Improved PageParametersEncoder to skip query string parameters without a name,
because these may lead to log flooding by an attacker.
See https://issues.apache.org/jira/browse/WICKET-5770

It would be good to improve Wicket to not produce such urls too. First we
need to identify where they are created.
Is this an Ajax request?

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Wed, Nov 19, 2014 at 10:53 PM, Martin Grigorov <[email protected]>
wrote:

> Looking at
> https://issues.apache.org/jira/issues/?jql=project%20%3D%20WICKET%20AND%20fixVersion%20%3D%207.0.0-M5
> only
> https://issues.apache.org/jira/browse/WICKET-5759 looks somehow related.
>
> Are CallbackParameters used in your code?
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Wed, Nov 19, 2014 at 7:28 PM, Sebastien <[email protected]> wrote:
>
>> Right Martin, there is something weird (&=&):
>>
>> MyPage?1-1.IBehaviorListener.0-menu&hash=menuitem-1685872454&=&_=1416417363334
>>
>> Using -M4, I've got this url:
>>
>> MyPage?0-1.IBehaviorListener.0-menu&hash=menuitem-1754318150&_=1416417641051
>>
>> Just for the explanation, 'hash' is used by the menu widget. #onClick is
>> still triggered in addition to the direct link (a#href) but I don't think
>> that's the cause of the issue...
>>
>> Thanks,
>> Sebastien.
>>
>>
>> On Wed, Nov 19, 2014 at 4:32 PM, Martin Grigorov <[email protected]>
>> wrote:
>>
>> > Hi Sebastien,
>> >
>> > Please check what request parameters are being sent in the browser dev
>> > tools.
>> > Are there any?
>> > On Nov 19, 2014 5:05 PM, "Sebastien" <[email protected]> wrote:
>> >
>> > > fyi, this is not related to wicket-native-websocket, I've got the same
>> > > stacktrace with the default WicketFilter
>> > >
>> > > at org.apache.wicket.request.cycle.RequestCycle.resolveRequestHandler(RequestCycle.java:189) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:219) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > *at org.apache.wicket.protocol.http.WicketFilter.processRequestCycle(WicketFilter.java:261) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]*
>> > > at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > >
>> > >
>> > >
>> > > On Wed, Nov 19, 2014 at 3:42 PM, Sebastien <[email protected]> wrote:
>> > >
>> > > > Hi devs,
>> > > >
>> > > > Seems to be a problem with the latest snapshot. For an unknown reason I've
>> > > > got the stacktrace below on each page of my application I am trying to
>> > > > reach (after clicking a link whose url comes from RequestCycle#urlFor).
>> > > >
>> > > > This is *not* repro with 7.0.0-M4.
>> > > > If someone has an idea of what has changed and what can cause the
>> > > > issue, that would be nice. I am not sure I will have time to make a
>> > > > quickstart this week...
>> > > >
>> > > > Best regards & thanks in advance,
>> > > > Sebastien.
>> > > >
>> > > >
>> > > > ERROR [org.apache.wicket.DefaultExceptionMapper] Unexpected error
>> > > > occurred: java.lang.IllegalArgumentException: Argument 'name' may not
>> > > > be null or empty.
>> > > >         at org.apache.wicket.util.lang.Args.notEmpty(Args.java:64) [wicket-util-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.mapper.parameter.PageParameters.add(PageParameters.java:290) [wicket-request-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.mapper.parameter.PageParameters.add(PageParameters.java:284) [wicket-request-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.mapper.parameter.PageParametersEncoder.decodePageParameters(PageParametersEncoder.java:50) [wicket-request-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.mapper.AbstractMapper.extractPageParameters(AbstractMapper.java:155) [wicket-request-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.core.request.mapper.AbstractBookmarkableMapper.extractPageParameters(AbstractBookmarkableMapper.java:615) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.core.request.mapper.PackageMapper.parseRequest(PackageMapper.java:161) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.core.request.mapper.AbstractBookmarkableMapper.mapRequest(AbstractBookmarkableMapper.java:346) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.mapper.CompoundRequestMapper.mapRequest(CompoundRequestMapper.java:150) [wicket-request-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.cycle.RequestCycle.resolveRequestHandler(RequestCycle.java:189) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.cycle.RequestCycle.processRequest(RequestCycle.java:219) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.request.cycle.RequestCycle.processRequestAndDetach(RequestCycle.java:293) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.protocol.ws.AbstractUpgradeFilter.processRequestCycle(AbstractUpgradeFilter.java:59) [wicket-native-websocket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.protocol.http.WicketFilter.processRequest(WicketFilter.java:203) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:284) [wicket-core-7.0.0-SNAPSHOT.jar:7.0.0-SNAPSHOT]
>> > > >         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>> > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>> > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
>> > > >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
>> > > >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
>> > > >         at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
>> > > >
>> > >
>> >
>>
>
>
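As an added example (not Wicket's own code), a simplified model of the decoding step the top of this thread describes: the `&=&` segment from Sebastien's url yields an empty parameter name, which `Args.notEmpty` rejects, so every such request ends in an unhandled exception and an ERROR log line; skipping nameless segments before the name check removes that per-request error. The class and method names below are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical stand-in for PageParametersEncoder.decodePageParameters; not Wicket's code. */
public class QueryDecoder {

    /** Same contract as Args.notEmpty in the trace: an empty name is rejected. */
    static void requireName(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("Argument 'name' may not be null or empty.");
        }
    }

    /**
     * Splits a raw query string into (name, values) pairs. A segment with no
     * text before '=' (such as "=" or "=foo") has no name: with skipNameless
     * it is dropped (the WICKET-5770 behaviour), otherwise it reaches
     * requireName and throws, which is what ended up in the ERROR log.
     */
    static Map<String, List<String>> decode(String query, boolean skipNameless) {
        Map<String, List<String>> params = new LinkedHashMap<>();
        for (String segment : query.split("&")) {
            if (segment.isEmpty()) {
                continue;                      // "a&&b": nothing to add
            }
            int eq = segment.indexOf('=');
            String name = eq < 0 ? segment : segment.substring(0, eq);
            String value = eq < 0 ? "" : segment.substring(eq + 1);
            if (name.isEmpty() && skipNameless) {
                continue;                      // the fix: ignore nameless parameters
            }
            requireName(name);
            params.computeIfAbsent(name, k -> new ArrayList<>()).add(value);
        }
        return params;
    }

    public static void main(String[] args) {
        // Query string from the thread, including the odd "&=&" segment
        String q = "1-1.IBehaviorListener.0-menu&hash=menuitem-1685872454&=&_=1416417363334";
        System.out.println("after the fix:  " + decode(q, true));
        try {
            decode(q, false);
        } catch (IllegalArgumentException e) {
            System.out.println("before the fix: " + e.getMessage());
        }
    }
}
```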
