Gereon, can you take a look... -igor
On Thu, Dec 1, 2011 at 9:58 AM, Martin Grigorov <[email protected]> wrote:
> dig the demo application and try
> maybe I didn't test it properly...
>
> On Thu, Dec 1, 2011 at 6:55 PM, Igor Vaynberg <[email protected]> wrote:
>> the question is, should we be escaping them with the backslash or with
>> the url-coding?
>>
>> -igor
>>
>> On Thu, Dec 1, 2011 at 9:48 AM, Martin Grigorov <[email protected]> wrote:
>>> The commit message doesn't say it, but yes this is the fix for this
>>> security problem.
>>> There is a way to attack the application with the URL encoded version.
>>>
>>> On Thu, Dec 1, 2011 at 6:05 PM, Igor Vaynberg <[email protected]> wrote:
>>>> this was done in r1150391 by martin for
>>>> http://wicket.apache.org/2011/08/23/cve-2011-2712.html
>>>>
>>>> -igor
>>>>
>>>> On Thu, Dec 1, 2011 at 8:45 AM, Gereon Steffens <[email protected]> wrote:
>>>>> Hi,
>>>>>
>>>>> I've noticed a change in Wicket 1.4.19 regarding URL parameter encoding.
>>>>> If a parameter value contains a single quote, these quotes are now
>>>>> preceded by a backslash (this happens in RequestCycle#encodeUrlFor).
>>>>>
>>>>> Why is this done? I've never heard of backslash-escaping in relation to
>>>>> URLs.
>>>>>
>>>>> As far as I can tell, this also breaks compatibility with apps/sites that
>>>>> now need additional code to parse parameters like
>>>>> example.com?param=a'b which is now represented as param=a\'b. Even if the
>>>>> backslash were necessary in a URL, it should be URL-escaped as %5c.
>>>>>
>>>>> Am I missing something?
>>>>>
>>>>> Regards
>>>>> Gereon
>>>>>
>>>>> ---------------------------------------------------------------------
>>>>> To unsubscribe, e-mail: [email protected]
>>>>> For additional commands, e-mail: [email protected]
>>>
>>> --
>>> Martin Grigorov
>>> jWeekend
>>> Training, Consulting, Development
>>> http://jWeekend.com
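The thread contrasts two ways of handling a single quote in a query parameter value: percent-encoding it (the URL's own escaping mechanism) versus prefixing it with a backslash. The following is an added example, not code from the Wicket project or from anyone in the thread; it uses Python's standard `urllib.parse` instead of Wicket's `RequestCycle#encodeUrlFor`, and the sample value `a'b` is constructed from Gereon's message. It shows that a percent-encoded value survives a standard query-string parser unchanged, while a backslash-escaped value comes back with a literal backslash, because the backslash is not a URL metacharacter and parsers have no reason to strip it. It also shows what the backslash itself looks like once properly percent-encoded (`%5C`), which is the form Gereon says would be expected if the backslash were needed at all.

```python
from urllib.parse import quote, parse_qs

# Constructed sample parameter value containing the character under discussion.
RAW_VALUE = "a'b"


def percent_encode(value: str) -> str:
    """Percent-encode a query parameter value (RFC 3986 style).

    safe="" makes quote() escape every reserved character, so the single
    quote becomes %27 and a backslash, if present, becomes %5C.
    """
    return quote(value, safe="")


def backslash_escape(value: str) -> str:
    """The scheme described in the thread: put a backslash before each single quote.

    This is string-level escaping, not URL encoding: the backslash is simply an
    extra literal character that ends up in the URL.
    """
    return value.replace("'", "\\'")


def decode_param(query: str, name: str) -> str:
    """Parse a query string the way a generic consumer would and return one value.

    parse_qs only undoes percent-encoding; it knows nothing about backslashes.
    """
    return parse_qs(query, keep_blank_values=True)[name][0]


def round_trips(encoder) -> bool:
    """True if encoding RAW_VALUE and parsing it back yields RAW_VALUE again."""
    query = "param=" + encoder(RAW_VALUE)
    return decode_param(query, "param") == RAW_VALUE


def escaped_then_encoded(value: str) -> str:
    """Backslash-escape first, then percent-encode: the backslash shows up as %5C."""
    return percent_encode(backslash_escape(value))


if __name__ == "__main__":
    for label, encoder in (("percent-encoded", percent_encode),
                           ("backslash-escaped", backslash_escape),
                           ("backslash-escaped then percent-encoded", escaped_then_encoded)):
        query = "param=" + encoder(RAW_VALUE)
        print(f"{label:40} {query:22} parsed as {decode_param(query, 'param')!r}")
```

Running the script prints one line per scheme; only the percent-encoded form parses back to `a'b`, the other two hand the application `a\'b`, which is the extra parsing work Gereon points out.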
