Well, nothing in RFC 2396 talks about using backslashes to escape anything
(or at least I can't find it). What it does say is that unescaped
backslash characters in URLs are invalid, since they must be encoded as
%5c. (see the comment in WicketURLEncoder's constructor).

So, from my point of view there are two problems: backslash-escaping
single and double quotes (that's what JavascriptUtils#escapeQuotes
does) isn't mandated by the RFC and creates problems when creating URLs
that others may need to parse, because they're not likely to follow this
unusual escaping method.

Secondly, even when doing this escaping is deemed OK, leaving an unescaped
backslash in the URL clearly violates the RFC.

I'll play with the demo app later and see what I find.

Gereon

I haven't had the time to look into CVE-2011-2712 closely, but

On 01.12.11 18:59, "Igor Vaynberg" <[email protected]> wrote:

>Gereon, can you take a look...
>
>-igor
>
>On Thu, Dec 1, 2011 at 9:58 AM, Martin Grigorov <[email protected]>
>wrote:
>> dig the demo application and try
>> maybe I didn't test it properly...
>>
>> On Thu, Dec 1, 2011 at 6:55 PM, Igor Vaynberg <[email protected]>
>>wrote:
>>> the question is, should we be escaping them with the backslash or with
>>> the url-coding?
>>>
>>> -igor
>>>
>>> On Thu, Dec 1, 2011 at 9:48 AM, Martin Grigorov <[email protected]>
>>>wrote:
>>>> The commit message doesn't say it, but yes this is the fix for this
>>>> security problem.
>>>> There is a way to attack the application with the URL encoded version.
>>>>
>>>> On Thu, Dec 1, 2011 at 6:05 PM, Igor Vaynberg
>>>><[email protected]> wrote:
>>>>> this was done in r1150391 by martin for
>>>>> http://wicket.apache.org/2011/08/23/cve-2011-2712.html
>>>>>
>>>>> -igor
>>>>>
>>>>> On Thu, Dec 1, 2011 at 8:45 AM, Gereon Steffens
>>>>> <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've noticed a change in Wicket 1.4.19 regarding URL parameter
>>>>>> encoding. If a parameter value contains a single quote, these quotes
>>>>>> are now preceded by a backslash (this happens in
>>>>>> RequestCycle#encodeUrlFor).
>>>>>>
>>>>>> Why is this done? I've never heard of backslash-escaping in relation
>>>>>> to URLs.
>>>>>>
>>>>>> As far as I can tell, this also breaks compatibility with apps/sites
>>>>>> that now need additional code to parse parameters like
>>>>>> example.com?param=a'b which is now represented as param=a\'b. Even if
>>>>>> the backslash were necessary in a URL, it should be URL-escaped as %5c.
>>>>>>
>>>>>> Am I missing something?
>>>>>>
>>>>>> Regards
>>>>>> Gereon
>>>>>>
>>>>>>
>>>>>> 
>>>>>>---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: [email protected]
>>>>>> For additional commands, e-mail: [email protected]
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Martin Grigorov
>>>> jWeekend
>>>> Training, Consulting, Development
>>>> http://jWeekend.com
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>>
>>
>
>
>



-- 
Gereon Steffens
Team Lead, Development
Tel: +49 221 677882-42
Fax: +49 221 677882-43
E-Mail: [email protected]
Internet: http://www.finanzen100.de/
iPhone, iPad, Android: http://www.finanzen100.de/apps/

Finanzen100 GmbH, Lichtstraße 38, 50825 Köln
Managing Director: Oliver Eckert
Registered office: Köln, Amtsgericht Köln HRB 64201
VAT ID: DE 265105310

Follow us on Twitter: http://twitter.com/Finanzen100 and
http://twitter.com/Finanzen100News

Visit us on Facebook: http://www.facebook.com/Finanzen100
----------------
A company of TOMORROW FOCUS AG http://www.tomorrow-focus.de
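The two points Gereon raises at the top of the thread, and the `param=a'b` / `param=a\'b` example from the original post, as an added Python example that is not part of the thread or of Wicket's code: percent-encoding the value round-trips through a standards-following query parser, while the backslash-escaped form decodes to the wrong value and leaves a literal backslash that RFC 2396 excludes from URLs. The function names are hypothetical, and `backslash_escape` models only the behaviour the original post describes, not Wicket's actual implementation.

```python
# Added example (Python, not Wicket's code): percent-encoding vs. the
# backslash-escaping described in the thread, for a value such as a'b.
from urllib.parse import parse_qs, quote

# RFC 2396 sec. 2.4.3 excludes these characters from appearing literally
# in a URL. '%' is left out of the check because it legitimately starts
# an escape sequence in an already-encoded URL.
UNWISE = set("{}|\\^[]`")
DELIMS = set('<>#"')


def encode_param_value(value: str) -> str:
    """Percent-encode a query value; ' becomes %27 and \\ becomes %5C."""
    # safe="" leaves only alphanumerics and _.-~ literal; all else is %XX.
    return quote(value, safe="")


def backslash_escape(value: str) -> str:
    """Hypothetical model of the behaviour the original post describes:
    a single quote gets a backslash in front of it, nothing else changes."""
    return value.replace("'", "\\'")


def literal_excluded_chars(url_fragment: str) -> set:
    """Characters that RFC 2396 says may not appear unescaped in a URL."""
    return {c for c in url_fragment
            if c in UNWISE or c in DELIMS or c == " " or ord(c) < 0x20}


def decode_query_param(query: str, name: str) -> str:
    """Decode one value the way a standards-following consumer would:
    percent-escapes are undone, a backslash is an ordinary character."""
    return parse_qs(query, strict_parsing=True)[name][0]


if __name__ == "__main__":
    original = "a'b"  # constructed sample value from the thread
    for label, encoded in (("backslash", backslash_escape(original)),
                           ("percent", encode_param_value(original))):
        query = "param=" + encoded
        decoded = decode_query_param(query, "param")
        print(f"{label:9} {query:14} -> {decoded!r}  round-trips: "
              f"{decoded == original}  excluded chars: "
              f"{sorted(literal_excluded_chars(encoded))}")
```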





