You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Martijn Dashorst (JIRA)" <ji...@apache.org> on 2015/07/08 13:09:05 UTC
[jira] [Resolved] (WICKET-5944) CSRF prevention does not work with
https URLs on the default port
[ https://issues.apache.org/jira/browse/WICKET-5944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Martijn Dashorst resolved WICKET-5944.
--------------------------------------
Resolution: Fixed
Assignee: Martijn Dashorst
Fix Version/s: 6.21.0
7.0.0
> CSRF prevention does not work with https URLs on the default port
> -----------------------------------------------------------------
>
> Key: WICKET-5944
> URL: https://issues.apache.org/jira/browse/WICKET-5944
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.20.0
> Reporter: Alex Grant
> Assignee: Martijn Dashorst
> Fix For: 7.0.0, 6.21.0
>
>
> If your URL is https on the default port (so no :443 on the end), then the CSRF prevention (WICKET-5919) rejects requests with the Origin header supplied.
> In CsrfPreventionRequestCycleListener, line 519 looks like this
> if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443)
> So the port != -1 test binds only to the "http" half of the or statement, and the if block executes, which appends ":-1" to the end of the "https" URL. I think it should instead say
> if (port != -1 && ("http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443))
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)