You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2016/04/19 23:17:25 UTC
[jira] [Commented] (WICKET-6144) Wicket-ajax parameter / header may
be used to bypass proper exception handling
[ https://issues.apache.org/jira/browse/WICKET-6144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15248660#comment-15248660 ]
ASF subversion and git services commented on WICKET-6144:
---------------------------------------------------------
Commit be84f1b3a3737013a059586920f08540066c4471 in wicket's branch refs/heads/wicket-6.x from [~svenmeier]
[ https://git-wip-us.apache.org/repos/asf?p=wicket.git;h=be84f1b ]
WICKET-6144 guard against invalid value
> Wicket-ajax parameter / header may be used to bypass proper exception handling
> ------------------------------------------------------------------------------
>
> Key: WICKET-6144
> URL: https://issues.apache.org/jira/browse/WICKET-6144
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.22.0
> Reporter: Christian Oldiges
> Assignee: Sven Meier
>
> WebRequest.isAjax() throws an exception if any value that cannot be properly decoded into a Boolean is used either for the "wicket-ajax" request parameter or the "Wicket-Ajax" request header.
> Example: http://localhost:8080/wicketapp/?wicket-ajax=sdfgs results ins
> {code}
> org.apache.wicket.util.string.StringValueConversionException: Boolean value "sdfgs" not recognized
> at org.apache.wicket.util.string.Strings.isTrue(Strings.java:623)
> at org.apache.wicket.request.http.WebRequest.isAjax(WebRequest.java:117)
> at org.apache.wicket.markup.html.WebPage.dirty(WebPage.java:327)
> at org.apache.wicket.Page.dirty(Page.java:248)
> at org.apache.wicket.Page.componentStateChanging(Page.java:937)
> at org.apache.wicket.Component.addStateChange(Component.java:3512)
> at org.apache.wicket.Behaviors.add(Behaviors.java:55)
> at org.apache.wicket.Component.add(Component.java:4506)
> {code}
> WebRequest.isAjax() is called for dirty-flag handling when a component is added to a page. So any useful wicket page triggers a call to this method which is also true for most error handling page that get initialized during exception handling e.g. in RequestCycleListener.onException().
> So, using a very simple attack URL may bypass the intended wicket exception handling code.
> A possible fix in WebRequest:
> {code}
> public boolean isAjax()
> {
> return Strings.isTrue(getHeader(HEADER_AJAX)) || Strings.isTrue(getRequestParameters().getParameterValue(PARAM_AJAX).toString());
> }
> {code}
> becomes
> {code}
> public boolean isAjax()
> {
> try {
> return Strings.isTrue(getHeader(HEADER_AJAX)) || Strings.isTrue(getRequestParameters().getParameterValue(PARAM_AJAX).toString());
> } catch (Exception e) {
> // add some logging here!
> return false;
> }
> }
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)