[ https://issues.apache.org/jira/browse/WICKET-2397?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12838890#action_12838890 ]

Joseph Pachod commented on WICKET-2397:
---------------------------------------

Hi

After stumbling on the same bug and finally discovering it as well as this 
issue, I didn't see the fix suggested by Johan and coded by Jörn in Wicket 
1.4.3 and in the subversion trunk.

Is it normal?

thanks in advance



> text fields do not honor isrequired()
> -------------------------------------
>
>                 Key: WICKET-2397
>                 URL: https://issues.apache.org/jira/browse/WICKET-2397
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.3.7, 1.4-M1, 1.4-M2, 1.4-M3, 1.4-RC1, 1.4-RC2, 
> 1.4-RC3, 1.4-RC4, 1.4-RC5, 1.4-RC6, 1.4-RC7
>            Reporter: Jörn Zaefferer
>            Assignee: Igor Vaynberg
>             Fix For: 1.4.1
>
>         Attachments: nullable-test.zip, WICKET-2397-isnullable-enabled.patch
>
>
> AbstractTextComponent overrides isInputNullable to return false, instead of 
> the default true, defined in FormComponent. FormComponent#checkRequired uses 
> isInputNullable to check if an input was disabled. That makes it possible to 
> submit a form with a required field without that field, completely skipping 
> the validation (the form's onSubmit is called). We consider this a wide open 
> security hole, as basically any form with a required text field, relying on 
> the required-validation, is affected.
> The hole can easily be exploited by not removing certain fields from a form 
> submit, e.g. by removing them from the DOM via Firebug (then doing a regular 
> submit), or forging the complete request with an appropriate tool.
> From what is commented on isInputNullable, it seems like the check should 
> actually be replaced with an actual check of enabled/disabled 
> methods/properties. A required input is only optional when it is actually 
> not enabled (on the server side), not just because its key/value pair is 
> missing in the request.
> I'll attach a test application.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

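The quoted report describes the mechanism in prose: a component whose isInputNullable() returns false makes checkRequired treat a missing request key as "the input was disabled", so a required field that is simply absent from the request passes validation. The following is an added illustration written for this page, not Wicket's own code: the TextField class, its field names and the two check methods are simplified stand-ins modelled on the identifiers the issue names (AbstractTextComponent, FormComponent#checkRequired, isInputNullable), and the request map is a constructed sample. It shows the flawed check beside the server-side enabled check the reporter proposes, so a reviewer can see why only the latter is a safe basis for making a required field optional.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration of WICKET-2397, not Wicket source. Names are assumptions
// modelled on the identifiers in the issue; the request map is constructed.
public class RequiredCheckDemo {

    /** Minimal stand-in for a required text form component. */
    static class TextField {
        final String name;
        final boolean required;
        final boolean enabled; // server-side state, set by the application

        TextField(String name, boolean required, boolean enabled) {
            this.name = name;
            this.required = required;
            this.enabled = enabled;
        }

        /** Per the issue, the text component returns false here (default is true). */
        boolean isInputNullable() {
            return false;
        }

        /**
         * Flawed logic described in the report: a non-nullable input whose key is
         * missing from the request is assumed to have been disabled, so the
         * required check is skipped and the form submits without the value.
         */
        boolean checkRequiredFlawed(Map<String, String> request) {
            if (!required) {
                return true;
            }
            if (!isInputNullable() && !request.containsKey(name)) {
                return true; // inferred "disabled" from client-supplied absence
            }
            String value = request.get(name);
            return value != null && !value.trim().isEmpty();
        }

        /**
         * Check the reporter suggests: only the server-side enabled state may make a
         * required field optional. Whether the client included the key is irrelevant.
         */
        boolean checkRequiredFixed(Map<String, String> request) {
            if (!required || !enabled) {
                return true;
            }
            String value = request.get(name);
            return value != null && !value.trim().isEmpty();
        }
    }

    public static void main(String[] args) {
        TextField email = new TextField("email", true, true);

        // Constructed request: the required "email" key is absent entirely,
        // as it would be if the field were dropped from the form before submit.
        Map<String, String> requestWithoutField = new HashMap<>();
        requestWithoutField.put("name", "alice");

        // Constructed request: the field is present but empty.
        Map<String, String> requestWithEmptyField = new HashMap<>();
        requestWithEmptyField.put("name", "alice");
        requestWithEmptyField.put("email", "");

        System.out.println("missing key, flawed check passes: "
                + email.checkRequiredFlawed(requestWithoutField));
        System.out.println("missing key, fixed check passes:  "
                + email.checkRequiredFixed(requestWithoutField));
        System.out.println("empty value, flawed check passes: "
                + email.checkRequiredFlawed(requestWithEmptyField));
        System.out.println("empty value, fixed check passes:  "
                + email.checkRequiredFixed(requestWithEmptyField));
    }
}
```

Running main shows the two checks agreeing when the field is present but empty, and diverging only when the key is missing altogether: the flawed check accepts the submission, the fixed one rejects it. The design point is the one the report makes: a presence-or-absence signal in the request is under the client's control, whereas the component's enabled flag is set on the server, so only the latter may relax a required constraint.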