You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "Alex Grant (JIRA)" <ji...@apache.org> on 2015/07/08 06:24:04 UTC

[jira] [Created] (WICKET-5944) CSRF prevention does not work with https URLS on the default port

Alex Grant created WICKET-5944:
----------------------------------

             Summary: CSRF prevention does not work with https URLS on the default port
                 Key: WICKET-5944
                 URL: https://issues.apache.org/jira/browse/WICKET-5944
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 6.20.0
            Reporter: Alex Grant


If your URL is https on the default port (so no :443 on the end), then the CSRF prevention (WICKET-5919) rejects requests with the Origin header supplied.

In CsrfPreventionRequestCycleListener, line 519 looks like this

if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443)

So the port != -1 test binds only to the "http" half of the or statement, and the if block executes, which appends ":-1" to the end of the "https" URL. I think it should instead say

if (port != -1 && ("http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443))




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)