[
https://issues.apache.org/jira/browse/WICKET-5944?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alex Grant closed WICKET-5944.
------------------------------
Thank you for fixing this so quickly.
> CSRF prevention does not work with https URLs on the default port
> -----------------------------------------------------------------
>
> Key: WICKET-5944
> URL: https://issues.apache.org/jira/browse/WICKET-5944
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 6.20.0
> Reporter: Alex Grant
> Assignee: Martijn Dashorst
> Fix For: 7.0.0, 6.21.0
>
>
> If your URL is https on the default port (so no :443 on the end), then the
> CSRF prevention (WICKET-5919) rejects requests with the Origin header
> supplied.
> In CsrfPreventionRequestCycleListener, line 519 looks like this
> if (port != -1 && "http".equals(scheme) && port != 80 ||
> "https".equals(scheme) && port != 443)
> So the port != -1 test binds only to the "http" half of the or statement, and
> the if block executes, which appends ":-1" to the end of the "https" URL. I
> think it should instead say
> if (port != -1 && ("http".equals(scheme) && port != 80 ||
> "https".equals(scheme) && port != 443))
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
