[ https://issues.apache.org/jira/browse/WICKET-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12735080#action_12735080 ]

Johan Compagner commented on WICKET-2397:
-----------------------------------------

We could do this:

if (input == null && !isInputNullable() && !isEnabled())

I do hope that then everybody does use enabled on the server side and not 
something purely in markup..

> Major security hole affecting required text fields
> --------------------------------------------------
>
>                 Key: WICKET-2397
>                 URL: https://issues.apache.org/jira/browse/WICKET-2397
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.7, 1.4-M1, 1.4-M2, 1.4-M3, 1.4-RC1, 1.4-RC2, 
> 1.4-RC3, 1.4-RC4, 1.4-RC5, 1.4-RC6, 1.4-RC7
>            Reporter: Jörn Zaefferer
>            Priority: Blocker
>         Attachments: nullable-test.zip
>
>
> AbstractTextComponent overrides isInputNullable to return false, instead of 
> the default true, defined in FormComponent. FormComponent#checkRequired uses 
> isInputNullable to check if an input was disabled. That makes it possible to 
> submit a form with a required field without that field, completely skipping 
> the validation (the form's onSubmit is called). We consider this a wide open 
> security hole, as basically any form with a required text field, relying on 
> the required-validation, is affected.
> The hole can easily be exploited by not removing certain fields from a form 
> submit, e.g. by removing them from the DOM via Firebug (then doing a regular 
> submit), or forging the complete request with an appropriate tool.
> From what is commented on isInputNullable, it seems like the check should 
> actually be replaced with an actual check of the enabled/disabled 
> methods/properties. A required input is only optional when it is actually 
> not enabled (on the server side), not just because its key/value pair is 
> missing in the request.
> I'll attach a test application.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
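The flaw described in the report, and the condition proposed in the comment above, reduce to one question: does the server decide that a required field is optional because the key is absent from the request, or because the component is actually disabled on the server side? The following is an added, self-contained model of that logic written for this page; it is not Wicket's code. The class and method names (FormComponent, checkRequired, isInputNullable, isEnabled) only mirror the identifiers named on the page, and their bodies, as well as the "username" field and the request dictionaries, are constructed for illustration.

```python
"""Model of the required-field check discussed in WICKET-2397.

Constructed example, not Wicket's implementation: method names mirror the
identifiers on the page, bodies are assumptions written to show the flaw.
"""
from typing import Dict, Optional


class FormComponent:
    """A required text-style input, as seen from the server side."""

    def __init__(self, name: str, required: bool = True, enabled: bool = True):
        self.name = name
        self.required = required
        self.enabled = enabled          # server-side state, set by the app
        self.input: Optional[str] = None

    def is_input_nullable(self) -> bool:
        # Text components answer False: a rendered text field always sends
        # its key, so a missing key "should" only mean the field was disabled.
        return False

    def is_enabled(self) -> bool:
        return self.enabled

    def bind_request(self, params: Dict[str, str]) -> None:
        # Missing key -> None; present but empty -> "" (distinct cases).
        self.input = params.get(self.name)

    def check_required_vulnerable(self) -> bool:
        """Behaviour the report describes: a missing key is trusted as
        evidence that the field was disabled, so validation is skipped."""
        if self.required:
            if self.input is None and not self.is_input_nullable():
                return True          # assumed disabled; no check performed
            if not self.input:       # None or "" -> required check fails
                return False
        return True

    def check_required_fixed(self) -> bool:
        """Condition proposed in the comment: only skip the check when the
        component is genuinely disabled on the server side."""
        if self.required:
            if (self.input is None and not self.is_input_nullable()
                    and not self.is_enabled()):
                return True          # disabled by the application itself
            if not self.input:
                return False
        return True


def submit(params: Dict[str, str], enabled: bool = True,
           check: str = "fixed") -> bool:
    """Bind a constructed request to a required 'username' field and return
    whether the required check passes under the chosen implementation."""
    field = FormComponent("username", required=True, enabled=enabled)
    field.bind_request(params)
    if check == "vulnerable":
        return field.check_required_vulnerable()
    return field.check_required_fixed()


if __name__ == "__main__":
    # Forged request: the attacker simply omits the key entirely.
    forged = {"other": "x"}
    print("vulnerable:", submit(forged, check="vulnerable"))   # True: bypass
    print("fixed:     ", submit(forged, check="fixed"))        # False
```

Note the consequence the comment points at: with the fixed condition, a field that is "disabled" only in the markup (the server still has enabled=True) and therefore sends no key now fails the required check, which is exactly the intended outcome. Disabling must be done with the server-side enabled state for the bypass to be treated as legitimate.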