Posted to users@wicket.apache.org by Gereon Steffens <Ge...@finanzen100.de> on 2011/12/01 17:45:05 UTC

Backslash-Escaping of single quotes in URLs?

Hi,

I've noticed a change in Wicket 1.4.19 regarding URL parameter encoding.
If a parameter value contains a single quote, these quotes are now
preceded by a backslash (this happens in RequestCycle#encodeUrlFor).

Why is this done? I've never heard of backslash-escaping in relation to
URLs. 

As far as I can tell, this also breaks compatibility with apps/sites that
now need additional code to parse parameters like
example.com?param=a'b which is now represented as param=a\'b. Even if the
backslash were necessary in a URL, it should be URL-escaped as %5c.

Am I missing something?

Regards
Gereon


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Backslash-Escaping of single quotes in URLs?

Posted by Gereon Steffens <Ge...@finanzen100.de>.
Well, nothing in RFC 2396 talks about using backslashes to escape anything
(or at least I can't find it). What it does say is that unescaped
backslash characters in URLs are invalid, since they must be encoded as
%5c. (see the comment in WicketURLEncoder's constructor).

So, from my point of view there are two problems: backslash-escaping
single and double quotes (that's what JavascriptUtils#escapeQuotes
does) isn't mandated by the RFC and creates problems when creating URLs
that others may need to parse, because they're not likely to follow this
unusual escaping method.

Secondly, even when doing this escaping is deemed OK, leaving an unescaped
backslash in the URL clearly violates the RFC.

I'll play with the demo app later and see what I find.

Gereon

I haven't had the time to look into cve-2011-2712 closely, but

On 01.12.11 18:59, "Igor Vaynberg" <ig...@gmail.com> wrote:




-- 
Gereon Steffens
Team Lead, Development
Tel: +49 221 677882-42
Fax: +49 221 677882-43
E-Mail: gereon.steffens@finanzen100.de
Internet: http://www.finanzen100.de/
iPhone, iPad, Android: http://www.finanzen100.de/apps/

Finanzen100 GmbH, Lichtstraße 38, 50825 Köln
Managing Director: Oliver Eckert
Registered office: Köln, Amtsgericht Köln HRB 64201
VAT ID: DE 265105310

Follow us on Twitter: http://twitter.com/Finanzen100 and
http://twitter.com/Finanzen100News

Visit us on Facebook: http://www.facebook.com/Finanzen100
----------------
A company of TOMORROW FOCUS AG http://www.tomorrow-focus.de
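The two objections raised above (an unencoded backslash is not valid RFC 2396 query text and would have to appear as %5C; a value sent as a\'b no longer parses back to a'b) and Igor's backslash-versus-URL-coding question can be checked side by side. The following is an added example and not Wicket's code: it applies both encodings to the constructed value a'b on a hypothetical example.com URL and reports RFC 2396 cleanliness, round-trip through a standard query parser, and whether the URL stays inside a single-quoted JavaScript string literal or a single-quoted HTML attribute.

```python
"""Added example (not Wicket code): compare the two ways of keeping a quote
out of a URL parameter that the thread argues about, backslash-escaping as
described for RequestCycle#encodeUrlFor versus ordinary percent-encoding."""
import re
from urllib.parse import parse_qs, quote, urlsplit

# RFC 2396 'uric': reserved and unreserved (alphanum plus -_.!~*'()) characters
# or %XX escapes. A bare single quote is allowed; a bare backslash is not.
_RFC2396_QUERY = re.compile(r"^(?:[A-Za-z0-9\-_.!~*'();/?:@&=+$,]|%[0-9A-Fa-f]{2})*$")

def backslash_escape(value: str) -> str:
    """Escaping as the thread describes it: a backslash before each quote,
    with the backslash itself left unencoded (a'b -> a\\'b)."""
    return value.replace("'", "\\'").replace('"', '\\"')

def percent_encode(value: str) -> str:
    """Standard URL encoding: ' -> %27, " -> %22, \\ -> %5C."""
    return quote(value, safe="")

def query_is_rfc2396_clean(url: str) -> bool:
    """True if the query part uses only characters RFC 2396 allows unescaped."""
    return bool(_RFC2396_QUERY.match(urlsplit(url).query))

def round_trips(url: str, expected: str) -> bool:
    """Does a standard query parser hand the application the original value?"""
    return parse_qs(urlsplit(url).query, strict_parsing=True)["param"][0] == expected

def js_single_quoted_literal_intact(url: str) -> bool:
    """Simulate inserting the URL into  var u = '<url>';  where a backslash
    escapes the next character. False if the literal would end early."""
    i = 0
    while i < len(url):
        if url[i] == "\\":
            i += 2  # escaped character, skip it
            continue
        if url[i] == "'":
            return False  # the string literal terminates inside the URL
        i += 1
    return True

def html_single_quoted_attr_intact(url: str) -> bool:
    """Same check for  <a href='<url>'>  where a backslash is not an escape."""
    return "'" not in url

def compare(param_value: str) -> dict:
    """Report, for both encoders, the properties the thread argues about."""
    report = {}
    for name, enc in (("backslash", backslash_escape), ("percent", percent_encode)):
        url = "http://example.com/page?param=" + enc(param_value)  # hypothetical host
        report[name] = {"url": url,
                        "rfc2396_clean": query_is_rfc2396_clean(url),
                        "round_trips": round_trips(url, param_value),
                        "js_literal_intact": js_single_quoted_literal_intact(url),
                        "html_attr_intact": html_single_quoted_attr_intact(url)}
    return report

if __name__ == "__main__":
    for name, props in compare("a'b").items():
        print(name, props)
```

RFC 2396 permits a bare single quote in a query, so the check also shows that only the percent-encoded form keeps the quote character out of every embedding context while still decoding to the original value.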







Re: Backslash-Escaping of single quotes in URLs?

Posted by Gereon Steffens <Ge...@finanzen100.de>.
I've created WICKET-4275 for this, including a quickstart.

Gereon

On 01.12.11 18:59, "Igor Vaynberg" <ig...@gmail.com> wrote:



Re: Backslash-Escaping of single quotes in URLs?

Posted by Igor Vaynberg <ig...@gmail.com>.
Gereon, can you take a look...

-igor

On Thu, Dec 1, 2011 at 9:58 AM, Martin Grigorov <mg...@apache.org> wrote:


Re: Backslash-Escaping of single quotes in URLs?

Posted by Martin Grigorov <mg...@apache.org>.
dig the demo application and try
maybe I didn't test it properly...

On Thu, Dec 1, 2011 at 6:55 PM, Igor Vaynberg <ig...@gmail.com> wrote:



-- 
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com



Re: Backslash-Escaping of single quotes in URLs?

Posted by Igor Vaynberg <ig...@gmail.com>.
the question is, should we be escaping them with the backslash or with
the url-coding?

-igor

On Thu, Dec 1, 2011 at 9:48 AM, Martin Grigorov <mg...@apache.org> wrote:


Re: Backslash-Escaping of single quotes in URLs?

Posted by Martin Grigorov <mg...@apache.org>.
The commit message doesn't say it, but yes this is the fix for this
security problem.
There is a way to attack the application with the URL encoded version.

On Thu, Dec 1, 2011 at 6:05 PM, Igor Vaynberg <ig...@gmail.com> wrote:


Re: Backslash-Escaping of single quotes in URLs?

Posted by Igor Vaynberg <ig...@gmail.com>.
this was done in r1150391 by martin for
http://wicket.apache.org/2011/08/23/cve-2011-2712.html

-igor

On Thu, Dec 1, 2011 at 8:45 AM, Gereon Steffens
<Ge...@finanzen100.de> wrote: