I've created WICKET-4275 for this, including a quickstart.

Gereon

On 01.12.11 18:59, "Igor Vaynberg" <[email protected]> wrote:

> Gereon, can you take a look...
>
> -igor
>
> On Thu, Dec 1, 2011 at 9:58 AM, Martin Grigorov <[email protected]> wrote:
>> dig the demo application and try
>> maybe I didn't test it properly...
>>
>> On Thu, Dec 1, 2011 at 6:55 PM, Igor Vaynberg <[email protected]> wrote:
>>> the question is, should we be escaping them with the backslash or with
>>> the url-coding?
>>>
>>> -igor
>>>
>>> On Thu, Dec 1, 2011 at 9:48 AM, Martin Grigorov <[email protected]> wrote:
>>>> The commit message doesn't say it, but yes this is the fix for this
>>>> security problem.
>>>> There is a way to attack the application with the URL encoded version.
>>>>
>>>> On Thu, Dec 1, 2011 at 6:05 PM, Igor Vaynberg <[email protected]> wrote:
>>>>> this was done in r1150391 by martin for
>>>>> http://wicket.apache.org/2011/08/23/cve-2011-2712.html
>>>>>
>>>>> -igor
>>>>>
>>>>> On Thu, Dec 1, 2011 at 8:45 AM, Gereon Steffens <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I've noticed a change in Wicket 1.4.19 regarding URL parameter encoding.
>>>>>> If a parameter value contains a single quote, these quotes are now
>>>>>> preceded by a backslash (this happens in RequestCycle#encodeUrlFor).
>>>>>>
>>>>>> Why is this done? I've never heard of backslash-escaping in relation to
>>>>>> URLs.
>>>>>>
>>>>>> As far as I can tell, this also breaks compatibility with apps/sites that
>>>>>> now need additional code to parse parameters like
>>>>>> example.com?param=a'b which is now represented as param=a\'b. Even if the
>>>>>> backslash were necessary in a URL, it should be URL-escaped as %5c.
>>>>>>
>>>>>> Am I missing something?
>>>>>>
>>>>>> Regards
>>>>>> Gereon
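As an added illustration of the point argued in the thread (example code, not Wicket's own RequestCycle#encodeUrlFor), the following compares the two escaping strategies: percent-encoding a single quote as %27 (and a backslash as %5C) survives a standard query-string decoder, while a backslash inserted in front of the quote is kept by the decoder and so changes the value. The sample values are constructed for the example.

```python
from urllib.parse import quote, parse_qs

# Constructed sample values with characters that are unsafe in a query string:
# a single quote, a backslash, and the delimiters & and =.
SAMPLE_VALUES = ["a'b", "a\\'b", "x=1&y=2", "plain"]


def percent_encode_value(value: str) -> str:
    """RFC 3986 percent-encoding: safe='' so every reserved character is
    encoded; ' becomes %27 and \\ becomes %5C."""
    return quote(value, safe="")


def backslash_escape_value(value: str) -> str:
    """The strategy the thread questions: prefix each single quote with a
    backslash and leave the rest of the value untouched."""
    return value.replace("'", "\\'")


def build_query(params: dict) -> str:
    """Build a query string where both keys and values are percent-encoded."""
    return "&".join(
        f"{quote(k, safe='')}={percent_encode_value(v)}" for k, v in params.items()
    )


def round_trips(value: str, encoder) -> bool:
    """True when a standards-compliant decoder recovers the original value
    from 'param=<encoded value>'."""
    query = "param=" + encoder(value)
    decoded = parse_qs(query, keep_blank_values=True)["param"][0]
    return decoded == value


if __name__ == "__main__":
    for v in SAMPLE_VALUES:
        print(
            f"{v!r:14} percent={percent_encode_value(v):18} "
            f"ok={round_trips(v, percent_encode_value)}  "
            f"backslash={backslash_escape_value(v):12} "
            f"ok={round_trips(v, backslash_escape_value)}"
        )
```

Running it shows that every sample value round-trips through percent-encoding, whereas backslash escaping either alters the value (`a'b` is decoded as `a\'b`) or leaves `&` and `=` unprotected.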
