Posted to commits@wicket.apache.org by "Jörn Zaefferer (JIRA)" <ji...@apache.org> on 2009/07/24 16:27:14 UTC

[jira] Updated: (WICKET-2397) Major security hole affecting required text fields

     [ https://issues.apache.org/jira/browse/WICKET-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jörn Zaefferer updated WICKET-2397:
-----------------------------------

    Attachment: nullable-test.zip

A simple web application (exported Eclipse project; Maven config intact) with a Jetty/Start/main and a single page for reproducing the issue.

The page has a single required text field that gets disabled by JavaScript, which causes onSubmit to be executed with a null model value.

> Major security hole affecting required text fields
> --------------------------------------------------
>
>                 Key: WICKET-2397
>                 URL: https://issues.apache.org/jira/browse/WICKET-2397
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.7, 1.4-M1, 1.4-M2, 1.4-M3, 1.4-RC1, 1.4-RC2, 1.4-RC3, 1.4-RC4, 1.4-RC5, 1.4-RC6, 1.4-RC7
>            Reporter: Jörn Zaefferer
>            Priority: Blocker
>         Attachments: nullable-test.zip
>
>
> AbstractTextComponent overrides isInputNullable to return false, instead of the default true, defined in FormComponent. FormComponent#checkRequired uses isInputNullable to check if an input was disabled. That makes it possible to submit a form with a required field without that field, completely skipping the validation (the form's onSubmit is called). We consider this a wide open security hole, as basically any form with a required text field, relying on the required-validation, is affected.
> The hole can easily be exploited by not removing certain fields from a form submit, e.g. by removing them from the DOM via Firebug (then doing a regular submit), or forging the complete request with an appropriate tool.
> From what is commented on isInputNullable, it seems like the check should actually be replaced with an actual check of enabled/disabled methods/properties. A required input is only optional when it is actually not enabled (on the server side), not just because its key/value pair is missing in the request.
> I'll attach a test application.
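To make the mechanism in the report concrete, here is an added Python model (not Wicket's code; the class and method names are assumptions that mirror FormComponent#checkRequired and isInputNullable) contrasting the original check, which trusts the absence of the request parameter, with the server-side enabled check the reporter proposes:

```python
# Simplified model of the required-field check discussed in WICKET-2397.
# Added illustration only; names are assumptions, not Wicket's real API.

class FormComponent:
    """Server-side form component. 'enabled' is the server-side state;
    the request dict stands in for the submitted parameters."""
    input_nullable = True  # FormComponent default per the report

    def __init__(self, name, required=True, enabled=True):
        self.name = name
        self.required = required
        self.enabled = enabled

    def get_input(self, request):
        # None when the key/value pair is absent from the request
        return request.get(self.name)

    def check_required_buggy(self, request):
        """Pre-fix logic: on a non-nullable component a missing parameter
        is taken as proof that the field was disabled, so it passes."""
        if not self.required:
            return True
        value = self.get_input(request)
        if value is None and not self.input_nullable:
            return True  # flaw: the client controls whether the key is sent
        return bool(value and value.strip())

    def check_required_fixed(self, request):
        """Fix suggested in the report: only a component that is actually
        disabled on the server side is exempt from the required check."""
        if not self.required or not self.enabled:
            return True
        value = self.get_input(request)
        return bool(value and value.strip())


class TextField(FormComponent):
    input_nullable = False  # AbstractTextComponent overrides the default


def required_passes(component, request, fixed=False):
    """Run the chosen variant of the check; True means validation passed."""
    if fixed:
        return component.check_required_fixed(request)
    return component.check_required_buggy(request)
```

With the constructed request `{}` (the required field removed from the DOM before submit), the buggy check lets the form through while the fixed check rejects it; a field the server itself disabled still passes under the fix.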

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.