Ok. I see.

On Fri, Feb 2, 2018 at 3:42 PM, Carl-Eric Menzel <cmen...@wicketbuch.de>
wrote:

> GET requests can be triggered by someone opening a page with e.g. an
> image URL pointing to that. In a small application, this URL can be
> guessable.
> But even if it weren't a security issue - I still would like to know why
> there is this inconsistency between onFormSubmitted and
> onFormSubmitted(submitter).
>
> On Fri, Feb 2, 2018, at 15:39, Ernesto Reinaldo Barreiro wrote:
> > Ok. But does that pose a real security issue? i.e. a not-logged-in user
> > triggering a click on "that" button that does not exist for them?
> >
> > On Fri, Feb 2, 2018 at 3:36 PM, Carl-Eric Menzel
> > <cmen...@wicketbuch.de> wrote:
> >
> >> You're not wrong, but I'd still like to be able to block GET. And the
> >> other question is **why** this check isn't done for forms with submit
> >> components (I haven't tried it, but I suspect using a regular button
> >> rather than an ajax button would run into the same issue).
> >>
> >> On Fri, Feb 2, 2018, at 14:45, Ernesto Reinaldo Barreiro wrote:
> >>> Hi,
> >>>
> >>> Maybe I'm wrong, but for AJAX only a logged-in user could get that
> >>> REQUEST to work because it is page relative. Or am I completely
> >>> wrong?
> >>>
> >>> On Thu, Feb 1, 2018 at 10:45 PM, Carl-Eric Menzel
> >>> <cmen...@wicketbuch.de> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> I've just encountered an interesting oddity. For a normal form
> >>>> submission, there is Form#onMethodMismatch where I can decide what
> >>>> should happen if somebody calls the form's URL with a GET request
> >>>> rather than the usual POST. At least in 6.x and 7.x this is called from
> >>>> onFormSubmitted() - but not from onFormSubmitted(submitter).
> >>>>
> >>>> The result is that for forms that have an ajax button and thus a valid
> >>>> submitter, I can't stop somebody building a GET request and firing that
> >>>> against the button's URL. Theoretically I could override
> >>>> AjaxFormSubmitBehavior's onEvent method, but that doesn't work for ajax
> >>>> buttons, which build their own AjaxFormSubmitBehavior.
> >>>>
> >>>> On one of my current projects the customer is quite security-minded and
> >>>> would like the application to block these GET requests. My question is:
> >>>> Is it intentional that only the regular onFormSubmitted() method checks
> >>>> this? If yes, I'd like to know the reasoning please. If not, I'm going to
> >>>> write a patch to fix this.
> >>>>
> >>>> Or maybe I'm missing something and am going the wrong way entirely. In
> >>>> that case, let me know please.
> >>>>
> >>>> Carl-Eric
> >>>>
> >>>
> >>>
> >>>
> >>> --
> >>> Regards - Ernesto Reinaldo Barreiro
> >>
> >>
> >
> >
> > --
> > Regards - Ernesto Reinaldo Barreiro
>
>


-- 
Regards - Ernesto Reinaldo Barreiro
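The two submit paths Carl-Eric describes, as an added example that is not code from this thread or from Wicket itself. It targets the Wicket 6.x/7.x Form API as the thread describes it: onMethodMismatch() is only consulted on the plain onFormSubmitted() path, so the Ajax path gets its own check in the behaviour's onEvent(), which is the override Carl-Eric mentions. The package of AbortWithHttpErrorCodeException, the choice of a 405 status, and the class names PostOnlyForm / PostOnlyAjaxFormSubmitBehavior are assumptions of this example; the AjaxButton case (which builds its own AjaxFormSubmitBehavior) is not covered by it.

```java
import javax.servlet.http.HttpServletRequest;

import org.apache.wicket.Component;
import org.apache.wicket.ajax.AjaxRequestTarget;
import org.apache.wicket.ajax.form.AjaxFormSubmitBehavior;
import org.apache.wicket.markup.html.form.Form;
import org.apache.wicket.model.IModel;
// Assumption: package path as in Wicket 6.x/7.x.
import org.apache.wicket.request.http.flow.AbortWithHttpErrorCodeException;

/**
 * Added example, not code from the thread and not Wicket's own code.
 * Assumes Wicket 6.x/7.x, where Form#onMethodMismatch() is consulted on the
 * plain onFormSubmitted() path only, as described in the thread.
 */
public final class PostOnlySubmit {

    private PostOnlySubmit() {}

    /** True if the servlet request behind this component used the expected HTTP method. */
    static boolean requestUsesMethod(Component component, String expected) {
        Object containerRequest = component.getRequest().getContainerRequest();
        if (!(containerRequest instanceof HttpServletRequest)) {
            // Not running under a servlet container (e.g. some test setups): fail closed.
            return false;
        }
        String actual = ((HttpServletRequest) containerRequest).getMethod();
        return expected.equalsIgnoreCase(actual);
    }

    /** Plain (non-Ajax) path: Wicket already calls onMethodMismatch(); answer ABORT. */
    public static class PostOnlyForm<T> extends Form<T> {
        private static final long serialVersionUID = 1L;

        public PostOnlyForm(String id) {
            super(id);
        }

        public PostOnlyForm(String id, IModel<T> model) {
            super(id, model);
        }

        @Override
        protected MethodMismatchResponse onMethodMismatch() {
            // The default is CONTINUE, which lets a GET against the form URL through.
            return MethodMismatchResponse.ABORT;
        }
    }

    /**
     * Ajax path: onEvent() is what ends up calling onFormSubmitted(submitter),
     * which does no method check, so the check is done here before delegating.
     * Only covers behaviours you attach yourself; AjaxButton builds its own
     * AjaxFormSubmitBehavior, as noted in the thread.
     */
    public static class PostOnlyAjaxFormSubmitBehavior extends AjaxFormSubmitBehavior {
        private static final long serialVersionUID = 1L;

        public PostOnlyAjaxFormSubmitBehavior(Form<?> form, String event) {
            super(form, event);
        }

        @Override
        protected void onEvent(AjaxRequestTarget target) {
            // Form#getMethod() is "post" unless the form was configured otherwise.
            String required = getForm().getMethod();
            if (!requestUsesMethod(getComponent(), required)) {
                // Assumption: a 405 is the desired response; adjust to taste.
                throw new AbortWithHttpErrorCodeException(405,
                        "Form submits must use " + required.toUpperCase());
            }
            super.onEvent(target);
        }
    }
}
```

Usage: build the form as `new PostOnlySubmit.PostOnlyForm<Void>("form")` and attach the behaviour to the submitting component, e.g. `button.add(new PostOnlySubmit.PostOnlyAjaxFormSubmitBehavior(form, "click"))`. A hand-built GET against the behaviour's listener URL then stops in onEvent() before onFormSubmitted(submitter) runs, while the plain form URL is covered by onMethodMismatch().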
