wicket-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sven Meier (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (WICKET-6144) Wicket-ajax parameter / header may be used to bypass proper exception handling
Date Tue, 19 Apr 2016 21:22:25 GMT

     [ https://issues.apache.org/jira/browse/WICKET-6144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Sven Meier updated WICKET-6144:
-------------------------------
    Affects Version/s: 8.0.0-M1
                       7.2.0
             Priority: Minor  (was: Major)
        Fix Version/s: 6.23.0
                       8.0.0-M1
                       7.3.0
           Issue Type: Improvement  (was: Bug)

> Wicket-ajax parameter / header may be used to bypass proper exception handling
> ------------------------------------------------------------------------------
>
>                 Key: WICKET-6144
>                 URL: https://issues.apache.org/jira/browse/WICKET-6144
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 7.2.0, 8.0.0-M1, 6.22.0
>            Reporter: Christian Oldiges
>            Assignee: Sven Meier
>            Priority: Minor
>             Fix For: 7.3.0, 8.0.0-M1, 6.23.0
>
>
> WebRequest.isAjax() throws an exception if any value that cannot be properly decoded
into a Boolean is used either for the "wicket-ajax" request parameter or the "Wicket-Ajax"
request header.
> Example: http://localhost:8080/wicketapp/?wicket-ajax=sdfgs results ins
> {code}
> org.apache.wicket.util.string.StringValueConversionException: Boolean value "sdfgs" not
recognized
> 	at org.apache.wicket.util.string.Strings.isTrue(Strings.java:623)
> 	at org.apache.wicket.request.http.WebRequest.isAjax(WebRequest.java:117)
> 	at org.apache.wicket.markup.html.WebPage.dirty(WebPage.java:327)
> 	at org.apache.wicket.Page.dirty(Page.java:248)
> 	at org.apache.wicket.Page.componentStateChanging(Page.java:937)
> 	at org.apache.wicket.Component.addStateChange(Component.java:3512)
> 	at org.apache.wicket.Behaviors.add(Behaviors.java:55)
> 	at org.apache.wicket.Component.add(Component.java:4506)
> {code}
> WebRequest.isAjax() is called for dirty-flag handling when a component is added to a
page. So any useful wicket page triggers a call to this method which is also true for most
error handling page that get initialized during exception handling e.g. in RequestCycleListener.onException().
> So, using a very simple attack URL may bypass the intended wicket exception handling
code.
> A possible fix in WebRequest:
> {code}
> public boolean isAjax()
> {
> 	return Strings.isTrue(getHeader(HEADER_AJAX)) || Strings.isTrue(getRequestParameters().getParameterValue(PARAM_AJAX).toString());
> }
> {code}
> becomes
> {code}
> public boolean isAjax()
> {
>   try {
>     return Strings.isTrue(getHeader(HEADER_AJAX)) || Strings.isTrue(getRequestParameters().getParameterValue(PARAM_AJAX).toString());
>   } catch (Exception e) {
>     // add some logging here!
>     return false;
>   }
> }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message