Posted to commits@wicket.apache.org by "Sebastiaan van Erk (Created) (JIRA)" <ji...@apache.org> on 2012/02/23 20:40:49 UTC

[jira] [Created] (WICKET-4427) possible to bypass PackageResourceGuard

possible to bypass PackageResourceGuard
---------------------------------------

                 Key: WICKET-4427
                 URL: https://issues.apache.org/jira/browse/WICKET-4427
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.4.18
            Reporter: Sebastiaan van Erk


It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Resolved] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Martin Grigorov (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-4427.
-------------------------------------

       Resolution: Fixed
    Fix Version/s: 6.0.0
                   1.5.5
                   1.4.20
         Assignee: Martin Grigorov

Thanks!
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Closed] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Peter Ertl (Closed) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl closed WICKET-4427.
------------------------------

    Resolution: Invalid
    
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Updated] (WICKET-4427) test

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4427:
---------------------------------------

    Comment: was deleted

(was: Hi,

Thanks for looking at this issue, but I have several issues with the proposed fix.

1) It does not address the real problem: why is a file "x%20" resolved to "x" on the file system in the first place (if I request x%20 then I expect it to open x%20 and not x).
2) PackageResourceGuard is an implementation of an interface, namely of IPackageResourceGuard with one method boolean accept(final Class<?> scope, final String path). As it stands, the same problem can occur with other implementations, and in fact, it is strange that if I accept "x%20" for whatever reason with this *interface*, that it should suddenly return a resource with a different path.

When debugging to find the real reason this went wrong, I found it to be related to this code:

	public ExtensionResourceNameIterator(String path, final String extension)
	{
		if ((extension == null) && (path.indexOf('.') != -1))
		{
			// Get the extension from the path provided
			extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
			path = Strings.beforeLastPathComponent(path, '.');
		}
		else if (extension != null)
		{
			// Extension can be a comma separated list
			extensions = Strings.split(extension, ',');
			for (int i = extensions.length - 1; i >= 0; i--)
			{
				extensions[i] = extensions[i].trim();
				if (!extensions[i].startsWith("."))
				{
					extensions[i] = "." + extensions[i];
				}
			}
		}
		else
		{
			extensions = new String[1];
			extensions[0] = ".";
		}

		this.path = path;
		index = 0;
	}

Basically, this enumerator gets passed the real extension of the file, *and then processes it*, *AFTER THE RESOURCE GUARD CHECK HAS ALREADY BEEN DONE*.

I don't know at which point it is necessary to initialize this iterator from a single string containing a comma separated list of extensions, but to split this string and process it here is doing it at the wrong level because it cannot distinguish between 1 extension with a comma in it and multiple extensions and also not (due to the trim) between extensions with leading or trailing white space. The splitting should probably be being done at the point where the extension is clearly a value from configuration property.

All in all, the previous fix did not actually fix the problem, it just removed a symptom of the problem for one implementation of IPackageResourceGuard.

To prove this, note that the above extension processing does two things: split on , and trim. This means that another way to subvert the check is to use the extension ".properties,xml", i.e., using the url:

http://localhost:8080/wicket-4427/resources/test/test.properties,xml)
    
> test
> ----
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Test
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>



[jira] [Commented] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Sebastiaan van Erk (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215699#comment-13215699 ] 

Sebastiaan van Erk commented on WICKET-4427:
--------------------------------------------

Hi,

Thanks for looking at this issue, but I have several issues with the proposed fix.

1) It does not address the real problem: why is a file "x%20" resolved to "x" on the file system in the first place (if I request x%20 then I expect it to open x%20 and not x).
2) PackageResourceGuard is an implementation of an interface, namely of IPackageResourceGuard with one method boolean accept(final Class<?> scope, final String path). As it stands, the same problem can occur with other implementations, and in fact, it is strange that if I accept "x%20" for whatever reason with this *interface*, that it should suddenly return a resource with a different path.

When debugging to find the real reason this went wrong, I found it to be related to this code:

	public ExtensionResourceNameIterator(String path, final String extension)
	{
		if ((extension == null) && (path.indexOf('.') != -1))
		{
			// Get the extension from the path provided
			extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
			path = Strings.beforeLastPathComponent(path, '.');
		}
		else if (extension != null)
		{
			// Extension can be a comma separated list
			extensions = Strings.split(extension, ',');
			for (int i = extensions.length - 1; i >= 0; i--)
			{
				extensions[i] = extensions[i].trim();
				if (!extensions[i].startsWith("."))
				{
					extensions[i] = "." + extensions[i];
				}
			}
		}
		else
		{
			extensions = new String[1];
			extensions[0] = ".";
		}

		this.path = path;
		index = 0;
	}

Basically, this enumerator gets the real extension of the file, *and then processes it*, *AFTER THE RESOURCE GUARD CHECK HAS ALREADY BEEN DONE*.

I don't know at which point it is necessary to initialize this iterator from a single string containing a comma separated list of extensions, but to split this string and process it here is doing it at the wrong level because it cannot distinguish between 1 extension with a comma in it and multiple extensions, but it also trims (processing which just shouldn't be done here). The splitting should probably be done at the point where the extension is clearly a value of a configuration property.

All in all, the previous fix did not actually fix the problem, it just removed a symptom of the problem for one implementation of IPackageResourceGuard.

To prove this, note that the above extension processing does two things: split on , and trim. This means that another way to subvert the check is to use the extension ".properties,xml", i.e., using the url:

http://localhost:8080/wicket-4427/resources/test/test.properties,xml
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20

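The ordering problem Sebastiaan describes (guard check on the raw path, extension split-and-trim afterwards), as an added example that is not Wicket's code: a small Python model of a deny-list guard followed by the processing quoted above, with `resolve_fixed` showing the ordering that closes the gap by letting the guard see the exact name that is opened. `java_trim` reproduces Java's `String.trim()` semantics (every leading/trailing character at or below U+0020 is removed); the file set, the deny list and all function names are constructed for this example.

```python
"""Model of WICKET-4427: a deny-list guard checked on the raw request path,
followed by extension processing that splits on ',' and trims each piece.
Everything here is constructed for illustration; it is not Wicket code."""
from typing import List, Optional, Set, Tuple
from urllib.parse import unquote

# Files in the package, as in the ticket's quickstart: a .txt that may be
# served and a .properties that must not be.  (Constructed sample set.)
PACKAGE_FILES: Set[str] = {"test.txt", "test.properties"}

# Extensions a deny-list guard refuses to serve (constructed list).
DENIED_EXTENSIONS = {".properties", ".class", ".java"}


def java_trim(s: str) -> str:
    """Java's String.trim(): strips every leading/trailing char <= U+0020.
    A trailing space (%20) and control bytes such as %10 or %13 all vanish,
    which is why each of them turns 'properties<x>' back into 'properties'."""
    start, end = 0, len(s)
    while start < end and ord(s[start]) <= 0x20:
        start += 1
    while end > start and ord(s[end - 1]) <= 0x20:
        end -= 1
    return s[start:end]


def split_name(path: str) -> Tuple[str, Optional[str]]:
    """'test.properties' -> ('test', 'properties'); no dot -> (path, None)."""
    dot = path.rfind(".")
    if dot == -1:
        return path, None
    return path[:dot], path[dot + 1:]


def guard_accepts(path: str) -> bool:
    """Deny-list check on the path exactly as given: the raw, untrimmed,
    unsplit extension is compared against the deny list."""
    _, ext = split_name(path)
    return ext is None or "." + ext not in DENIED_EXTENSIONS


def extension_candidates(ext: Optional[str]) -> List[str]:
    """The split-and-trim branch of ExtensionResourceNameIterator quoted in
    the ticket: split the extension on ',', trim each piece, prefix a dot."""
    if ext is None:
        return [""]  # no extension: try the name as-is
    out = []
    for piece in ext.split(","):
        piece = java_trim(piece)
        out.append(piece if piece.startswith(".") else "." + piece)
    return out


def resolve_vulnerable(url_path: str) -> Optional[str]:
    """Ordering as reported: guard on the raw path, then normalise, then open.
    Returns the file that would be served, or None if refused/missing."""
    requested = unquote(url_path)          # %20 -> ' ', %10 -> '\x10', ...
    if not guard_accepts(requested):       # sees 'properties ' or 'properties,xml'
        return None
    base, ext = split_name(requested)
    for cand in extension_candidates(ext): # now '.properties'
        name = base + cand
        if name in PACKAGE_FILES:
            return name
    return None


def resolve_fixed(url_path: str) -> Optional[str]:
    """Fixed ordering: normalise first, and run the guard on every candidate
    name that would actually be opened, not on the request string."""
    requested = unquote(url_path)
    base, ext = split_name(requested)
    for cand in extension_candidates(ext):
        name = base + cand
        if name in PACKAGE_FILES and guard_accepts(name):
            return name
    return None


if __name__ == "__main__":
    for req in ("test.txt", "test.properties", "test.properties%20",
                "test.properties%10", "test.properties,xml"):
        print(f"{req:24} vulnerable={resolve_vulnerable(req)!s:16} "
              f"fixed={resolve_fixed(req)}")
```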

[jira] [Reopened] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Johan Compagner (Reopened) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Johan Compagner reopened WICKET-4427:
-------------------------------------


Sebastiaan reports that the fix doesn't fix the issue.
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Commented] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Peter Ertl (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216033#comment-13216033 ] 

Peter Ertl commented on WICKET-4427:
------------------------------------

I agree this is a bug that needs a quick fix, as a workaround in the meantime I recommend anybody reading this ticket to use

  org.apache.wicket.markup.html.SecurePackageResourceGuard

which does by default 'deny all' and is a lot more secure anyway.
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Updated] (WICKET-4427) test

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4427:
---------------------------------------

    Attachment:     (was: wicket-4427.zip)
    
> test
> ----
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Test
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>



[jira] [Commented] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Martin Grigorov (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215479#comment-13215479 ] 

Martin Grigorov commented on WICKET-4427:
-----------------------------------------

I cannot reproduce this problem.
Please either attach a quickstart or a patch for org.apache.wicket.markup.html.SecurePackageResourceGuardTest that shows the problem. Thanks!
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Updated] (WICKET-4427) test

Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl updated WICKET-4427:
-------------------------------

    Comment: was deleted

(was: @Martin: Since the ticket is assigned to you just wanted to mention I changed ExtensionResourceNameIterator (please check))
    
> test
> ----
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Test
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>         Attachments: wicket-4427.zip
>
>



[jira] [Issue Comment Edited] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Sebastiaan van Erk (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215699#comment-13215699 ] 

Sebastiaan van Erk edited comment on WICKET-4427 at 2/24/12 4:01 PM:
---------------------------------------------------------------------

Hi,

Thanks for looking at this issue, but I have several issues with the proposed fix.

1) It does not address the real problem: why is a file "x%20" resolved to "x" on the file system in the first place (if I request x%20 then I expect it to open x%20 and not x).
2) PackageResourceGuard is an implementation of an interface, namely of IPackageResourceGuard with one method boolean accept(final Class<?> scope, final String path). As it stands, the same problem can occur with other implementations, and in fact, it is strange that if I accept "x%20" for whatever reason with this *interface*, that it should suddenly return a resource with a different path.

When debugging to find the real reason this went wrong, I found it to be related to this code:

	public ExtensionResourceNameIterator(String path, final String extension)
	{
		if ((extension == null) && (path.indexOf('.') != -1))
		{
			// Get the extension from the path provided
			extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
			path = Strings.beforeLastPathComponent(path, '.');
		}
		else if (extension != null)
		{
			// Extension can be a comma separated list
			extensions = Strings.split(extension, ',');
			for (int i = extensions.length - 1; i >= 0; i--)
			{
				extensions[i] = extensions[i].trim();
				if (!extensions[i].startsWith("."))
				{
					extensions[i] = "." + extensions[i];
				}
			}
		}
		else
		{
			extensions = new String[1];
			extensions[0] = ".";
		}

		this.path = path;
		index = 0;
	}

Basically, this enumerator gets passed the real extension of the file, *and then processes it*, *AFTER THE RESOURCE GUARD CHECK HAS ALREADY BEEN DONE*.

I don't know at which point it is necessary to initialize this iterator from a single string containing a comma separated list of extensions, but to split this string and process it here is doing it at the wrong level because it cannot distinguish between 1 extension with a comma in it and multiple extensions and also not (due to the trim) between extensions with leading or trailing white space. The splitting should probably be being done at the point where the extension is clearly a value from configuration property.

All in all, the previous fix did not actually fix the problem, it just removed a symptom of the problem for one implementation of IPackageResourceGuard.

To prove this, note that the above extension processing does two things: split on , and trim. This means that another way to subvert the check is to use the extension ".properties,xml", i.e., using the url:

http://localhost:8080/wicket-4427/resources/test/test.properties,xml
                
      was (Author: sebster):
    Hi,

Thanks for looking at this issue, but I have several issues with the proposed fix.

1) It does not address the real problem: why is a file "x%20" resolved to "x" on the file system in the first place (if I request x%20 then I expect it to open x%20 and not x).
2) PackageResourceGuard is an implementation of an interface, namely of IPackageResourceGuard with one method boolean accept(final Class<?> scope, final String path). As it stands, the same problem can occur with other implementations, and in fact, it is strange that if I accept "x%20" for whatever reason with this *interface*, that it should suddenly return a resource with a different path.

When debugging to find the real reason this went wrong, I found it to be related to this code:

	public ExtensionResourceNameIterator(String path, final String extension)
	{
		if ((extension == null) && (path.indexOf('.') != -1))
		{
			// Get the extension from the path provided
			extensions = new String[] { "." + Strings.lastPathComponent(path, '.') };
			path = Strings.beforeLastPathComponent(path, '.');
		}
		else if (extension != null)
		{
			// Extension can be a comma separated list
			extensions = Strings.split(extension, ',');
			for (int i = extensions.length - 1; i >= 0; i--)
			{
				extensions[i] = extensions[i].trim();
				if (!extensions[i].startsWith("."))
				{
					extensions[i] = "." + extensions[i];
				}
			}
		}
		else
		{
			extensions = new String[1];
			extensions[0] = ".";
		}

		this.path = path;
		index = 0;
	}

Basically, this enumerator gets the real extension of the file, *and then processes it*, *AFTER THE RESOURCE GUARD CHECK HAS ALREADY BEEN DONE*.

I don't know at which point it is necessary to initialize this iterator from a single string containing a comma separated list of extensions, but to split this string and process it here is doing it at the wrong level because it cannot distinguish between 1 extension with a comma in it and multiple extensions, but it also trims (processing which just shouldn't be done here). The splitting should probably be done at the point where the extension is clearly a value of a configuration property.

All in all, the previous fix did not actually fix the problem, it just removed a symptom of the problem for one implementation of IPackageResourceGuard.

To prove this, note that the above extension processing does two things: split on , and trim. This means that another way to subvert the check is to use the extension ".properties,xml", i.e., using the url:

http://localhost:8080/wicket-4427/resources/test/test.properties,xml
                  
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Updated] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4427:
---------------------------------------

    Attachment: wicket-4427.zip

Quick start illustrating the problem. Contains 2 test resources, one .txt file and a .properties file. The latter should not be accessible, however, it can be accessed by the following URL (using firefox 10.0.2 for ubuntu):

http://localhost:8080/wicket-4427/resources/test/test.properties%20
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Reopened] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Peter Ertl (Reopened) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl reopened WICKET-4427:
--------------------------------

      Assignee: Peter Ertl  (was: Martin Grigorov)
    
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Issue Comment Edited] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Peter Ertl (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216033#comment-13216033 ] 

Peter Ertl edited comment on WICKET-4427 at 2/24/12 10:51 PM:
--------------------------------------------------------------

I agree this is a bug that needs a quick fix, as a workaround in the meantime I recommend anybody reading this ticket to use

  org.apache.wicket.markup.html.SecurePackageResourceGuard

which does by default 'deny all' and is more secure anyway.
                
      was (Author: pete):
    I agree this is a bug that needs a quick fix, as a workaround in the meantime I recommend anybody reading this ticket to use

  org.apache.wicket.markup.html.SecurePackageResourceGuard

which does by default 'deny all' and is a lot more secure anyway.
                  
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Updated] (WICKET-4427) test

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4427:
---------------------------------------

    Comment: was deleted

(was: Quick start illustrating the problem. Contains 2 test resources, one .txt file and a .properties file. The latter should not be accessible, however, it can be accessed by the following URL (using firefox 10.0.2 for ubuntu):

http://localhost:8080/wicket-4427/resources/test/test.properties%20

(I ran the quickstart using mvn clean jetty:run))
    
> test
> ----
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Test
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>



[jira] [Resolved] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Peter Ertl (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl resolved WICKET-4427.
--------------------------------

       Resolution: Invalid
    Fix Version/s:     (was: 1.5.5)
                       (was: 1.4.20)
                       (was: 6.0.0)
    
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20


[jira] [Commented] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Peter Ertl (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216509#comment-13216509 ] 

Peter Ertl commented on WICKET-4427:
------------------------------------

@Martin: Since the ticket is assigned to you, I just wanted to mention that I changed ExtensionResourceNameIterator (please check)
                
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>            Assignee: Martin Grigorov
>             Fix For: 1.4.20, 1.5.5, 6.0.0
>
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20

[jira] [Updated] (WICKET-4427) test

Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl updated WICKET-4427:
-------------------------------

    Comment: was deleted

(was: I agree this is a bug that needs a quick fix; as a workaround in the meantime I recommend anybody reading this ticket to use

  org.apache.wicket.markup.html.SecurePackageResourceGuard

which does by default 'deny all' and is more secure anyway.)
    
> test
> ----
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Test
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>         Attachments: wicket-4427.zip
>
>
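Added example, not code from the ticket's quickstart or from Wicket itself, showing how the workaround in the deleted comment above is wired up: a WebApplication subclass that installs SecurePackageResourceGuard with an explicit allow-list. The application class, its package, the HomePage class and the set of allowed extensions are assumptions for illustration. The calls used (the SecurePackageResourceGuard constructor, addPattern, getResourceSettings().setPackageResourceGuard) are Wicket's own API, and the pattern syntax is the one documented for that class: a leading '+' allows, '-' denies, '*' is a file-name wildcard, and patterns are tried in the order added with the first match deciding.

```java
package com.example.wicket4427; // hypothetical package for this example

import org.apache.wicket.Page;
import org.apache.wicket.markup.html.SecurePackageResourceGuard;
import org.apache.wicket.protocol.http.WebApplication;

/**
 * Hypothetical application class (not the ticket's quickstart) applying the
 * workaround from the deleted comment: replace the default PackageResourceGuard
 * with SecurePackageResourceGuard, which refuses every package resource unless
 * a '+' pattern explicitly admits it.
 */
public class GuardedApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // assumed to exist alongside this class
    }

    @Override
    protected void init() {
        super.init();

        SecurePackageResourceGuard guard = new SecurePackageResourceGuard();

        // Patterns are evaluated in the order they were added; the first match
        // decides. Explicit denies go first as a second layer on top of the
        // guard's deny-by-default behaviour.
        guard.addPattern("-*.properties");
        guard.addPattern("-*.class");
        guard.addPattern("-*.java");

        // Admit only the static asset types this application really serves
        // from its packages. This set is an assumption for the example; trim
        // it to what the application actually ships.
        guard.addPattern("+*.css");
        guard.addPattern("+*.js");
        guard.addPattern("+*.png");
        guard.addPattern("+*.gif");
        guard.addPattern("+*.txt");

        getResourceSettings().setPackageResourceGuard(guard);
    }
}
```

With this guard a request for test.properties%20 is refused even on a build without the fix: the decoded name ends in "properties " (trailing space), which matches none of the '+' patterns, so the guard does not need to recognise the trailing character as an evasion; it simply has no rule that admits it. Two cautions. First, some later Wicket versions pre-register '+' patterns for common asset types in the SecurePackageResourceGuard constructor, so review the defaults of the version in use rather than assuming an empty list. Second, the guard is only one layer; the thread shows the actual fix (released in 1.4.20, 1.5.5 and 6.0.0) touched the resource-name lookup (ExtensionResourceNameIterator), so upgrading is still required.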


[jira] [Issue Comment Edited] (WICKET-4427) possible to bypass PackageResourceGuard

Posted by "Sebastiaan van Erk (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215534#comment-13215534 ] 

Sebastiaan van Erk edited comment on WICKET-4427 at 2/24/12 9:54 AM:
---------------------------------------------------------------------

Quick start illustrating the problem. Contains 2 test resources, one .txt file and a .properties file. The latter should not be accessible, however, it can be accessed by the following URL (using firefox 10.0.2 for ubuntu):

http://localhost:8080/wicket-4427/resources/test/test.properties%20

(I ran the quickstart using mvn clean jetty:run)
                
      was (Author: sebster):
    Quick start illustrating the problem. Contains 2 test resources, one .txt file and a .properties file. The latter should not be accessible, however, it can be accessed by the following URL (using firefox 10.0.2 for ubuntu):

http://localhost:8080/wicket-4427/resources/test/test.properties%20
                  
> possible to bypass PackageResourceGuard
> ---------------------------------------
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.18
>            Reporter: Sebastiaan van Erk
>         Attachments: wicket-4427.zip
>
>
> It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20
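The reproduction above only shows the URL that gets through. As an added, stand-alone illustration (this is not Wicket's PackageResourceGuard and not the attached quickstart), the following models the class of mistake that makes such a URL work: a deny-list keyed on the decoded file extension, compared with a hardened check that rejects control and whitespace characters and allow-lists the extension instead. The blocked and allowed extension sets, the sample request paths and the class name are constructed for the example. Note that %10 and %13, as written in the report, decode to the C0 control characters 0x10 and 0x13, which the hardened check also rejects. Whether the resource loader then finds test.properties for a name carrying such a trailing character is a separate question on the lookup side (the thread points to ExtensionResourceNameIterator); this model covers the guard only. The Charset overload of URLDecoder.decode needs Java 10 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Illustrative model of the bug class behind this ticket; not Wicket code.
 * Shows why a deny-list on the decoded extension is fooled by a trailing
 * encoded space or control character, and what a stricter check looks like.
 */
public final class ResourceGuardModel {

    // Constructed deny set for the example (the extensions a resource guard
    // would typically refuse to serve from the classpath).
    private static final Set<String> BLOCKED = new HashSet<String>(
            Arrays.asList("properties", "class", "java"));

    // Constructed allow set for the hardened variant.
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("txt", "css", "js", "png", "gif"));

    // Any control character (0x00-0x1F, 0x7F) or whitespace anywhere in the name.
    private static final Pattern FORBIDDEN_CHARS = Pattern.compile("[\\p{Cntrl}\\s]");

    private ResourceGuardModel() {
    }

    /** Percent-decodes the request path once, as a servlet container would. */
    static String decode(String rawPath) {
        return URLDecoder.decode(rawPath, StandardCharsets.UTF_8);
    }

    /** Text after the last '.', or "" if there is no dot. */
    static String extensionOf(String path) {
        int dot = path.lastIndexOf('.');
        return dot < 0 ? "" : path.substring(dot + 1);
    }

    /**
     * Deny-list guard: accepts unless the extension is blocked. With a trailing
     * space the extension becomes "properties " and no longer equals
     * "properties", so the request is accepted.
     */
    static boolean denyListAccept(String rawPath) {
        String ext = extensionOf(decode(rawPath)).toLowerCase();
        return !BLOCKED.contains(ext);
    }

    /**
     * Hardened guard: decode once, refuse any control or whitespace character
     * in the name, then require the extension to be on the allow-list. A name
     * that is "almost" a blocked one cannot slip through because it has to be
     * exactly an allowed one.
     */
    static boolean hardenedAccept(String rawPath) {
        String path = decode(rawPath);
        if (FORBIDDEN_CHARS.matcher(path).find()) {
            return false;
        }
        String ext = extensionOf(path).toLowerCase();
        return !BLOCKED.contains(ext) && ALLOWED.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed request paths, modelled on the ticket's quickstart URL.
        String[] requests = {
            "test/test.txt",
            "test/test.properties",
            "test/test.properties%20",
            "test/test.properties%10",
            "test/test.properties%13",
        };
        System.out.printf("%-28s %-10s %s%n", "request", "deny-list", "hardened");
        for (String request : requests) {
            System.out.printf("%-28s %-10s %s%n",
                    request, denyListAccept(request), hardenedAccept(request));
        }
    }
}
```

Running main prints one row per request: test/test.txt is accepted by both guards, test/test.properties is refused by both, and the three variants with an encoded trailing character are accepted by the deny-list guard but refused by the hardened one. The design point is that the deny-list compares a string the attacker controls against a fixed token, so any byte that survives decoding and is not part of the token defeats it, whereas the allow-list leaves nothing for an extra byte to match.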

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (WICKET-4427) test

Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4427?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl updated WICKET-4427:
-------------------------------

          Component/s:     (was: wicket)
          Description:     (was: It is possible to bypass the filters in the PackageResourceGuard by adding %10, %13, or %20 to the end of the url, i.e., http://my.site.com/myapp/mounted_package/myfile.properties%20
)
             Priority: Trivial  (was: Major)
    Affects Version/s:     (was: 1.4.18)
           Issue Type: Test  (was: Bug)
              Summary: test  (was: possible to bypass PackageResourceGuard)
    
> test
> ----
>
>                 Key: WICKET-4427
>                 URL: https://issues.apache.org/jira/browse/WICKET-4427
>             Project: Wicket
>          Issue Type: Test
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>         Attachments: wicket-4427.zip
>
>

