != null) {
AjaxActionEvent event = new AjaxActionEvent(component, new Behavior() {
public void broadcast(BehaviorEvent event) {
throw new UnsupportedOperationException("This method is not expected to be invoked.");
}
});
event.setPhaseId(Boolean.valueOf(requestParams.get(PARAM_IMMEDIATE)) ? PhaseId.APPLY_REQUEST_VALUES : PhaseId.INVOKE_APPLICATION);
MethodExpression methodExpression = context.getApplication().getExpressionFactory().createMethodExpression(
elContext, "#{" + listener + "}", void.class, new Class[]{AjaxBehaviorEvent.class});
try {
methodExpression.getMethodInfo(elContext);
} catch (MethodNotFoundException e1) {
// both actionEvent and AjaxActionEvent parameter declarations are allowed
methodExpression = context.getApplication().getExpressionFactory().createMethodExpression(
elContext, "#{" + listener + "}", void.class, new Class[]{AjaxActionEvent.class});
try {
methodExpression.getMethodInfo(elContext);
} catch (MethodNotFoundException e2) {
Log.log("Couldn't find Ajax action handler method. Method expression: #{" + listener + "} . " +
"Note, the appropriate method should receive one parameter of either javax.faces.event.AjaxBehaviorEvent or " +
"org.openfaces.event.AjaxActionEvent type.", e2);
throw e2;
}
}
methodExpression.invoke(elContext, new Object[]{event});
Object listenerResult = event.getAjaxResult();
if (listenerResult != null)
result = listenerResult;
}
Arbitrary EL evaluation can result in the execution of arbitrary code on the application server.
There are multiple instance in the
PartialViewContext.processAjaxExecutePhase(FacesContext)method where user supplied input is used as (part of) the expression of a MethodExpression:_of_action(local variableaction) is used in lines 546–556:_of_actionListener(local variablelistener) is used in lines 557–585:Arbitrary EL evaluation can result in the execution of arbitrary code on the application server.