[jira] Commented: (WICKET-3106) Security: Possible Redirection to foreign Page by using BrowserInfoPage's PageParameter

Hudson (JIRA) Thu, 14 Oct 2010 12:27:57 -0700

    [ 
https://issues.apache.org/jira/browse/WICKET-3106?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12921091#action_12921091
 ]


Hudson commented on WICKET-3106:
--------------------------------

Integrated in Apache Wicket 1.5.x #402 (See 
[https://hudson.apache.org/hudson/job/Apache%20Wicket%201.5.x/402/])
    Issue: WICKET-3106


> Security: Possible Redirection to foreign Page by using BrowserInfoPage's 
> PageParameter 
> ----------------------------------------------------------------------------------------
>
>                 Key: WICKET-3106
>                 URL: https://issues.apache.org/jira/browse/WICKET-3106
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.12
>            Reporter: Thomas Aulinger
>            Assignee: Igor Vaynberg
>            Priority: Critical
>             Fix For: 1.4.13, 1.5-M3
>
>   Original Estimate: 2h
>  Remaining Estimate: 2h
>
> By link manipulation as a BookmarkableLink it is possible to redirect a User 
> to  foreign pages (probably without users notice).
> Example:
> http://wicketstuff.org/wicket14/compref/?wicket:bookmarkablePage=:org.apache.wicket.markup.html.pages.BrowserInfoPage&cto=http://www.google.de
> Reason:
> "Fallback"- Constructor in 
> org.apache.wicket.markup.html.pages.BrowserInfoPage  accepts every "cto" 
> -PageParameter unevaluated regarding protocol prefex.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (WICKET-3106) Security: Possible Redirection to foreign Page by using BrowserInfoPage's PageParameter

Reply via email to