Entering huge strings in TextFields causes IllegalStateExceptions not caught by 
the Framework
---------------------------------------------------------------------------------------------

                 Key: WICKET-3498
                 URL: https://issues.apache.org/jira/browse/WICKET-3498
             Project: Wicket
          Issue Type: Bug
          Components: wicket-core
    Affects Versions: 1.4.16, 1.4.15, 1.4.17
         Environment: Wicket 1.4.x/Spring/Jetty 6
            Reporter: Georg Hartner


We were testing a sign-in mechanism and entered a huge number of chars (more 
than 200.000) in the "username" and "password" fields contained by a form. 
This results in an IllegalStateException thrown by Jetty, which is ok from my 
point of view. The problem is that the full exception stack trace (!!!) is 
shown to the client => the resulting execution leaves the scope of the Wicket 
framework, which can't handle the exception correctly. Error Page and Stack 
Trace for Jetty 6 and Wicket 1.4.15:

HTTP ERROR 500

Problem accessing /login/wicket:interface/:0:loginPanel:signInForm::IFormSubmitListener::. Reason:

    Form too large3791446>200000

Caused by:

java.lang.IllegalStateException: Form too large3791446>200000
        at org.mortbay.jetty.Request.extractParameters(Request.java:1561)
        at org.mortbay.jetty.Request.getParameter(Request.java:859)
        at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:83)
        at org.apache.wicket.protocol.http.WebApplication.newWebRequest(WebApplication.java:675)
        at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:424)
        at org.apache.wicket.protocol.http.WicketServlet.doPost(WicketServlet.java:160)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
        at {filter}
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
        at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
        at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:713)
        at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

We suggest an easy fix: catch the IllegalStateException in line 83 of 
org.apache.wicket.protocol.http.servlet.ServletWebRequest and just log an error 
(please check whether it really has to be an error to be logged). In effect no 
ajaxHeader will be read and Wicket's Internal Error page will be shown:

Possible solution in Wicket 1.4.15, 1.4.17 (didn't check 1.4.16), 
ServletWebRequest, line 83:
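                try
                {
                        // getParameter() makes the container parse the form body, which is
                        // where Jetty throws the IllegalStateException for oversized forms.
                        if (Strings.isEmpty(ajaxHeader))
                                ajaxHeader = httpServletRequest.getParameter("wicket:ajax");
                }
                catch (IllegalStateException exception)
                {
                        log.error("IllegalStateException occurred reading \"wicket:ajax\"-Parameter: " +
                                exception.getMessage());
                }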

Please consider checking Wicket 1.5. I just checked ServletWebRequest, which 
has apparently been refactored. Line 214 (Enumeration<String> e = 
httpServletRequest.getHeaders(name);) may be critical, as well as the methods 
protected Map<String, List<StringValue>> generatePostParameters() and 
getQueryParameters(). I couldn't check that yet. Please let me know if you 
want me to analyze that error more intensely and suggest a fix in Wicket 1.5. 
We consider this bug "Major" or "Critical", as the whole Servlet Container 
StackTrace is potentially displayed.

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
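
Added example, not part of the original report and not Wicket code: one way to keep the container's stack trace away from the client regardless of the Wicket version is a servlet filter mapped ahead of WicketFilter that forces parameter parsing inside its own try/catch. The class name, the 200000-byte constant (taken from the Jetty message in the report) and the response text are assumptions.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical guard filter; map it in web.xml before WicketFilter. */
public class OversizedFormGuardFilter implements Filter {
    private static final Logger LOG = Logger.getLogger("OversizedFormGuardFilter");
    // Assumption: mirrors the 200000-byte limit shown in the Jetty error message.
    private static final int MAX_FORM_BYTES = 200000;

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String type = request.getContentType();
        boolean isForm = type != null && type.toLowerCase(Locale.ROOT)
                .startsWith("application/x-www-form-urlencoded");
        if (isForm) {
            // Reject on the declared length before any parameter parsing happens.
            if (request.getContentLength() > MAX_FORM_BYTES) {
                reject(response);
                return;
            }
            try {
                // Forces the container to parse the body here, so a post without a
                // Content-Length still hits the container limit inside this try block.
                request.getParameter("wicket:ajax");
            } catch (IllegalStateException e) {
                LOG.warning("Rejected oversized form post: " + e.getMessage());
                reject(response);
                return;
            }
        }
        chain.doFilter(request, response);
    }

    private static void reject(HttpServletResponse response) throws IOException {
        // Fixed body: no exception message or stack trace reaches the client.
        response.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
        response.setContentType("text/plain");
        response.getWriter().write("Request too large.");
    }
}
```

The exception detail is written to the server log only; the client receives a 413 with a constant body.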

        
