On 4/20/07, Jean-Baptiste Quenot <[EMAIL PROTECTED]> wrote:
> Which one of these 4 issues is a security issue?

That one is already fixed (WICKET-476). Basically it is Wicket not cleaning up a thread local at the end of a request under very rare circumstances, messing up Wicket's administration and *can* result in a page being displayed coming from the history of another session (but doesn't necessarily have to). Whether you will be experiencing this behavior depends on a number of factors:

* you have to trigger the non-cleaning up
* thread pool size
* type of requests
* activity of users
* session timeouts
* pagemap size

This is not remotely exploitable: it isn't triggered by a particular external stimulus, and you can't rely on the behavior (the thread pool of the application server determines this). The thread local clearing logic has been altered so that it *always* is cleared at the end of the request.

In our system we were able to track the problem (though not find a particular request or use case to be the source of the troubles). Since we applied this patch, we haven't seen the cross session pollination happen any more (we're at 1.3-something).

Martijn

--
Learn Wicket at ApacheCon Europe: http://apachecon.com
Join the wicket community at irc.freenode.net: ##wicket
Wicket 1.2.5 will keep your server alive. Download Wicket now! http://wicketframework.org
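The bug class described in the reply (a request-scoped thread local that is only cleared on the happy path, so the next request served by the same pooled thread inherits the previous request's state) and the fix (always clear it in a finally block), as an added illustration that is not Wicket's code and does not reproduce WICKET-476 itself. The `CURRENT_SESSION` holder, the handler names and the single-thread pool are constructed for the demo:

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Constructed demo of the "thread local not cleared at end of request" bug class.
public class ThreadLocalLeakDemo {
    // Stands in for a framework's per-request "current session" holder (assumption, not Wicket's API).
    static final ThreadLocal<String> CURRENT_SESSION = new ThreadLocal<>();

    /** Buggy handler: cleanup is skipped whenever the request throws before reaching it. */
    static String handleBuggy(String sessionId, boolean fail) {
        String inherited = CURRENT_SESSION.get(); // non-null means stale state from an earlier request
        CURRENT_SESSION.set(sessionId);
        if (fail) throw new IllegalStateException("request failed before cleanup");
        CURRENT_SESSION.remove();
        return inherited;
    }

    /** Fixed handler: try/finally guarantees the thread local is cleared on every exit path. */
    static String handleFixed(String sessionId, boolean fail) {
        String inherited = CURRENT_SESSION.get();
        try {
            CURRENT_SESSION.set(sessionId);
            if (fail) throw new IllegalStateException("request failed before cleanup");
            return inherited;
        } finally {
            CURRENT_SESSION.remove();
        }
    }

    /** Runs one request on the pool and reports what the handler found in the thread local on entry. */
    static String serve(ExecutorService pool, boolean useFix, String sid, boolean fail) throws Exception {
        Future<String> f = pool.submit(() -> useFix ? handleFixed(sid, fail) : handleBuggy(sid, fail));
        try {
            return f.get();
        } catch (ExecutionException e) {
            return "(request threw: " + e.getCause().getMessage() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // A single-thread pool makes thread reuse deterministic; a container's worker pool
        // reuses threads too, just unpredictably, which is why the symptom looks "rare".
        for (boolean useFix : new boolean[] {false, true}) {
            ExecutorService pool = Executors.newSingleThreadExecutor();
            serve(pool, useFix, "session-A", true);                // request A dies before cleanup
            String seen = serve(pool, useFix, "session-B", false); // request B lands on the same thread
            System.out.println((useFix ? "fixed" : "buggy") + ": request B entered with " + seen);
            pool.shutdown();
        }
    }
}
```

In the buggy run request B starts out holding session-A's state, which is the cross-session leak the reply describes; in the fixed run it starts clean. The same finally-based cleanup belongs in any request filter or dispatcher that populates thread locals.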
