[ https://issues.apache.org/jira/browse/WICKET-4407?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13213594#comment-13213594 ]

Martin Grigorov commented on WICKET-4407:
-----------------------------------------

Where exactly in the article did you see that changing 'UrlSegmentMaxLength' is 
extremely dangerous?
Windows is to play games on it. Don't use it for business :-)

You can use your version of CryptoMapper if it serves you well.
The current implementation of Wicket's CryptoMapper produces these URLs to be 
able to handle relative URLs in .css files (which are not manipulated by 
Wicket). Touching this logic will break a lot more applications already in 
production.

I also don't like that Windows sys admins don't want to upgrade IE 
installations to something more modern and I have to write ugly hacks just to 
support strange problems in IE6/7/8 but ... C'est la vie :-/

Feel free to raise your problem at [email protected]. Maybe someone else 
will see a better solution.
                
> Url segments in CryptoMapper may be larger than 260 chars => HTTP 400 - 'Bad 
> request' when using IIS
> ----------------------------------------------------------------------------------------------------
>
>                 Key: WICKET-4407
>                 URL: https://issues.apache.org/jira/browse/WICKET-4407
>             Project: Wicket
>          Issue Type: Improvement
>          Components: wicket
>    Affects Versions: 1.5.4
>         Environment: IIS
>            Reporter: Jurriaan Pruys
>            Priority: Minor
>         Attachments: CryptoMapper.java
>
>
> CryptoMapper encrypts the whole Url into a single segment. As a result the 
> encrypted url segment can be very long (> 260 characters). The default 
> maximum url segment size for IIS is 260 characters (see 
> http://support.microsoft.com/kb/820129). The warning note for changing this 
> default is "Changing this registry key is considered extremely dangerous. 
> This key causes Http.sys to use more memory and may increase vulnerability to 
> malicious attacks." 
> I've created my own CryptoMapper that puts the encrypted request in a request 
> parameter. This works fine, but it would be nice to have this as a 
> (configurable | default) behavior of CryptoMapper.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
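
The length problem described in the issue, as an added example that is not part of the original message and is not Wicket's code: it compares a token placed in one path segment with the same token placed in a request parameter, against the 260-character segment limit quoted above. The 8-byte block cipher with padding, the unpadded URL-safe Base64 encoding, the parameter name "x" and the sample URL are assumptions made for illustration, so the exact threshold for a real cipher may differ.

```python
import base64
from urllib.parse import urlsplit

IIS_URL_SEGMENT_MAX = 260  # default per-segment limit quoted in the issue
BLOCK = 8                  # assumption: 8-byte block cipher with padding

# Constructed sample of a plaintext URL before encryption (not from the issue).
SAMPLE = ("wicket/bookmarkable/com.example.shop.pages.OrderDetailPage"
          "?orderId=12345&filter=" + "x" * 150)


def token_for(plain_url: str) -> str:
    """Stand-in token with the same length as a real ciphertext would have.

    Only the length matters here, so zero bytes replace the ciphertext.
    """
    n = len(plain_url.encode("utf-8"))
    padded = (n // BLOCK + 1) * BLOCK  # padding always adds 1..BLOCK bytes
    return base64.urlsafe_b64encode(bytes(padded)).decode().rstrip("=")


def longest_segment(url: str) -> int:
    """Longest path segment; the query string is not a path segment."""
    return max(len(s) for s in urlsplit(url).path.split("/"))


def exceeds_limit(url: str) -> bool:
    return longest_segment(url) > IIS_URL_SEGMENT_MAX


def as_segment(plain_url: str) -> str:
    """Whole request encrypted into one path segment (behaviour in the issue)."""
    return "/" + token_for(plain_url)


def as_parameter(plain_url: str) -> str:
    """Same token carried in a request parameter (the reporter's variant)."""
    return "/?x=" + token_for(plain_url)  # "x" is a hypothetical name


def max_plain_len() -> int:
    """Largest plaintext length whose single-segment form still fits."""
    n = 0
    while not exceeds_limit(as_segment("a" * (n + 1))):
        n += 1
    return n


if __name__ == "__main__":
    print("largest plaintext that fits in one segment:", max_plain_len())
    print("single segment too long:", exceeds_limit(as_segment(SAMPLE)))
    print("request parameter too long:", exceeds_limit(as_parameter(SAMPLE)))
```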
