Posted to commits@wicket.apache.org by "Stanislav Dvorscak (JIRA)" <ji...@apache.org> on 2010/10/07 14:02:33 UTC

[jira] Created: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

AjaxEventBehavior#onEvent is invoked on disabled behavior
---------------------------------------------------------

                 Key: WICKET-3098
                 URL: https://issues.apache.org/jira/browse/WICKET-3098
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.4.9
            Reporter: Stanislav Dvorscak
            Priority: Critical


Security bug: AjaxEventBehavior#onEvent is invoked on a disabled behavior. It should not be - it is really dangerous, can you fix it?

I think it is a security bug.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922100#action_12922100 ] 

Igor Vaynberg commented on WICKET-3098:
---------------------------------------

A more likely scenario is that the user overrode isEnabled() on the component or behavior, and at the time of the callback it returns false. Another one is that the client messed around with the URL and changed the behavior index.

Anyways, it is handled just like a click on a disabled component.

> AjaxEventBehavior#onEvent is invoked on disabled behavior
> ---------------------------------------------------------
>
>                 Key: WICKET-3098
>                 URL: https://issues.apache.org/jira/browse/WICKET-3098
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.9
>            Reporter: Stanislav Dvorscak
>            Assignee: Igor Vaynberg
>             Fix For: 1.4.13, 1.5-M3
>
>         Attachments: BehaviorRequestTarget.java.patch
>
>
> Security bug  AjaxEventBehavior#onEvent is invoked on disabled behavior. It should not be - it is really dangerous, can you fix it.
> I think it is security bug.
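
The situation discussed in this thread, as an added example that is not part of the original messages and is not Wicket's code: a simplified Java model in which a callback selects a behavior by a client-supplied index, with the enabled check repeated at callback time. All type and method names here (`Component`, `Behavior`, `dispatchUnchecked`, `dispatchChecked`, `Outcome`) are hypothetical.

```java
import java.util.ArrayList;
import java.util.List;
// Simplified model of a component framework's Ajax callback dispatch.
// All types here are hypothetical; none of this is Wicket's API.
public class DisabledBehaviorDispatch {
    interface Behavior {
        boolean isEnabled(Component c);
        void onEvent();
    }
    static class Component {
        boolean enabled = true;
        final List<Behavior> behaviors = new ArrayList<>();
    }
    enum Outcome { INVOKED, IGNORED_DISABLED, REJECTED_BAD_INDEX }

    // The reported behaviour: the index from the URL selects a behavior and
    // its handler runs without consulting the current server-side state.
    static Outcome dispatchUnchecked(Component c, int index) {
        c.behaviors.get(index).onEvent();
        return Outcome.INVOKED;
    }

    // The check re-done at callback time: the index is client-controlled,
    // and the enabled state may have changed since the page was rendered.
    static Outcome dispatchChecked(Component c, int index) {
        if (index < 0 || index >= c.behaviors.size()) {
            return Outcome.REJECTED_BAD_INDEX;
        }
        Behavior b = c.behaviors.get(index);
        if (!c.enabled || !b.isEnabled(c)) {
            return Outcome.IGNORED_DISABLED; // same as a click on a disabled component
        }
        b.onEvent();
        return Outcome.INVOKED;
    }

    public static void main(String[] args) {
        int[] submits = {0}; // counts handler invocations
        Component form = new Component();
        form.behaviors.add(new Behavior() {
            public boolean isEnabled(Component c) { return c.enabled; }
            public void onEvent() { submits[0]++; }
        });
        form.enabled = false; // disabled after render; the client still holds the old callback URL
        System.out.println(dispatchChecked(form, 0) + " submits=" + submits[0]);
        System.out.println(dispatchChecked(form, 7) + " submits=" + submits[0]);
        System.out.println(dispatchUnchecked(form, 0) + " submits=" + submits[0]);
    }
}
```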



[jira] Resolved: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg resolved WICKET-3098.
-----------------------------------

       Resolution: Fixed
    Fix Version/s: 1.5-M3
                   1.4.13
         Assignee: Igor Vaynberg

Good catch, thanks.



[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Igor Vaynberg (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922343#action_12922343 ] 

Igor Vaynberg commented on WICKET-3098:
---------------------------------------

Fixed, thanks.



[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12921090#action_12921090 ] 

Hudson commented on WICKET-3098:
--------------------------------

Integrated in Apache Wicket 1.5.x #402 (See [https://hudson.apache.org/hudson/job/Apache%20Wicket%201.5.x/402/])
    



[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922089#action_12922089 ] 

Pedro Santos commented on WICKET-3098:
--------------------------------------

Why silently return from the call rather than throw a page expired exception? The only use case that I can imagine now is:
- add an enabled component + ajax behavior
- while processing some ajax request, disable the component and don't add it to the target
Result: the page is presenting an expired component state; the current one is disabled.



[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12922350#action_12922350 ] 

Hudson commented on WICKET-3098:
--------------------------------

Integrated in Apache Wicket 1.5.x #419 (See [https://hudson.apache.org/hudson/job/Apache%20Wicket%201.5.x/419/])
    Issue: WICKET-3098




[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Stanislav Dvorscak (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12918923#action_12918923 ] 

Stanislav Dvorscak commented on WICKET-3098:
--------------------------------------------

Yes, it is easy to fix.

It should be done in the same way as in all other places.
Because if something is disabled, it should be inaccessible.

The AjaxFormSubmitBehavior is more dangerous. And it extends this class.
A disabled behavior can start the form processing. And I think it is dangerous.



[jira] Updated: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pedro Santos updated WICKET-3098:
---------------------------------

    Attachment: patch.txt

A test case preventing the bug plus a missing else clause :)



[jira] Updated: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Pedro Santos (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Pedro Santos updated WICKET-3098:
---------------------------------

    Attachment: BehaviorRequestTarget.java.patch

A patch preventing the disabled behavior call at the request target



[jira] Commented: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12921082#action_12921082 ] 

Hudson commented on WICKET-3098:
--------------------------------

Integrated in Apache Wicket 1.4.x #204 (See [https://hudson.apache.org/hudson/job/Apache%20Wicket%201.4.x/204/])
    



[jira] Updated: (WICKET-3098) AjaxEventBehavior#onEvent is invoked on disabled behavior

Posted by "Martin Grigorov (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-3098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov updated WICKET-3098:
------------------------------------

    Priority: Major  (was: Critical)

It should be easy to fix. But why is it such a serious problem?
