[ 
https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213589#comment-13213589
 ] 

Jurriaan Pruys commented on WICKET-4407:
----------------------------------------

I also don't like to care about the maximum segment size, but changing the 
registry key is considered extremely dangerous (according to the note on the 
Microsoft KB article).

Could you please reconsider?

- Changing this registry key is considered extremely dangerous (according to 
Microsoft).
- There are environments (e.g. in large organizations) where these settings are 
out of the control of the application developer (and are not changed for one 
application).
- With the Bookmarkable mapper the developer can control the maximum segment 
length. This cannot be done with the CryptoMapper because the whole url (all 
segments with all request parameters) is encrypted into one big segment.
                
> Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad 
> request' when using IIS
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4407
>                 URL: https://issues.apache.org/jira/browse/WICKET-4407
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.5.4
>         Environment: IIS
>            Reporter: Jurriaan Pruys
>            Priority: Minor
>         Attachments: CryptoMapper.java
>
>
> CryptoMapper encrypts the whole Url into a single segment. As a result the 
> encrypted url segment can be very long (> 260 characters). The default 
> maximum url segment size for IIS is 260 characters (see 
> http://support.microsoft.com/kb/820129). The warning note for changing this 
> default is "Changing this registry key is considered extremely dangerous. 
> This key causes Http.sys to use more memory and may increase vulnerability to 
> malicious attacks." 
> I've created my own CryptoMapper that puts the encrypted request in a request 
> parameter. This works fine, but it would be nice to have this as a 
> (configurable | default) behavior of CryptoMapper.
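As an added illustration (not code from Wicket or from the reporter's attached CryptoMapper.java), the following Python check compares the two URL layouts discussed in this issue against IIS's default 260-character URL-segment limit. The "encryption" is a labelled stand-in (URL-safe base64) that only reproduces how the token length grows with the plaintext; the sample URL, host and parameter name `crypt` are constructed.

```python
"""Compare a single-segment encrypted URL with a query-parameter layout
against IIS's default maximum URL segment length (KB 820129)."""
import base64
from urllib.parse import urlsplit, urlencode

IIS_DEFAULT_SEGMENT_MAX = 260  # UrlSegmentMaxLength default per KB 820129


def fake_encrypt(plain_url: str) -> str:
    # Stand-in for CryptoMapper's encryption (NOT real encryption): yields a
    # URL-safe token whose length grows with the plaintext, which is all that
    # matters for the segment-length problem.
    return base64.urlsafe_b64encode(plain_url.encode()).decode().rstrip("=")


def single_segment_url(base: str, plain_url: str) -> str:
    # CryptoMapper-style layout: the whole encrypted URL is one path segment.
    return f"{base}/{fake_encrypt(plain_url)}"


def query_param_url(base: str, plain_url: str, param: str = "crypt") -> str:
    # Workaround layout from the issue: encrypted URL as a request parameter,
    # so the path itself stays short.
    return f"{base}/?{urlencode({param: fake_encrypt(plain_url)})}"


def longest_segment(url: str) -> int:
    # Query string and fragment are not part of any path segment.
    return max((len(seg) for seg in urlsplit(url).path.split("/")), default=0)


def rejected_by_iis(url: str, limit: int = IIS_DEFAULT_SEGMENT_MAX) -> bool:
    # True when Http.sys with default settings would answer HTTP 400.
    return longest_segment(url) > limit


# Constructed sample: a mounted page with several segments and parameters,
# long enough that the encrypted single segment passes 260 characters.
SAMPLE_PLAIN = ("wicket/bookmarkable/com.example.app.pages.OrderDetailPage"
                "/order/123456789/customer/987654321/"
                "?tab=history&sort=date&dir=desc&page=3&filter=open"
                "&pageMapName=wicket-0&from=2012-01-01&to=2012-12-31"
                "&locale=en_GB&theme=default")

if __name__ == "__main__":
    for label, url in (("single segment", single_segment_url("https://app.example", SAMPLE_PLAIN)),
                       ("query parameter", query_param_url("https://app.example", SAMPLE_PLAIN))):
        print(f"{label:16} longest segment={longest_segment(url):4}  rejected={rejected_by_iis(url)}")
```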

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
