I'm just asking. It will take months until my application gets in
production. But there might be other apps affected.
I'll be probably deploying with 1.1.
-Matej
Martijn Dashorst wrote:
Depending on how urgent it is, and how easy it is to integrate.
I'm +1 for backporting, as it is a (serious) security issue. However,
the process of creating a new release will have its backlash on the
development of 1.1. Putting out any release usually takes out a good
part of a weekend day.
Martijn
Matej Knopp wrote:
I suppose that this will be fixed in 1.1. Will it also be backported
to 1.0.[2] ?
Matej
Martijn Dashorst wrote:
Yeah,
That's what I meant, but didn't write ;-)
It should not fail silently though. In development this has to be
noticed. In production this should be readily visible.
Martijn
Eelco Hillenius wrote:
Though given the malicious nature of the attempt, you don't want to
give too much information. That's why just setting a HTTP status
(like expired or not authorized) could also be a good idea (combined
with logging, of course).
Eelco
Martijn Dashorst wrote:
Hmm,
I think this should result in an error, either:
- someone is maliciously tampering with your application
- there is a bug in your application or the wicket framework
In both cases this should result in an error page, and not fail
silently. I suppose this could be made configurable in the same way
the error page is configurable.
Martijn
Matej Knopp wrote:
The easiest would be to do nothing. Do as normal, just ignore the
action. So if put in a url that would trigger action on invisible
component, I would just get redirected to
appName?component=X&interface=IRedirectListener,...etc
Another one would be displaying an error page (like expired page).
But I think the first one is a better (and simpler) solution, but
that's only my opinion (and it's more a feeling than an opinion :))
-Matej
Eelco Hillenius wrote:
Hmmm. Sure looks like an unwanted backdoor. I agree we should fix
this. What do you think would be the proper action to take when
Wicket recognizes that an invisible component is called?
Eelco
Matej Knopp wrote:
Hi. I'm using wicket 1.0 and I just realized that it is
possible to invoke an action (ILinkListener, etc) on an invisible
component.
Is this intentional?
Because in my application it causes problems. For example I've a
page with my bean properties and several buttons to
edit/manipulate it. I show/hide these buttons according to
current user rights. But even if they are not visible, they can
be invoked through url very simply.
Can anything be done to prevent this?
I tried to alter this behavior but didn't succeed as every
method in WebRequest dealing with invoking is either private or
final. (I know it's a design decision and I accept it, no
rambling here :))
-Matej
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration
Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast.
http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Wicket-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/wicket-user
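The hole Matej describes (a listener on a hidden button still reachable by URL) and the two responses the thread weighs (fail silently vs. an error page, with logging), as an added Python model that is not from the thread or from Wicket; Component, resolve, build_page and the dispatch_* functions are assumed names for illustration.

```python
# Constructed model of the thread's issue, not Wicket code: buttons hidden by user
# rights, and a dispatcher resolving ?component=<path>&interface=<listener> URLs.
# dispatch_naive ignores visibility (the reported 1.0 behaviour); dispatch_checked
# refuses, logs and returns a status when the component or any ancestor is hidden.
import logging
from dataclasses import dataclass, field

@dataclass(eq=False, repr=False)  # the tree is cyclic (parent links); skip recursive eq/repr
class Component:
    id: str
    visible: bool = True
    parent: "Component | None" = None
    children: dict = field(default_factory=dict)
    listeners: dict = field(default_factory=dict)  # interface name -> callable

    def visible_in_hierarchy(self):  # a hidden parent hides every descendant
        c = self
        while c is not None and c.visible:
            c = c.parent
        return c is None

def resolve(page, path):  # "beanPage:buttons:delete" -> component or None
    ids = path.split(":")
    c = page if ids[0] == page.id else None
    for pid in ids[1:]:
        c = c.children.get(pid) if c is not None else None
    return c

def build_page(user_is_admin):  # edit button shown only to admins, as in the thread
    page = Component("beanPage")
    panel = Component("buttons", visible=user_is_admin, parent=page)
    page.children[panel.id] = panel
    btn = Component("delete", parent=panel, listeners={"ILinkListener": lambda: "bean deleted"})
    panel.children[btn.id] = btn
    return page

def dispatch_naive(page, params):  # visibility is never consulted
    return resolve(page, params["component"]).listeners[params["interface"]]()

def dispatch_checked(page, params, fail_silently=False):
    c = resolve(page, params.get("component", ""))
    iface = params.get("interface")
    if c is None or iface not in c.listeners:
        return 404, None
    if not c.visible_in_hierarchy():
        logging.warning("%s invoked on invisible %s", iface, params["component"])
        return (302 if fail_silently else 403), None  # redirect back, or error page
    return 200, c.listeners[iface]()
```

The check walks the whole parent chain, since hiding the panel that contains the buttons is the usual way rights are applied, and it is the chain, not just the target, that the URL bypasses.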