Posted to commits@wicket.apache.org by "Martin Grigorov (JIRA)" <ji...@apache.org> on 2011/03/04 10:26:37 UTC

[jira] Assigned: (WICKET-3498) Entering huge strings in TextFields causes IllegalStateExceptions not caught by the Framework

     [ https://issues.apache.org/jira/browse/WICKET-3498?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov reassigned WICKET-3498:
---------------------------------------

    Assignee: Martin Grigorov

> Entering huge strings in TextFields causes IllegalStateExceptions not caught by the Framework
> ---------------------------------------------------------------------------------------------
>
>                 Key: WICKET-3498
>                 URL: https://issues.apache.org/jira/browse/WICKET-3498
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 1.4.15, 1.4.16, 1.4.17
>         Environment: Wicket 1.4.x/Spring/Jetty 6
>            Reporter: Georg Hartner
>            Assignee: Martin Grigorov
>              Labels: IllegalStateException,, Jetty, ServletWebRequest
>   Original Estimate: 5h
>  Remaining Estimate: 5h
>
> We were testing a sign-in mechanism and entered a huge number of chars in the "username" and "password" fields contained by a form (more than 200.000 chars). This results in an IllegalStateException thrown by Jetty, which is ok from my point of view. The problem is that the full exception stack trace (!!!) is shown to the client => the resulting execution leaves the scope of the Wicket framework, which can't handle the exception correctly. Error page and stack trace for Jetty 6 and Wicket 1.4.15:
> HTTP ERROR 500
> Problem accessing /login/wicket:interface/:0:loginPanel:signInForm::IFormSubmitListener::. Reason:
>     Form too large3791446>200000
> Caused by:
> java.lang.IllegalStateException: Form too large3791446>200000
> 	at org.mortbay.jetty.Request.extractParameters(Request.java:1561)
> 	at org.mortbay.jetty.Request.getParameter(Request.java:859)
> 	at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:83)
> 	at org.apache.wicket.protocol.http.WebApplication.newWebRequest(WebApplication.java:675)
> 	at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:424)
> 	at org.apache.wicket.protocol.http.WicketServlet.doPost(WicketServlet.java:160)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
> 	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
> 	at {filter}
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
> 	at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
> 	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
> 	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
> 	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
> 	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
> 	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
> 	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
> 	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
> 	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
> 	at org.mortbay.jetty.Server.handle(Server.java:326)
> 	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
> 	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
> 	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
> 	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
> 	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
> 	at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
> 	at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:713)
> 	at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
> We suggest an easy fix: catch the IllegalStateException in line 83 of org.apache.wicket.protocol.http.servlet.ServletWebRequest and just log an error (please check whether it really has to be an error to be logged). In effect, no ajaxHeader will be read and Wicket's Internal Error page will be shown:
> Possible solution in Wicket 1.4.15, 1.4.17 (didn't check 1.4.16), ServletWebRequest, line 83:
> 		try
> 		{
> 			if (Strings.isEmpty(ajaxHeader))
> 				ajaxHeader = httpServletRequest.getParameter("wicket:ajax");
> 		}
> 		catch (IllegalStateException exception)
> 		{
> 			log.error("IllegalStateException occurred reading \"wicket:ajax\"-Parameter: " +
> 				exception.getMessage());
> 		}
> Please consider checking Wicket 1.5. I just checked ServletWebRequest, which has apparently been refactored. Line 214 (Enumeration<String> e = httpServletRequest.getHeaders(name);) may be critical, as well as the methods protected Map<String, List<StringValue>> generatePostParameters() and getQueryParameters(). I couldn't check that yet. Please let me know if you want me to analyze that error more intensely and suggest a fix in Wicket 1.5. We consider that bug "Major" or "Critical", as the whole Servlet Container StackTrace is potentially displayed.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
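
The report above describes an exception raised during parameter parsing that escapes the framework and is rendered to the client by the container. As an added example (not Wicket's code and not the reporter's proposed patch), a servlet filter mapped ahead of WicketFilter can contain that failure outside the framework. The class name FormSizeGuardFilter is hypothetical, and the 200000-byte limit is an assumption taken from the error message in the report.

```java
import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical guard filter; map it in web.xml ahead of WicketFilter. */
public class FormSizeGuardFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(FormSizeGuardFilter.class.getName());
    // Assumption: mirrors the limit shown in the report ("Form too large3791446>200000").
    private static final int MAX_FORM_BYTES = 200000;

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String type = request.getContentType();
        boolean form = type != null
                && type.toLowerCase().startsWith("application/x-www-form-urlencoded");
        // Reject declared oversized form bodies before any getParameter() call parses them.
        if (form && request.getContentLength() > MAX_FORM_BYTES) {
            writeGeneric(response, HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "Request too large");
            return;
        }
        try {
            chain.doFilter(req, res);
        } catch (IllegalStateException e) {
            // Chunked bodies declare no length (-1) and only fail once parameters are parsed.
            LOG.log(Level.WARNING, "Request parameter parsing failed", e); // detail stays server-side
            writeGeneric(response, HttpServletResponse.SC_INTERNAL_SERVER_ERROR, "Internal error");
        }
    }

    // Sends a fixed body so no exception message or stack trace reaches the client.
    private static void writeGeneric(HttpServletResponse response, int status, String body)
            throws IOException {
        if (response.isCommitted()) {
            return; // headers already sent; nothing can safely be changed
        }
        response.reset();
        response.setStatus(status);
        response.setContentType("text/plain");
        response.getWriter().write(body);
    }
}
```

The full exception is still written to the server log, so the failure remains visible to operators while the client sees only the fixed text.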