On Wed, May 4, 2016 at 3:27 PM, Sven Meier <[email protected]> wrote:
> Hi,
>
> well, it seems I wasn't completely out of my mind when I pushed for WICKET-5094:
> - I've checked 1.4 and the logic of #enforceMounts was exactly like it is now
> - the javadoc for #setEnforceMounts() matches the current behavior:
>
> "Sets whether mounts should be enforced. If true, requests for mounted targets have to be done through the mounted paths. If, for instance, a bookmarkable page is mounted to a path, a request to that same page via the bookmarkablePage parameter will be denied."
>
> For those trying to prevent any requests to non-mounted pages: Couldn't you just remove the BookmarkableMapper?
>
>     ICompoundRequestMapper mappers = getRootRequestMapperAsCompound();
>     mappers.forEach((mapper) -> {
>         if (mapper instanceof BookmarkableMapper) mappers.remove(mapper);
>     });
>
> Personally I wouldn't mind changing/removing/renaming this setting for Wicket 8.x, so it is more useful.
>
+1 to change the behavior to what it was after WICKET-3849 and before WICKET-5094

> Have fun
> Sven
>
> On 04.05.2016 08:23, Martin Grigorov wrote:
>> Hi,
>>
>> I also think the current behavior is not correct. See my question at http://markmail.org/message/xmo74m3tbc5v4nwp.
>> I read the name of the method "enforceMounts" as "do not allow URLs to pages which are not explicitly mounted". I believe also this is the reason this method is in SecuritySettings, and not in PageSettings. And its javadoc also says the same. That's why I've reintroduced this behavior with https://issues.apache.org/jira/browse/WICKET-3849.
>>
>> According to Sven the behavior in Wicket 1.4.x was different and he changed it with https://issues.apache.org/jira/browse/WICKET-5094.
>> IMO Wicket 1.4.x must have had a bug, but there is no one to confirm :-/
>>
>> Martin Grigorov
>> Wicket Training and Consulting
>> https://twitter.com/mtgrigorov
>>
>> On Wed, May 4, 2016 at 7:57 AM, Илья Нарыжный <[email protected]> wrote:
>>> Martin,
>>>
>>> Checked this issue: https://issues.apache.org/jira/browse/WICKET-5094
>>> Absolutely disagree with the discussed behavior. It's meaningless to prevent accessing /wicket/bookmarkable/<CLASS> only if there is a mount point for that page.
>>> Please help to find consensus. In my case it's a real security hole.
>>>
>>> Thanks,
>>>
>>> Ilia
>>>
>>> 2016-05-03 22:50 GMT-07:00 Илья Нарыжный <[email protected]>:
>>>> Martin,
>>>>
>>>> Just checked: it doesn't work as expected.
>>>> It seems that this code doesn't work as it was assumed:
>>>>
>>>> BookmarkableMapper.java
>>>>
>>>>     if (application.getSecuritySettings().getEnforceMounts())
>>>>     {
>>>>         // we make an exception if the homepage itself was mounted, see WICKET-1898
>>>>         if (!pageClass.equals(application.getHomePage()))
>>>>         {
>>>>             // WICKET-5094 only enforce mount if page is mounted
>>>>             if (isPageMounted(pageClass, application.getRootRequestMapperAsCompound())) // HERE!!!
>>>>             {
>>>>                 return null;
>>>>             }
>>>>         }
>>>>     }
>>>>
>>>> IMHO the condition at the line marked HERE!!! should be the opposite.
>>>> Please check.
>>>>
>>>> In my case getSecuritySettings().setEnforceMounts(true); doesn't have any effect.
>>>>
>>>> Thanks,
>>>>
>>>> Ilia
>>>>
>>>> 2016-05-03 10:59 GMT-07:00 Илья Нарыжный <[email protected]>:
>>>>> Thank you Martin! I did know that there should be an easier way to do that, but was not able to find it :)
>>>>>
>>>>> Regards,
>>>>>
>>>>> Ilia
>>>>>
>>>>> 2016-05-03 0:06 GMT-07:00 Martin Grigorov <[email protected]>:
>>>>>> Hi,
>>>>>>
>>>>>> I always thought that org.apache.wicket.settings.SecuritySettings#getEnforceMounts() is for this. Also its javadoc seems to say that.
>>>>>> But there were some changes to its behavior after which I am no longer sure what exactly it does :-/
>>>>>>
>>>>>> Martin Grigorov
>>>>>> Wicket Training and Consulting
>>>>>> https://twitter.com/mtgrigorov
>>>>>>
>>>>>> On Tue, May 3, 2016 at 8:53 AM, Илья Нарыжный <[email protected]> wrote:
>>>>>>> Yea - that's possible. Even instrumentation is possible, but probably this problem is somehow solved already in Wicket. I would briefly summarize the problem like this:
>>>>>>>
>>>>>>> Wicket allows directly addressing bookmarkable pages from 3rd-party libraries without a good way to manage accessibility.
>>>>>>> Potentially it means that, having control over some 3rd-party lib, it's possible to include a "backdoor page".
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ilia
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>>> For additional commands, e-mail: [email protected]
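Sven's suggestion of removing the BookmarkableMapper, worked into a complete application class as an added example; this is not code from the thread or from Wicket itself. MountedOnlyApplication, HomePage and AdminPage are hypothetical, and it assumes the Wicket 6/7 API named in the thread (getRootRequestMapperAsCompound, ICompoundRequestMapper, BookmarkableMapper); the startup check that throws when no mapper was removed is this example's own addition.

```java
import java.util.ArrayList;
import java.util.List;

import org.apache.wicket.Page;
import org.apache.wicket.core.request.mapper.BookmarkableMapper;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.request.IRequestMapper;
import org.apache.wicket.request.mapper.ICompoundRequestMapper;

// Hypothetical application: only pages mounted in init() should be reachable.
public class MountedOnlyApplication extends WebApplication {

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // hypothetical page class
    }

    @Override
    protected void init() {
        super.init();

        // Explicit allowlist: every reachable page gets a mount path.
        mountPage("/admin", AdminPage.class); // hypothetical page class

        // Drop the BookmarkableMapper so /wicket/bookmarkable/<CLASS> URLs stop
        // resolving for every page, mounted or not, independent of enforceMounts.
        int removed = removeBookmarkableMappers(getRootRequestMapperAsCompound());
        if (removed == 0) {
            // Fail loudly at startup instead of silently leaving class-name URLs
            // reachable (e.g. if the default mapper chain was replaced elsewhere).
            throw new IllegalStateException("no BookmarkableMapper in root mapper chain");
        }
    }

    // Collect first, then remove, so iteration never races with removal.
    static int removeBookmarkableMappers(ICompoundRequestMapper root) {
        List<IRequestMapper> toRemove = new ArrayList<>();
        for (IRequestMapper mapper : root) {
            if (mapper instanceof BookmarkableMapper) {
                toRemove.add(mapper);
            }
        }
        for (IRequestMapper mapper : toRemove) {
            root.remove(mapper);
        }
        return toRemove.size();
    }
}
```

With the mapper gone, no remaining mapper can produce a URL for an unmounted page, so every page the application links to needs a mount of its own.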
