Posted to commits@wicket.apache.org by mg...@apache.org on 2011/11/08 15:35:06 UTC
svn commit: r1199263 -
/wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java
Author: mgrigorov
Date: Tue Nov 8 14:35:05 2011
New Revision: 1199263
URL: http://svn.apache.org/viewvc?rev=1199263&view=rev
Log:
WICKET-4196 Accessing Wicket through AJP makes Wicket vulnerable to HTTP Response Splitting Attack
Modified:
wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java
Modified: wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java
URL: http://svn.apache.org/viewvc/wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java?rev=1199263&r1=1199262&r2=1199263&view=diff
==============================================================================
--- wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java (original)
+++ wicket/branches/wicket-1.4.x/wicket/src/main/java/org/apache/wicket/markup/html/pages/BrowserInfoPage.java Tue Nov 8 14:35:05 2011
@@ -206,6 +206,34 @@ public class BrowserInfoPage extends Web
}
};
}
+ continueTo = sanitize(continueTo);
this.continueTo = continueTo;
}
+
+ /**
+ * Cleans the <code>cto</code> request parameter from malicious user input.
+ *
+ * @param continueTo
+ * the url to redirect to after extracting the browser info
+ * @return the url to redirect to after the cleaning.
+ */
+ private String sanitize(String continueTo)
+ {
+ // continueTo is already checked against 'null'
+
+ // cut everything after \n or \r. WICKET-4196
+ int idx = continueTo.indexOf('\n');
+ if (idx > -1)
+ {
+ continueTo = continueTo.substring(0, idx);
+ }
+
+ idx = continueTo.indexOf('\r');
+ if (idx > -1)
+ {
+ continueTo = continueTo.substring(0, idx);
+ }
+
+ return continueTo;
+ }
}
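Review bot: sanitize() only truncates at the first raw `\n` or `\r`, which covers the literal CR/LF case WICKET-4196 describes, but any other control character in continueTo still reaches the redirect header untouched; if the goal is a header-safe redirect target, a single scan that cuts at the first character below 0x20 handles CR, LF and the rest in one pass, e.g. `for (int i = 0; i < continueTo.length(); i++) { if (continueTo.charAt(i) < 0x20) { return continueTo.substring(0, i); } }` followed by `return continueTo;`. That also replaces the two sequential indexOf/substring steps, which are harder to read than one loop. The javadoc says the method "cleans" the cto parameter but does not say how; I would state the truncation explicitly, e.g. `* Truncates the value at the first CR or LF so it cannot inject additional response headers (WICKET-4196).`. Note that the call `continueTo = sanitize(continueTo);` sits inside a method whose start is outside the hunk, so the "already checked against 'null'" comment relies on a check that is not visible here.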