Posted to commits@wicket.apache.org by "Jurriaan Pruys (Created) (JIRA)" <ji...@apache.org> on 2012/02/13 16:01:01 UTC

[jira] [Created] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS
----------------------------------------------------------------------------------------------------

                 Key: WICKET-4407
                 URL: https://issues.apache.org/jira/browse/WICKET-4407
             Project: Wicket
          Issue Type: Improvement
          Components: wicket
    Affects Versions: 1.5.4
         Environment: IIS
            Reporter: Jurriaan Pruys
            Priority: Minor


CryptoMapper encrypts the whole Url into a single segment. As a result the encrypted url segment can be very long (> 260 characters). The default maximum url segment size for IIS is 260 characters (see http://support.microsoft.com/kb/820129). The warning note for changing this default is "Changing this registry key is considered extremely dangerous. This key causes Http.sys to use more memory and may increase vulnerability to malicious attacks." 

I've created my own CryptoMapper that puts the encrypted request in a request parameter. This works fine, but it would be nice to have this as a (configurable | default) behavior of CryptoMapper.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jurriaan Pruys updated WICKET-4407:
-----------------------------------

    Attachment:     (was: CryptoMapper.java)
    

        

[jira] [Resolved] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Martin Grigorov (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Martin Grigorov resolved WICKET-4407.
-------------------------------------

    Resolution: Won't Fix

I don't like the suggested fix. The same problem may happen with any other mapper too if you add a too long segment in the url. For example using BookmarkableMapper with a class whose name is more than 260 chars...
It is much better to set the registry entry to a bigger value or 0 as described at http://support.microsoft.com/kb/820129 and not care about such problems.
                

        

[jira] [Commented] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213589#comment-13213589 ] 

Jurriaan Pruys commented on WICKET-4407:
----------------------------------------

I also don't like to care about the maximum segment size, but changing the registry key is considered extremely dangerous (according to the note on the Microsoft KB article).

Could you please reconsider?

- Changing this registry key is considered extremely dangerous (according to Microsoft)
- There are environments (e.g. in large organizations) where these settings are out of control of the application developer (and are not changed for 1 application).
- With the Bookmarkable mapper the developer can control the maximum segment length. This cannot be done with the CryptoMapper because the whole url (all segments with all request parameters) is encrypted into one big segment.
                

        

[jira] [Commented] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213608#comment-13213608 ] 

Jurriaan Pruys commented on WICKET-4407:
----------------------------------------

The KB table with registry keys has a column 'WARNING code'; below the table there's a section explaining the code. (I cannot agree with your opinion about Windows. It is also not for playing games :-)

I think my Mapper implementation handles the relative urls the same as the original implementation. I'll post my thoughts on the dev list to discuss.

                

        

[jira] [Commented] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Martin Grigorov (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213594#comment-13213594 ] 

Martin Grigorov commented on WICKET-4407:
-----------------------------------------

Where exactly in the article did you see that changing 'UrlSegmentMaxLength' is extremely dangerous?
Windows is to play games on it. Don't use it for business :-)

You can use your version of CryptoMapper if it serves you well.
The current implementation of Wicket's CryptoMapper produces these urls to be able to handle relative urls in .css files (which are not manipulated by Wicket). Touching this logic will break a lot more applications already in production.

I also don't like that Windows sys admins don't want to upgrade IE installations to something more modern and I have to write ugly hacks just to support strange problems in IE6/7/8 but ... C'est la vie :-/

Feel free to raise your problem at dev@wicket.apache.org. Maybe someone else will see a better solution.
                

        

[jira] [Updated] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jurriaan Pruys updated WICKET-4407:
-----------------------------------

    Attachment: CryptoMapper.java

Based on the original CryptoMapper, but has an additional
preventExceedingIisUrlMaxSegmentLength option.

The mapper will maximize the segment size when 'preventExceedingIisUrlMaxSegmentLength' is enabled:

Encrypted url <= max: same behavior as original CryptoMapper ==> encrypted url + hashed segments
 
Encrypted url > max: encrypted url is put into multiple parts ==> segment count indicator with segment count + segments with encrypted url parts + hashed segments
                

        
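The splitting scheme described in the message above (a count indicator followed by parts of the encrypted url), as an added Java example; it is not the attached CryptoMapper.java and not Wicket code. The `~` indicator format, the 32-part cap and the class name are assumptions, the token is assumed to be URL-safe Base64, and the trailing hashed segments are left out.

```java
import java.util.ArrayList;
import java.util.List;

/** Added illustration; not the CryptoMapper.java attached to WICKET-4407. */
public class SegmentSplitter {
    // 260 is the IIS default maximum segment length quoted in the issue.
    static final int MAX_SEGMENT = 260;
    // Hypothetical indicator: '~' is URL-safe but outside the URL-safe Base64
    // alphabet, so an unsplit token can never be mistaken for an indicator.
    static final String COUNT_PREFIX = "~";
    // Assumed cap so a forged indicator cannot force unbounded reassembly.
    static final int MAX_PARTS = 32;

    /** Returns the token as one segment if it fits, else indicator + parts. */
    static List<String> split(String token) {
        List<String> out = new ArrayList<>();
        if (token.length() <= MAX_SEGMENT) {
            out.add(token);
            return out;
        }
        int parts = (token.length() + MAX_SEGMENT - 1) / MAX_SEGMENT;
        if (parts > MAX_PARTS) {
            throw new IllegalArgumentException("token needs too many segments");
        }
        out.add(COUNT_PREFIX + parts);
        for (int i = 0; i < token.length(); i += MAX_SEGMENT) {
            out.add(token.substring(i, Math.min(token.length(), i + MAX_SEGMENT)));
        }
        return out;
    }

    /** Rebuilds the token from the leading segments; null if malformed. */
    static String join(List<String> segments) {
        if (segments.isEmpty()) return null;
        String first = segments.get(0);
        if (!first.startsWith(COUNT_PREFIX)) {
            // Unsplit form: the first segment is the whole token.
            return first.length() <= MAX_SEGMENT ? first : null;
        }
        // Canonical decimal count only: no sign, no leading zero.
        if (!first.matches("~[1-9][0-9]?")) return null;
        int parts = Integer.parseInt(first.substring(COUNT_PREFIX.length()));
        if (parts < 2 || parts > MAX_PARTS || segments.size() < parts + 1) return null;
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i <= parts; i++) {
            String s = segments.get(i);
            // Every part but the last must be exactly full; the last is 1..260.
            boolean full = s.length() == MAX_SEGMENT;
            if (s.isEmpty() || s.length() > MAX_SEGMENT || (i < parts && !full)) return null;
            sb.append(s);
        }
        // Segments after index 'parts' (e.g. hashed segments) are ignored here.
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed stand-in for an encrypted, Base64-encoded url (700 chars).
        String token = new String(new char[700]).replace('\0', 'A');
        List<String> segs = split(token);
        System.out.println(segs.size() + " segments, indicator " + segs.get(0));
        System.out.println("round trip ok: " + token.equals(join(segs)));
        // A forged indicator claiming more parts than are present is rejected.
        segs.set(0, "~9");
        System.out.println("forged count rejected: " + (join(segs) == null));
    }
}
```

The reassembled string still has to pass decryption before it is trusted; the length and count checks only keep malformed paths from reaching that step.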

[jira] [Updated] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jurriaan Pruys updated WICKET-4407:
-----------------------------------

    Attachment: CryptoMapper.java

Example implementation that uses a boolean 'useParameter' argument.
                

        

[jira] [Updated] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jurriaan Pruys updated WICKET-4407:
-----------------------------------

    Remaining Estimate:     (was: 4h)
     Original Estimate:     (was: 4h)
    

        

[jira] [Commented] (WICKET-4407) Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad request' when using IIS

Posted by "Jurriaan Pruys (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13207694#comment-13207694 ] 

Jurriaan Pruys commented on WICKET-4407:
----------------------------------------

Found an issue with my implementation (doesn't work with image references in a CSS). Start to work on an example which creates smaller segments.
                