[ https://issues.apache.org/jira/browse/WICKET-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Vaynberg updated WICKET-2397:
----------------------------------

    Priority: Major  (was: Blocker)
     Summary: required text fields do not honor isrequired()  (was: Major security hole affecting required text fields)

That was a joke, right? A *MAJOR* *SECURITY* hole?

How is this a security hole? How can I hack your server using this? The worst this can do is throw an NPE.



> required text fields do not honor isrequired()
> ----------------------------------------------
>
>                 Key: WICKET-2397
>                 URL: https://issues.apache.org/jira/browse/WICKET-2397
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.7, 1.4-M1, 1.4-M2, 1.4-M3, 1.4-RC1, 1.4-RC2, 1.4-RC3, 1.4-RC4, 1.4-RC5, 1.4-RC6, 1.4-RC7
>            Reporter: Jörn Zaefferer
>         Attachments: nullable-test.zip
>
>
> AbstractTextComponent overrides isInputNullable to return false, instead of 
> the default true, defined in FormComponent. FormComponent#checkRequired uses 
> isInputNullable to check if an input was disabled. That makes it possible to 
> submit a form with a required field without that field, completely skipping 
> the validation (the form's onSubmit is called). We consider this a wide open 
> security hole, as basically any form with a required text field, relying on 
> the required validation, is affected.
> The hole can easily be exploited by not removing certain fields from a form 
> submit, e.g. by removing them from the DOM via Firebug (then doing a regular 
> submit), or forging the complete request with an appropriate tool.
> From what is commented on isInputNullable, it seems like the check should 
> actually be replaced with an actual check of enabled/disabled 
> methods/properties. A required input is only optional when it is actually 
> not enabled (on the server side), not just because its key/value pair is 
> missing in the request.
> I'll attach a test application.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
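The check the report describes, as a simplified Java model added here rather than Wicket's own code: a stand-in FormComponent/TextField pair where checkRequiredVulnerable reproduces the reported logic (a missing parameter on a non-nullable text component is assumed to come from a disabled field) and checkRequiredFixed applies the server-side enabled check the reporter proposes. The RequiredCheckDemo class, the enabled/isEnabled flag, the two method names and the Map-based request are assumptions of this model.

```java
import java.util.HashMap;
import java.util.Map;
// Simplified stand-in for the Wicket classes named in the report; not Wicket's code.
public class RequiredCheckDemo {
    /** Model of FormComponent: one request parameter, a required flag and an assumed server-side enabled flag. */
    static class FormComponent {
        final String name;
        final boolean required;
        boolean enabled = true;

        FormComponent(String name, boolean required) { this.name = name; this.required = required; }
        boolean isRequired() { return required; }
        boolean isEnabled() { return enabled; }
        /** Default: a missing parameter can be a legitimate state (e.g. an unchecked checkbox). */
        boolean isInputNullable() { return true; }

        /** Vulnerable variant: a missing parameter on a non-nullable component is taken to mean "disabled". */
        boolean checkRequiredVulnerable(Map<String, String> request) {
            if (!isRequired()) return true;
            String input = request.get(name);
            if (input == null && !isInputNullable()) {
                return true; // assumed to come from a disabled field, so required validation is skipped
            }
            return input != null && !input.trim().isEmpty();
        }

        /** Hardened variant: only a component that is actually disabled server-side is exempt. */
        boolean checkRequiredFixed(Map<String, String> request) {
            if (!isRequired() || !isEnabled()) return true;
            String input = request.get(name);
            return input != null && !input.trim().isEmpty();
        }
    }

    /** Text components declare that their parameter is never legitimately absent. */
    static class TextField extends FormComponent {
        TextField(String name, boolean required) { super(name, required); }
        @Override boolean isInputNullable() { return false; }
    }

    public static void main(String[] args) {
        TextField email = new TextField("email", true);
        Map<String, String> tampered = new HashMap<>(); // constructed request with the "email" parameter stripped
        System.out.println("vulnerable check passes: " + email.checkRequiredVulnerable(tampered));
        System.out.println("hardened check passes:   " + email.checkRequiredFixed(tampered));
        email.enabled = false; // the field really is disabled on the server
        System.out.println("hardened, disabled:      " + email.checkRequiredFixed(tampered));
    }
}
```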
