There are a couple of places that allow manipulating resource requests to disclose arbitrary files under the application context. These were tested with Mojarra 2.3.9 and work under the default configuration.
Resource contracts
WebappResourceHelper.findPathConsideringContracts(). Under a branch condition, the contract name is fetched from an HTTP parameter and doesn't go through any filtering. The resource base path is later concatenated from it and can be abused to return an unwanted resource like '/contracts/../WEB-INF/web.xml'. Another place that has the same vulnerable code is ClasspathResourceHelper.findPathConsideringContracts().
Locale prefix
The patch for https://github.com/javaserverfaces/mojarra/issues/4364 is incomplete. localePrefix still contains tainted data after the check, and if the application doesn't declare 'javax.faces.resource.localePrefix' in a resource bundle, the application still continues to return that tainted input.
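As an added illustration (not Mojarra's code), the snippet below models the unfiltered concatenation the report describes for the contract name, beside a hardened variant that allow-lists the name and then verifies the normalized path stays under the contracts base. The class name, the `SAFE_NAME` pattern and the `/contracts` base are assumptions; the same allow-list-then-normalize check is the fix a defender would want for the locale prefix described above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added illustration, not Mojarra's code: a request-supplied contract name
// spliced into a resource base path, and a hardened variant that refuses
// traversal both in the name and in the normalized result.
public final class ContractPathCheck {
    private static final Path CONTRACTS_BASE = Paths.get("/contracts").normalize();
    // Assumption: contract names are simple identifiers; anything else is rejected.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+");

    /** Mirrors the unfiltered concatenation: the tainted name goes straight into the path. */
    static String unfilteredPath(String contractName, String resource) {
        return "/contracts/" + contractName + "/" + resource;
    }

    /** Hardened: allow-list the name, then confirm the normalized path is still under the base. */
    static Path safePath(String contractName, String resource) {
        if (contractName == null || !SAFE_NAME.matcher(contractName).matches()) {
            throw new IllegalArgumentException("rejected contract name: " + contractName);
        }
        // Normalize after resolving so a '..' hidden in the resource part is also caught.
        Path resolved = CONTRACTS_BASE.resolve(contractName).resolve(resource).normalize();
        if (!resolved.startsWith(CONTRACTS_BASE)) {
            throw new IllegalArgumentException("path escapes contracts base: " + resolved);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed input: the traversal segment from the report.
        String tainted = "..";
        System.out.println("unfiltered: " + unfilteredPath(tainted, "WEB-INF/web.xml"));
        try {
            safePath(tainted, "WEB-INF/web.xml");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   " + e.getMessage());
        }
        // A well-formed name with a traversal in the resource part is rejected by the second check.
        try {
            safePath("blue", "../WEB-INF/web.xml");
        } catch (IllegalArgumentException e) {
            System.out.println("hardened:   " + e.getMessage());
        }
        System.out.println("hardened:   " + safePath("blue", "css/site.css"));
    }
}
```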
This issue is marked as stale because there was no activity on it for the last 2 years. Remove the stale label or comment, or this will be closed in 30 days.