You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Alex Grant (JIRA)" <ji...@apache.org> on 2015/07/08 06:24:04 UTC
[jira] [Created] (WICKET-5944) CSRF prevention does not work with
https URLS on the default port
Alex Grant created WICKET-5944:
----------------------------------
Summary: CSRF prevention does not work with https URLS on the default port
Key: WICKET-5944
URL: https://issues.apache.org/jira/browse/WICKET-5944
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 6.20.0
Reporter: Alex Grant
If your URL is https on the default port (so no :443 on the end), then the CSRF prevention (WICKET-5919) rejects requests with the Origin header supplied.
In CsrfPreventionRequestCycleListener, line 519 looks like this
if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443)
So the port != -1 test binds only to the "http" half of the or statement, and the if block executes, which appends ":-1" to the end of the "https" URL. I think it should instead say
if (port != -1 && ("http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443))
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)