dig the demo application and try maybe I didn't test it properly...

On Thu, Dec 1, 2011 at 6:55 PM, Igor Vaynberg <[email protected]> wrote:
> the question is, should we be escaping them with the backslash or with
> the url-coding?
>
> -igor
>
> On Thu, Dec 1, 2011 at 9:48 AM, Martin Grigorov <[email protected]> wrote:
>> The commit message doesn't say it, but yes this is the fix for this
>> security problem.
>> There is a way to attack the application with the URL encoded version.
>>
>> On Thu, Dec 1, 2011 at 6:05 PM, Igor Vaynberg <[email protected]>
>> wrote:
>>> this was done in r1150391 by martin for
>>> http://wicket.apache.org/2011/08/23/cve-2011-2712.html
>>>
>>> -igor
>>>
>>> On Thu, Dec 1, 2011 at 8:45 AM, Gereon Steffens
>>> <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> I've noticed a change in Wicket 1.4.19 regarding URL parameter encoding.
>>>> If a parameter value contains a single quote, these quotes are now
>>>> preceded by a backslash (this happens in RequestCycle#encodeUrlFor).
>>>>
>>>> Why is this done? I've never heard of backslash-escaping in relation to
>>>> URLs.
>>>>
>>>> As far as I can tell, this also breaks compatibility with apps/sites that
>>>> now need additional code to parse parameters like
>>>> example.com?param=a'b which is now represented as param=a\'b. Even if the
>>>> backslash were necessary in a URL, it should be URL-escaped as %5c.
>>>>
>>>> Am I missing something?
>>>>
>>>> Regards
>>>> Gereon
>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: [email protected]
>>>> For additional commands, e-mail: [email protected]
>>>>
>>
>> --
>> Martin Grigorov
>> jWeekend
>> Training, Consulting, Development
>> http://jWeekend.com
>>

--
Martin Grigorov
jWeekend
Training, Consulting, Development
http://jWeekend.com
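The encoding question the thread argues over (backslash before the quote versus percent-encoding), shown as an added Python example that is not Wicket code and not from anyone in the thread. It assumes `http://example.com/` as the base URL and uses a constructed list of sample values; only `a'b` comes from Gereon's message. The point it makes from the defender's side: a value that is percent-encoded when the URL is built comes back unchanged from any standards-following query parser, whereas a backslash-escaped value is opaque to those parsers, which is the compatibility break the thread describes.

```python
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Constructed sample values: the quote case from the thread plus a few other
# characters that also need care inside a query string.
SAMPLE_VALUES = ["a'b", "it's", "a\\b", "x&y=z", "100%"]


def percent_encode(value: str) -> str:
    """RFC 3986 percent-encoding of one query value: ' -> %27, \\ -> %5C, & -> %26."""
    return quote(value, safe="")


def backslash_escape(value: str) -> str:
    """The scheme Gereon describes: prefix each single quote with a backslash."""
    return value.replace("'", "\\'")


def build_url(value: str, scheme: str) -> str:
    """Place the value in ?param=... using the chosen escaping scheme.

    'percent' is the standard approach; 'backslash' reproduces the behaviour
    questioned in the thread, with no percent-encoding at all.
    """
    if scheme == "percent":
        return "http://example.com/?" + urlencode({"param": value}, quote_via=quote)
    if scheme == "backslash":
        return "http://example.com/?param=" + backslash_escape(value)
    raise ValueError(f"unknown scheme: {scheme}")


def decode_param(url: str) -> str:
    """Read 'param' back the way a standards-following server or client does:
    split the query on & and =, then percent-decode exactly once."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["param"][0]


def round_trips(value: str, scheme: str) -> bool:
    """True when the value survives URL construction plus standard decoding unchanged."""
    return decode_param(build_url(value, scheme)) == value


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(f"{v!r:12} percent={round_trips(v, 'percent')!s:5} "
              f"backslash={round_trips(v, 'backslash')}")
```

Running it shows every sample value round-tripping under percent-encoding, while `a'b` decodes as `a\'b` under the backslash scheme and `x&y=z` loses its tail because the unencoded `&` is read as a parameter separator. A backslash that genuinely must appear in a value is itself data and is encoded as `%5C`, so encoding the backslash-escaped string (`a%5C%27b`) still does not recover the original; the two schemes do not compose.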
