Posted to commits@wicket.apache.org by mg...@apache.org on 2012/01/13 10:00:55 UTC
[1/2] git commit: WICKET-4196 Accessing Wicket through AJP makes
Wicket vulnerable to HTTP Response Splitting Attack
Updated Branches:
refs/heads/master e62cd40ba -> 2989237bf
WICKET-4196
Accessing Wicket through AJP makes Wicket vulnerable to HTTP Response Splitting Attack
Revert the changes.
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/2989237b
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/2989237b
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/2989237b
Branch: refs/heads/master
Commit: 2989237bf5da6486d7b4cfc87a2b08634dd3c5ab
Parents: 0e99d7c
Author: martin-g <mg...@apache.org>
Authored: Fri Jan 13 10:56:03 2012 +0200
Committer: martin-g <mg...@apache.org>
Committed: Fri Jan 13 10:56:03 2012 +0200
----------------------------------------------------------------------
.../protocol/http/servlet/ServletWebResponse.java | 23 ++------
.../http/servlet/ServletWebResponseTest.java | 43 ---------------
2 files changed, 5 insertions(+), 61 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/2989237b/wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java b/wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java
index 13416cf..27b52b1 100644
--- a/wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java
+++ b/wicket-core/src/main/java/org/apache/wicket/protocol/http/servlet/ServletWebResponse.java
@@ -76,26 +76,26 @@ public class ServletWebResponse extends WebResponse
@Override
public void setContentType(String mimeType)
{
- httpServletResponse.setContentType(sanitize(mimeType));
+ httpServletResponse.setContentType(mimeType);
}
@Override
public void setDateHeader(String name, Time date)
{
Args.notNull(date, "date");
- httpServletResponse.setDateHeader(sanitize(name), date.getMilliseconds());
+ httpServletResponse.setDateHeader(name, date.getMilliseconds());
}
@Override
public void setHeader(String name, String value)
{
- httpServletResponse.setHeader(sanitize(name), sanitize(value));
+ httpServletResponse.setHeader(name, value);
}
@Override
public void addHeader(String name, String value)
{
- httpServletResponse.addHeader(sanitize(name), sanitize(value));
+ httpServletResponse.addHeader(name, value);
}
@Override
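Review bot: With sanitize() gone, setHeader and addHeader (and setDateHeader and setContentType above them) hand `name` and `value` to HttpServletResponse verbatim, so any CR or LF in either now reaches the container unchanged; the same applies to the redirect URL in the `- url = sanitize(url);` hunk and to `msg` in the sendError hunk, and the helper itself is deleted in the last hunk of this file. The subject says WICKET-4196 is about the AJP path not rejecting such characters, so after this revert the response-splitting protection rests entirely on the connector and container. If the revert is deliberate (for example because a stricter reject-instead-of-replace check is planned, or because the container is expected to refuse CR/LF), the commit description should say so, since `Revert the changes.` gives no reason, and a comment on setHeader such as `// name/value are passed through unchanged; CR/LF handling is left to the servlet container (see WICKET-4196)` would keep that decision visible to the next reader.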
@@ -155,7 +155,7 @@ public class ServletWebResponse extends WebResponse
}
else
{
- httpServletResponse.sendError(sc, sanitize(msg));
+ httpServletResponse.sendError(sc, msg);
}
}
catch (IOException e)
@@ -203,7 +203,6 @@ public class ServletWebResponse extends WebResponse
try
{
redirect = true;
- url = sanitize(url);
url = encodeRedirectURL(url);
// wicket redirects should never be cached
@@ -270,16 +269,4 @@ public class ServletWebResponse extends WebResponse
return httpServletResponse;
}
- /**
- * Cleans the provided input (header name or value) from malicious characters.
- *
- * @param input
- * the string to sanitize
- * @return the sanitized string
- */
- String sanitize(final String input)
- {
- String output = input.replace('\n', ' ').replace('\r', ' ');
- return output;
- }
}
http://git-wip-us.apache.org/repos/asf/wicket/blob/2989237b/wicket-core/src/test/java/org/apache/wicket/protocol/http/servlet/ServletWebResponseTest.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/test/java/org/apache/wicket/protocol/http/servlet/ServletWebResponseTest.java b/wicket-core/src/test/java/org/apache/wicket/protocol/http/servlet/ServletWebResponseTest.java
index 756e44f..a51f283 100644
--- a/wicket-core/src/test/java/org/apache/wicket/protocol/http/servlet/ServletWebResponseTest.java
+++ b/wicket-core/src/test/java/org/apache/wicket/protocol/http/servlet/ServletWebResponseTest.java
@@ -102,47 +102,4 @@ public class ServletWebResponseTest extends Assert
}
- /**
- * Verifies that response headers' name and/or values doesn't contain malicious characters
- *
- * https://issues.apache.org/jira/browse/WICKET-4196
- *
- * @throws IOException
- */
- @Test
- public void sanitizeHeaders() throws IOException
- {
- final String badInput = "something\n\rbad\n\r\n";
- final String badUrl = "bad\n\rurl\r\n";
-
- ServletWebRequest webRequest = mock(ServletWebRequest.class);
- when(webRequest.isAjax()).thenReturn(Boolean.FALSE);
-
- MockHttpServletResponse httpServletResponse = new MockHttpServletResponse(null);
-
- ServletWebResponse webResponse = new ServletWebResponse(webRequest, httpServletResponse);
-
- webResponse.addHeader(badInput, "someValue");
- assertNull(httpServletResponse.getHeader(badInput));
- assertEquals(httpServletResponse.getHeader(webResponse.sanitize(badInput)), "someValue");
-
- webResponse.addHeader("someName", badInput);
- assertEquals(httpServletResponse.getHeader("someName"), "something bad ");
-
- webResponse.setHeader(badInput, badInput);
- assertNull(httpServletResponse.getHeader(badInput));
- assertEquals(httpServletResponse.getHeader(webResponse.sanitize(badInput)),
- "something bad ");
-
- Time now = Time.now();
- webResponse.setDateHeader(badInput, now);
- assertNull(httpServletResponse.getHeader(badInput));
- String dateHeaderValue = httpServletResponse.getHeader(webResponse.sanitize(badInput));
- assertNotNull(dateHeaderValue);
- assertEquals(-1, dateHeaderValue.indexOf('\n'));
- assertEquals(-1, dateHeaderValue.indexOf('\r'));
-
- webResponse.sendRedirect(badUrl);
- assertEquals(httpServletResponse.getRedirectLocation(), "bad url ");
- }
}