wicket-users mailing list archives

From Martin Grigorov <mgrigo...@apache.org>
Subject Re: Restrict wicket/bookmarkable
Date Thu, 05 May 2016 06:38:26 GMT
Hi Ilia,

Please create a ticket so we don't forget it!
Thanks!

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, May 4, 2016 at 7:32 PM, Илья Нарыжный <phantom@ydn.ru> wrote:

> For now I just removed BookmarkableMapper. Everything works. But it seems
> to me that some cases might go wrong... And as a side effect: hrefs are just
> empty for pages without mounts. Probably I would expect some other behavior
> if a URL can't be resolved for a page.
>
> Thanks,
>
> Ilia
> On May 4, 2016 6:54 AM, "Martin Grigorov" <mgrigorov@apache.org> wrote:
>
> > On Wed, May 4, 2016 at 3:27 PM, Sven Meier <sven@meiers.net> wrote:
> >
> > > Hi,
> > >
> > > well, it seems I wasn't completely out of my mind when I pushed for
> > > WICKET-5094:
> > > - I've checked 1.4 and the logic of #enforceMounts was exactly like it is now
> > > - the javadoc for #setEnforceMounts() matches the current behavior:
> > >
> > > "Sets whether mounts should be enforced. If true, requests for mounted
> > > targets have to done through the mounted paths. If, for instance, a
> > > bookmarkable page is mounted to a path, a request to that same page via the
> > > bookmarkablePage parameter will be denied."
> > >
> > > For those trying to prevent any requests to non-mounted pages: Couldn't
> > > you just remove the BookmarkableMapper?
> > >
> > >         ICompoundRequestMapper mappers = getRootRequestMapperAsCompound();
> > >         mappers.forEach((mapper) -> {
> > >             if (mapper instanceof BookmarkableMapper) mappers.remove(mapper);
> > >         });
> > >
> > > Personally I wouldn't mind changing/removing/renaming this setting for
> > > Wicket 8.x, so it is more useful.
> > >
> >
> > +1 to change the behavior to what it was after WICKET-3849 and before
> > WICKET-5094
> >
> >
> > >
> > > Have fun
> > > Sven
> > >
> > >
> > >
> > > On 04.05.2016 08:23, Martin Grigorov wrote:
> > >
> > >> Hi,
> > >>
> > >> I also think the current behavior is not correct. See my question at
> > >> http://markmail.org/message/xmo74m3tbc5v4nwp.
> > >> I read the name of the method "enforceMounts" as "do not allow urls to
> > >> pages which are not explicitly mounted". I believe also this is the reason
> > >> this method is in SecuritySettings, and not in PageSettings.
> > >> And its javadoc also says the same. That's why I've re-introduced this
> > >> behavior with https://issues.apache.org/jira/browse/WICKET-3849.
> > >>
> > >> According to Sven the behavior in Wicket 1.4.x was different and he
> > >> changed it with https://issues.apache.org/jira/browse/WICKET-5094.
> > >> IMO Wicket 1.4.x must have had a bug but there is no one to confirm :-/
> > >>
> > >> Martin Grigorov
> > >> Wicket Training and Consulting
> > >> https://twitter.com/mtgrigorov
> > >>
> > >> On Wed, May 4, 2016 at 7:57 AM, Илья Нарыжный <phantom@ydn.ru> wrote:
> > >>
> > >>> Martin,
> > >>>
> > >>> Checked this issue: https://issues.apache.org/jira/browse/WICKET-5094
> > >>> Absolutely disagree with discussed behavior. It's meaningless to
> > >>> prevent accessing /wicket/bookmarkable/<CLASS> only if there is a mount
> > >>> point for that page.
> > >>> Please help to find consensus. In my case it's a real security hole.
> > >>>
> > >>> Thanks,
> > >>>
> > >>> Ilia
> > >>>
> > >>> 2016-05-03 22:50 GMT-07:00 Илья Нарыжный <phantom@ydn.ru>:
> > >>>
> > >>>> Martin,
> > >>>>
> > >>>> Just checked: it doesn't work as expected. It seems that this code
> > >>>> doesn't work as it was assumed:
> > >>>>
> > >>>> BookmarkableMapper.java
> > >>>> if (application.getSecuritySettings().getEnforceMounts())
> > >>>> {
> > >>>>     // we make an exception if the homepage itself was mounted, see WICKET-1898
> > >>>>     if (!pageClass.equals(application.getHomePage()))
> > >>>>     {
> > >>>>         // WICKET-5094 only enforce mount if page is mounted
> > >>>>         if (isPageMounted(pageClass, application.getRootRequestMapperAsCompound()))    // HERE!!!
> > >>>>         {
> > >>>>             return null;
> > >>>>         }
> > >>>>     }
> > >>>> }
> > >>>>
> > >>>> Imho the condition at the line marked by HERE!!! should be the opposite.
> > >>>> Please check.
> > >>>>
> > >>>> In my case getSecuritySettings().setEnforceMounts(true); doesn't have
> > >>>> any effect.
> > >>>>
> > >>>> Thanks,
> > >>>>
> > >>>> Ilia
> > >>>>
> > >>>> 2016-05-03 10:59 GMT-07:00 Илья Нарыжный <phantom@ydn.ru>:
> > >>>>
> > >>>>> Thank you Martin! I did know that there should be an easier way to do
> > >>>>> that, but was not able to find it :)
> > >>>>>
> > >>>>> Regards,
> > >>>>>
> > >>>>> Ilia
> > >>>>>
> > >>>>> 2016-05-03 0:06 GMT-07:00 Martin Grigorov <mgrigorov@apache.org>:
> > >>>>>
> > >>>>>> Hi,
> > >>>>>>
> > >>>>>> I always thought that
> > >>>>>> org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for
> > >>>>>> this. Also its javadoc seems to say that.
> > >>>>>> But there were some changes to its behavior after which I am no more
> > >>>>>> sure what exactly it does :-/
> > >>>>>>
> > >>>>>> Martin Grigorov
> > >>>>>> Wicket Training and Consulting
> > >>>>>> https://twitter.com/mtgrigorov
> > >>>>>>
> > >>>>>> On Tue, May 3, 2016 at 8:53 AM, Илья Нарыжный <phantom@ydn.ru> wrote:
> > >>>>>>
> > >>>>>>> Yea - that's possible. Even instrumentation is possible, but probably
> > >>>>>>> this problem is somehow solved already in wicket. I would briefly
> > >>>>>>> summarize the problem like:
> > >>>>>>>
> > >>>>>>> Wicket allows directly addressing bookmarkable pages from 3rd party
> > >>>>>>> libraries without a good way to manage accessibility.
> > >>>>>>> Potentially it means that with having control over some 3rd party lib
> > >>>>>>> it's possible to include a "backdoor page".
> > >>>>>>> Thanks,
> > >>>>>>>
> > >>>>>>> Ilia
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> ---------------------------------------------------------------------
> > >>>>>>> To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
> > >>>>>>> For additional commands, e-mail: users-help@wicket.apache.org
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>
>
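As an added illustration, not code from this thread or from the Wicket project, here is a small WebApplication that puts the two points of the discussion together: setEnforceMounts(true), which per the thread only blocks /wicket/bookmarkable/<CLASS> for pages that are mounted, and Sven's suggestion of removing the BookmarkableMapper so that no page is addressable by class name at all. The urlFor helper reproduces the "empty href" effect Ilia observed, so it can serve as a startup or test-time check that an unmounted page really has no URL. The page classes, mount paths and the application class name are placeholders; the example assumes the Wicket 6/7 package names for BookmarkableMapper, PageProvider and BookmarkablePageRequestHandler, and that mapHandler needs nothing beyond the page class for a BookmarkablePageRequestHandler.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.wicket.core.request.handler.BookmarkablePageRequestHandler;
import org.apache.wicket.core.request.handler.PageProvider;
import org.apache.wicket.core.request.mapper.BookmarkableMapper;
import org.apache.wicket.markup.html.WebPage;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.Url;
import org.apache.wicket.request.mapper.ICompoundRequestMapper;

/**
 * Hypothetical application that closes the /wicket/bookmarkable/<CLASS> route
 * for every page, not only for the mounted ones.
 */
public class LockedDownApplication extends WebApplication {

    // Placeholder pages: HomePage and AdminPage are mounted on purpose,
    // InternalPage stands for a page that must never be reachable by class name.
    public static class HomePage extends WebPage {}
    public static class AdminPage extends WebPage {}
    public static class InternalPage extends WebPage {}

    @Override
    public Class<? extends WebPage> getHomePage() {
        return HomePage.class;
    }

    @Override
    protected void init() {
        super.init();

        // Only these paths are meant to exist.
        mountPage("/home", HomePage.class);
        mountPage("/admin", AdminPage.class);

        // With enforceMounts a mounted page can no longer be requested through
        // /wicket/bookmarkable/<CLASS>. As the thread notes, this does nothing
        // for pages that are not mounted, so on its own it is not sufficient.
        getSecuritySettings().setEnforceMounts(true);

        // Sven's suggestion: drop the BookmarkableMapper so that no page is
        // addressable by class name. Mappers are collected first and removed
        // afterwards, so this does not depend on the compound mapper tolerating
        // removal while it is being iterated.
        ICompoundRequestMapper root = getRootRequestMapperAsCompound();
        List<IRequestMapper> byClassName = new ArrayList<>();
        for (IRequestMapper mapper : root) {
            if (mapper instanceof BookmarkableMapper) {
                byClassName.add(mapper);
            }
        }
        for (IRequestMapper mapper : byClassName) {
            root.remove(mapper);
        }
    }

    /**
     * Returns the URL the root mapper would generate for a bookmarkable request
     * to pageClass, or null when no mapper can address the page. Once the
     * BookmarkableMapper is gone, an unmounted page yields null (the empty href
     * from the thread) while mounted pages still resolve to their mount path.
     */
    public Url urlFor(Class<? extends WebPage> pageClass) {
        return getRootRequestMapper().mapHandler(
            new BookmarkablePageRequestHandler(new PageProvider(pageClass)));
    }

    /** Fails fast if a page that must stay hidden is still addressable by URL. */
    public void assertNotAddressable(Class<? extends WebPage> pageClass) {
        if (urlFor(pageClass) != null) {
            throw new IllegalStateException(pageClass.getName() + " is still addressable by URL");
        }
    }

    // Intended usage from a WicketTester-backed test, where the application is
    // fully initialised (assumed API; not run here):
    //   WicketTester tester = new WicketTester(new LockedDownApplication());
    //   LockedDownApplication app = (LockedDownApplication) tester.getApplication();
    //   app.assertNotAddressable(InternalPage.class);   // passes: no URL for it
    //   assert app.urlFor(AdminPage.class) != null;      // mounted page still has one
}
```

The check through urlFor only covers URL generation, which is the same code path that produced the empty hrefs mentioned above; a request-side test that sends /wicket/bookmarkable/<CLASS> through WicketTester and verifies that no page is rendered is the natural complement.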
