[ 
https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jurriaan Pruys updated WICKET-4407:
-----------------------------------

    Attachment: CryptoMapper.java

Based on the original CryptoMapper, but has an additional
preventExceedingIisUrlMaxSegmentLength option.

The mapper will maximize the segment size when
'preventExceedingIisUrlMaxSegmentLength' is enabled:

Encrypted url <= max: same behavior as original CryptoMapper ==> encrypted url
+ hashed segments

Encrypted url > max: encrypted url is put into multiple parts ==> segment count
indicator with segment count + segments with encrypted url parts + hashed
segments

> Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad 
> request' when using IIS
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4407
>                 URL: https://issues.apache.org/jira/browse/WICKET-4407
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.5.4
>         Environment: IIS
>            Reporter: Jurriaan Pruys
>            Priority: Minor
>         Attachments: CryptoMapper.java
>
>
> CryptoMapper encrypts the whole Url into a single segment. As a result the 
> encrypted url segment can be very long (> 260 characters). The default 
> maximum url segment size for IIS is 260 characters (see 
> http://support.microsoft.com/kb/820129). The warning note for changing this 
> default is "Changing this registry key is considered extremely dangerous. 
> This key causes Http.sys to use more memory and may increase vulnerability to 
> malicious attacks." 
> I've created my own CryptoMapper that puts the encrypted request in a request 
> parameter. This works fine, but it would be nice to have this as a 
> (configurable | default) behavior of CryptoMapper.
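The split-and-rejoin scheme described in the update above (count indicator, encrypted parts no longer than the IIS default of 260 characters, then the hashed filler segments), worked through as an added, stand-alone example. This is not the attached CryptoMapper.java and not Wicket code: the `~N` count-indicator marker, the `MAX_PARTS` bound, the truncated-SHA-256 filler scheme and the assumption that the encrypted text is URL-safe base64 are all choices made for this illustration. The decoder deliberately refuses a count it cannot honour rather than guessing, so a malformed or tampered path fails closed.

```python
import hashlib
import string

# Default Http.sys per-segment limit cited in the issue (KB 820129).
IIS_MAX_SEGMENT_LENGTH = 260

# Assumption for this example: the encrypted form is URL-safe base64, whose
# alphabet never contains '~', so a leading '~' unambiguously marks a
# multi-part URL. Real CryptoMapper output may use a different encoding.
URLSAFE_ALPHABET = set(string.ascii_letters + string.digits + "-_")
COUNT_MARKER = "~"

# Defensive upper bound on announced parts (assumed value), so a hostile
# count indicator cannot make the decoder reserve or scan unbounded work.
MAX_PARTS = 64

# Constructed sample: 700 characters of URL-safe base64-looking text.
SAMPLE_ENCRYPTED = "Zx9-_" * 140


def hashed_segment(encrypted, index):
    """One filler segment per remaining original path segment, so the mapped
    URL keeps the same depth and relative links still resolve. The filler is
    a truncated SHA-256 over the encrypted text and the segment index; this
    derivation is an assumption of the example, not Wicket's."""
    digest = hashlib.sha256(f"{encrypted}:{index}".encode()).hexdigest()
    return digest[:16]


def encode_segments(encrypted, original_segment_count,
                    max_len=IIS_MAX_SEGMENT_LENGTH):
    """Build the path segments carrying `encrypted`.

    len <= max_len: [encrypted] + hashed segments (original CryptoMapper shape)
    len >  max_len: [~N, part_1 .. part_N] + hashed segments, each part <= max_len
    """
    if max_len < 1:
        raise ValueError("max_len must be positive")
    if not encrypted or any(c not in URLSAFE_ALPHABET for c in encrypted):
        raise ValueError("encrypted text must be non-empty URL-safe base64")
    fillers = [hashed_segment(encrypted, i)
               for i in range(1, original_segment_count)]
    if len(encrypted) <= max_len:
        return [encrypted] + fillers
    parts = [encrypted[i:i + max_len]
             for i in range(0, len(encrypted), max_len)]
    if len(parts) > MAX_PARTS:
        raise ValueError("encrypted URL needs more parts than MAX_PARTS")
    return [f"{COUNT_MARKER}{len(parts)}"] + parts + fillers


def decode_segments(segments):
    """Inverse of encode_segments: returns (encrypted, hashed_segments).

    Fails closed on anything malformed: a count that is not a small positive
    integer, fewer parts than announced, or trailing segments that are not the
    expected fillers."""
    if not segments:
        raise ValueError("empty path")
    head = segments[0]
    if head.startswith(COUNT_MARKER):
        try:
            count = int(head[len(COUNT_MARKER):])
        except ValueError:
            raise ValueError("malformed count indicator") from None
        if count < 2 or count > MAX_PARTS:
            raise ValueError("segment count out of range")
        parts = segments[1:1 + count]
        if len(parts) != count:
            raise ValueError("fewer parts than announced")
        encrypted, rest = "".join(parts), segments[1 + count:]
    else:
        encrypted, rest = head, segments[1:]
    for index, seg in enumerate(rest, start=1):
        if seg != hashed_segment(encrypted, index):
            raise ValueError(f"hashed segment {index} does not verify")
    return encrypted, rest


def fits_iis(segments, max_len=IIS_MAX_SEGMENT_LENGTH):
    """True when no segment would trip the Http.sys per-segment limit."""
    return all(len(s) <= max_len for s in segments)


if __name__ == "__main__":
    segs = encode_segments(SAMPLE_ENCRYPTED, original_segment_count=3)
    print([len(s) for s in segs], "fits IIS default:", fits_iis(segs))
    print(decode_segments(segs)[0] == SAMPLE_ENCRYPTED)
```

With the 700-character sample and three original path segments this yields a `~3` indicator, parts of 260, 260 and 180 characters, and two filler segments; a short encrypted value keeps the single-segment shape of the original mapper. Encrypted text placed in the path this way is still subject to the server's total URL length limit, which the split does not change.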

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
