Major security hole affecting required text fields
--------------------------------------------------
Key: WICKET-2397
URL: https://issues.apache.org/jira/browse/WICKET-2397
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.4-RC7, 1.4-RC6, 1.4-RC5, 1.4-RC4, 1.4-RC3, 1.4-RC2,
1.4-RC1, 1.4-M3, 1.4-M2, 1.4-M1, 1.3.7
Reporter: Jörn Zaefferer
Priority: Blocker
AbstractTextComponent overrides isInputNullable to return false, instead of the
default true, defined in FormComponent. FormComponent#checkRequired uses
isInputNullable to check if an input was disabled. That makes it possible to
submit a form with a required field without that field, completely skipping the
validation (forms onSubmit is called). We consider this a wide open security
hole, as basically any form with a required text field, relying on the
required-validation, is affected.
The hole can easily be exploited by not removing certain fields from a form
submit, eg. by removing them from the DOM via Firebug (then doing a regular
submit), or forging the complete request with an appropriate tool.
From what is commented on isInputNullable, it seems like the check should
actually be replaced with an actual check of enabled/disabled
methods/properties. A required input is only optional when it is actually not
enabled (on the server side), not just because its key/value pair is missing in
the request.
I'll attach a test application.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
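The mechanism the report describes, modelled as an added example. This is not Wicket's code and not the test application attached to the issue: it is a minimal Python re-implementation of the required check as the report describes it (a null input on a non-nullable text component is taken as proof the field was disabled, so validation is skipped), placed beside a variant that follows the reporter's suggestion and consults the component's server-side enabled state instead. Class and function names (FormComponent, TextField, check_required_reported, check_required_server_side, parse_form_body, run_scenarios) are this example's own, and the request bodies are constructed for the demonstration; the "forged" body is what the browser sends once the required input has been deleted from the DOM, or what a hand-crafted POST can omit.

```python
"""Model of the required-field bypass described in WICKET-2397.

Added illustration, not Wicket's own code.  Names below are this example's
own stand-ins for the Wicket classes the report mentions.
"""
from typing import Dict, Optional
from urllib.parse import parse_qsl


def parse_form_body(body: str) -> Dict[str, str]:
    """Parse an application/x-www-form-urlencoded body into {name: value}.

    keep_blank_values=True keeps 'email=' as '' (field present but empty);
    a name that is absent from the body is absent from the dict, which the
    components below report as a None input, exactly like a field the
    browser never sent.
    """
    return dict(parse_qsl(body, keep_blank_values=True))


class FormComponent:
    """Stand-in for Wicket's FormComponent: a required flag plus the
    server-side enabled state, which the client cannot influence."""

    def __init__(self, name: str, required: bool = False, enabled: bool = True):
        self.name = name
        self.required = required
        self.enabled = enabled

    def is_input_nullable(self) -> bool:
        # FormComponent's default, as the report states.
        return True

    def get_input(self, request: Dict[str, str]) -> Optional[str]:
        # None when the key/value pair is missing from the request.
        return request.get(self.name)


class TextField(FormComponent):
    """Stand-in for AbstractTextComponent, which overrides isInputNullable
    to return false: a rendered text field normally always posts a value,
    so a missing value was assumed to mean the input was disabled."""

    def is_input_nullable(self) -> bool:
        return False


def check_required_reported(component: FormComponent, request: Dict[str, str]) -> bool:
    """The check as the report describes it.  A missing value on a
    non-nullable input is treated as a disabled field and validation is
    skipped, so an attacker who simply omits the parameter passes."""
    if not component.required:
        return True
    value = component.get_input(request)
    if value is None and not component.is_input_nullable():
        return True  # assumed disabled on the client: not validated
    return bool(value and value.strip())


def check_required_server_side(component: FormComponent, request: Dict[str, str]) -> bool:
    """Variant following the reporter's suggestion (an illustration, not the
    fix the project shipped): a required field is optional only when the
    component is actually disabled on the server, never merely because its
    key/value pair is absent from the request."""
    if not component.required or not component.enabled:
        return True
    value = component.get_input(request)
    return bool(value and value.strip())


def run_scenarios() -> Dict[str, tuple]:
    """Run both checks over constructed submissions of a required 'email'
    text field.  Each value is (reported_check, server_side_check)."""
    field = TextField("email", required=True, enabled=True)
    disabled_field = TextField("email", required=True, enabled=False)

    # Constructed request bodies for the demonstration.
    honest = parse_form_body("name=Bob&email=bob%40example.org")
    empty = parse_form_body("name=Bob&email=")      # field present, left blank
    forged = parse_form_body("name=Bob")            # field removed from DOM / omitted by crafted POST

    return {
        "honest": (check_required_reported(field, honest),
                   check_required_server_side(field, honest)),
        "empty": (check_required_reported(field, empty),
                  check_required_server_side(field, empty)),
        "forged": (check_required_reported(field, forged),
                   check_required_server_side(field, forged)),
        # Same forged body, but the component really is disabled server-side.
        "disabled": (check_required_reported(disabled_field, forged),
                     check_required_server_side(disabled_field, forged)),
    }


if __name__ == "__main__":
    for name, (reported, server_side) in run_scenarios().items():
        print(f"{name:9s} reported={reported!s:5s} server_side={server_side}")
```

The "forged" row is the hole: the check as described accepts the submission because the parameter is absent, while the server-side variant rejects it, since the component is enabled and the form still reaches onSubmit without a value. The "disabled" row shows the two variants agree when the field is genuinely disabled on the server, which is the only case in which skipping the required check is legitimate.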