GET requests can be triggered by someone opening a page with e.g. an
image URL pointing to that. In a small application, this URL can be
guessable.
But even if it weren't a security issue - I still would like to know why
there is this inconsistency between onFormSubmitted and
onFormSubmitted(submitter).

On Fri, Feb 2, 2018, at 15:39, Ernesto Reinaldo Barreiro wrote:
> Ok. But does that posses a real security issue? i.e not logged used
> triggering a click on "that" button that does not exists for them?
> 
> On Fri, Feb 2, 2018 at 3:36 PM, Carl-Eric Menzel
> <cmen...@wicketbuch.de>> wrote:
> 
>> You're not wrong, but I'd still like to be able to block GET. And the>> 
>> other question is **why** this check isn't done for forms with submit>> 
>> components (I haven't tried it, but I suspect using a regular button>> 
>> rather than an ajax button would run into the same issue).
>> 
>> On Fri, Feb 2, 2018, at 14:45, Ernesto Reinaldo Barreiro wrote:
>>> Hi,
>>> 
>>> Maybe I'm wrong but for AJAX only logged in user could get that
>>> REQUEST to> work because it is page relative.  Or am I completely
>>> wrong?>>> 
>>> On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel
>>> <cmen...@wicketbuch.de>> wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I've just encountered an interesting oddity. For a normal form
>>>> submission,>> there is Form#onMethodMismatch where I can
>>>> decide what>> should
>>>> happen if>> somebody calls the form's URL with a GET request
>>>> rather than>>>> the usual>> POST. At least in 6.x and 7.x this is called 
>>>> from
>>>> onFormSubmitted() - but>> not from onFormSubmitted(submitter).
>>>> 
>>>> The result is that for forms that have an ajax button and thus
>>>> a valid>> submitter, I can't stop somebody building a GET
>>>> request and>>>> firing that>> against the button's URL. Theoretically I 
>>>> could
>>>> override>>>> AjaxFormSubmitBehavior's onEvent method, but that doesn't work
>>>> for ajax>> buttons, which build their own AjaxFormSubmitBehavior.
>>>> 
>>>> On one of my current projects the customer is quite security-
>>>> minded and>> would like the application to block these GET
>>>> requests. My>>>> question is: Is>> it intentional that only the regular
>> onFormSubmitted() method
>>>> checks this?>> If yes, I'd like to know the reasoning please.
>>>> If not,>> I'm going to
>>>> write a>> patch to fix this.
>>>> 
>>>> Or maybe I'm missing something and am going the wrong way
>>>> entirely. In>> that case, let me know please.
>>>> 
>>>> Carl-Eric
>>>> 
>>> 
>>> 
>>> 
>>> --
>>> Regards - Ernesto Reinaldo Barreiro
>> 
>> 
> 
> 
> --
> Regards - Ernesto Reinaldo Barreiro

Reply via email to