Posted to commits@wicket.apache.org by mg...@apache.org on 2012/01/11 17:08:47 UTC

git commit: WICKET-4275 URL parameters containing a single quote are incorrectly escaped

Updated Branches:
  refs/heads/wicket-1.4.x 6fec67349 -> d841a285b


WICKET-4275
URL parameters containing a single quote are incorrectly escaped


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d841a285
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d841a285
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d841a285

Branch: refs/heads/wicket-1.4.x
Commit: d841a285b21bef9ba8f8bacead7bda862465df8d
Parents: 6fec673
Author: martin-g <mg...@apache.org>
Authored: Wed Jan 11 18:08:15 2012 +0200
Committer: martin-g <mg...@apache.org>
Committed: Wed Jan 11 18:08:15 2012 +0200

----------------------------------------------------------------------
 .../main/java/org/apache/wicket/RequestCycle.java  |   31 ++++++++++++++-
 1 files changed, 29 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/d841a285/wicket/src/main/java/org/apache/wicket/RequestCycle.java
----------------------------------------------------------------------
diff --git a/wicket/src/main/java/org/apache/wicket/RequestCycle.java b/wicket/src/main/java/org/apache/wicket/RequestCycle.java
index 8a01a22..6a301f8 100644
--- a/wicket/src/main/java/org/apache/wicket/RequestCycle.java
+++ b/wicket/src/main/java/org/apache/wicket/RequestCycle.java
@@ -44,7 +44,6 @@ import org.apache.wicket.request.target.component.listener.ListenerInterfaceRequ
 import org.apache.wicket.request.target.resource.SharedResourceRequestTarget;
 import org.apache.wicket.util.collections.ArrayListStack;
 import org.apache.wicket.util.string.AppendingStringBuffer;
-import org.apache.wicket.util.string.JavascriptUtils;
 import org.apache.wicket.util.string.Strings;
 import org.apache.wicket.util.time.Time;
 import org.apache.wicket.util.value.ValueMap;
@@ -810,12 +809,40 @@ public abstract class RequestCycle
 	private final CharSequence encodeUrlFor(final IRequestTarget requestTarget)
 	{
 		CharSequence url = getProcessor().getRequestCodingStrategy().encode(this, requestTarget);
-		url = JavascriptUtils.escapeQuotes(url);
+		url = cutNilChar(url);
 		urlForNewWindowEncoding = false;
 		return url;
 	}
 
 	/**
+	 * Removes any occurrence of \u0000 char and everything after it.
+	 *
+	 * @param input
+	 *      the CharSequence to process
+	 * @return
+	 *      a CharSequence without \u0000 in it
+	 */
+	// WICKET-4275, CVE-2011-2712
+	private CharSequence cutNilChar(CharSequence input)
+	{
+		StringBuilder result = new StringBuilder();
+		int length = input.length();
+		for (int i = 0; i < length; i++)
+		{
+			char c = input.charAt(i);
+			if (c == '\u0000')
+			{
+				break;
+			}
+			else {
+				result.append(c);
+			}
+		}
+
+		return result;
+	}
+	
+	/**
 	 * Returns a bookmarkable URL that references a given page class using a given set of page
 	 * parameters. Since the URL which is returned contains all information necessary to instantiate
 	 * and render the page, it can be stored in a user's browser as a stable bookmark.
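Review bot: cutNilChar copies every URL into a fresh StringBuilder even in the common case where no \u0000 is present; scanning for the first NUL and returning `input.subSequence(0, i)`, or `input` itself when none is found, removes the per-URL copy, provided no caller of encodeUrlFor relies on getting a new buffer back (that is not visible from the hunk). The guard matches only the raw U+0000 character, so whether the coding strategy can emit the same byte in an already-encoded form is worth confirming against the CVE-2011-2712 case the comment above the method cites. Dropping JavascriptUtils.escapeQuotes from encodeUrlFor means any caller that embeds the returned URL in a JavaScript string literal must now escape quotes itself; the urlForNewWindowEncoding flag suggests such a caller exists, though it lies outside the hunk. The Javadoc says "any occurrence", but the loop stops at the first NUL; `Truncates the input at the first \u0000 character; everything from that character on is dropped.` states the contract exactly. The `else {` on one line also departs from the Allman braces used everywhere else in this file.
```java
	private CharSequence cutNilChar(CharSequence input)
	{
		int length = input.length();
		for (int i = 0; i < length; i++)
		{
			if (input.charAt(i) == '\u0000')
			{
				// WICKET-4275, CVE-2011-2712: drop the NUL and everything after it
				return input.subSequence(0, i);
			}
		}
		// no NUL present: hand the original sequence back without copying
		return input;
	}
```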