You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Jesse Bonzo (JIRA)" <ji...@apache.org> on 2015/09/02 18:11:45 UTC

[jira] [Comment Edited] (WICKET-5977) CryptoMapper does not encrypt query parameters for BookmarkablePageLink

    [ https://issues.apache.org/jira/browse/WICKET-5977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14727560#comment-14727560 ] 

Jesse Bonzo edited comment on WICKET-5977 at 9/2/15 4:11 PM:
-------------------------------------------------------------

I don't see a setting to encrypt BPL. In CryptoMapper I see only this conditional to decide to encrypt the entire url:
{{if (url.getSegments().size() > 0 && url.getSegments().get(0).equals(getContext().getNamespace()))}}

Our fix is to override CryptoMapper.encryptUrl and call encryptEntireUrl unconditionally. That exposes us to whatever issue the conditional is trying to fix though.


was (Author: vitiate):
I don't see a setting to encrypt BPL. In CryptoMapper I see only this conditional to decide to encrypt the entire url:
{{if (url.getSegments().size() > 0 && url.getSegments().get(0).equals(getContext().getNamespace()))}}

Our fix is to override CryptoMapper.encryptUrl and call encryptEntireUrl unconditionally. 

> CryptoMapper does not encrypt query parameters for BookmarkablePageLink
> -----------------------------------------------------------------------
>
>                 Key: WICKET-5977
>                 URL: https://issues.apache.org/jira/browse/WICKET-5977
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 6.18.0
>         Environment: Windows 7 x64
>            Reporter: Jesse Bonzo
>            Priority: Minor
>              Labels: bookmarkable, link, security
>         Attachments: WicketCryptoTest.zip
>
>
> In 6.17, mounting with CryptoMapper resulted in an encrypted url when page parameters are passed to a BookmarkablePageLink.
> eg
> <a wicket:id="testPageLink" href="./Test?test1=testing">Test Page Link</a>
> became
> <a wicket:id="testPageLink" href="./WJv23oU4t3ZeiLLpNT81ezNvA-L53GFM/WJvf2">Test Page Link</a>
> In 6.18+ the link stays as is.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)