You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Alex Grant (JIRA)" <ji...@apache.org> on 2015/07/08 06:26:04 UTC

[jira] [Updated] (WICKET-5944) CSRF prevention does not work with https URLs on the default port

     [ https://issues.apache.org/jira/browse/WICKET-5944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Grant updated WICKET-5944:
-------------------------------
    Summary: CSRF prevention does not work with https URLs on the default port  (was: CSRF prevention does not work with https URLS on the default port)

> CSRF prevention does not work with https URLs on the default port
> -----------------------------------------------------------------
>
>                 Key: WICKET-5944
>                 URL: https://issues.apache.org/jira/browse/WICKET-5944
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 6.20.0
>            Reporter: Alex Grant
>
> If your URL is https on the default port (so no :443 on the end), then the CSRF prevention (WICKET-5919) rejects requests with the Origin header supplied.
> In CsrfPreventionRequestCycleListener, line 519 looks like this
> if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443)
> So the port != -1 test binds only to the "http" half of the or statement, and the if block executes, which appends ":-1" to the end of the "https" URL. I think it should instead say
> if (port != -1 && ("http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443))



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)