Posted to commits@wicket.apache.org by "Jörn Zaefferer (JIRA)" <ji...@apache.org> on 2009/07/24 16:27:14 UTC
[jira] Updated: (WICKET-2397) Major security hole affecting required text fields
[ https://issues.apache.org/jira/browse/WICKET-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jörn Zaefferer updated WICKET-2397:
-----------------------------------
Attachment: nullable-test.zip
A simple web application (exported Eclipse project; Maven config intact) with a Jetty/Start/main and a single page for reproducing the issue.
The page has a single required text field that gets disabled by JavaScript, which causes onSubmit to be executed with a null model value.
> Major security hole affecting required text fields
> --------------------------------------------------
>
> Key: WICKET-2397
> URL: https://issues.apache.org/jira/browse/WICKET-2397
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.3.7, 1.4-M1, 1.4-M2, 1.4-M3, 1.4-RC1, 1.4-RC2, 1.4-RC3, 1.4-RC4, 1.4-RC5, 1.4-RC6, 1.4-RC7
> Reporter: Jörn Zaefferer
> Priority: Blocker
> Attachments: nullable-test.zip
>
>
> AbstractTextComponent overrides isInputNullable to return false, instead of the default true defined in FormComponent. FormComponent#checkRequired uses isInputNullable to check if an input was disabled. That makes it possible to submit a form with a required field without that field, completely skipping the validation (the form's onSubmit is called). We consider this a wide open security hole, as basically any form with a required text field, relying on the required-validation, is affected.
> The hole can easily be exploited by not removing certain fields from a form submit, e.g. by removing them from the DOM via Firebug (then doing a regular submit), or forging the complete request with an appropriate tool.
> From what is commented on isInputNullable, it seems like the check should actually be replaced with an actual check of enabled/disabled methods/properties. A required input is only optional when it is actually not enabled (on the server side), not just because its key/value pair is missing in the request.
> I'll attach a test application.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
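The checkRequired logic the report describes, modelled in Python as a standalone added example (not Wicket's code): the pre-fix branch that treats a missing non-nullable input as proof of a disabled field, beside a variant that consults the server-side enabled flag, both run against constructed requests with and without the field. Class and method names mirror the report; the hardened variant follows the reporter's suggested direction and is not the committed fix.

```python
"""Model of the WICKET-2397 required-field check (added example, not Wicket code).

TextField, input_nullable and the two check_required variants are a
standalone model named after FormComponent#checkRequired and
isInputNullable in the report; they are not Wicket's implementation.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TextField:
    name: str
    required: bool = True
    enabled: bool = True          # server-side state set by the application
    input_nullable: bool = False  # AbstractTextComponent returns false

    def get_input(self, request: dict) -> Optional[str]:
        # None when the key is absent from the submitted request entirely
        return request.get(self.name)

    def check_required_vulnerable(self, request: dict) -> bool:
        """Pre-fix logic: a missing key on a non-nullable input is taken to
        mean the browser disabled the field, so validation is skipped."""
        if not self.required:
            return True
        value = self.get_input(request)
        if value is None and not self.input_nullable:
            return True  # assumed disabled -> passes without validation (the hole)
        return bool(value and value.strip())

    def check_required_hardened(self, request: dict) -> bool:
        """Skip required-validation only when the component is actually
        disabled on the server; the shape of the request is untrusted input."""
        if not self.required or not self.enabled:
            return True
        value = self.get_input(request)
        return bool(value and value.strip())


def run_scenarios() -> dict:
    field = TextField("email")
    normal = {"email": "a@example.org"}  # constructed request containing the field
    stripped = {}                        # constructed request with the key removed
    return {
        "normal_vuln": field.check_required_vulnerable(normal),
        "normal_hard": field.check_required_hardened(normal),
        "stripped_vuln": field.check_required_vulnerable(stripped),  # True: skipped
        "stripped_hard": field.check_required_hardened(stripped),    # False: rejected
        "disabled_hard": TextField("email", enabled=False).check_required_hardened(stripped),
    }
```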