
Key: WICKET-40
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Jean-Baptiste Quenot
Reporter: Jan Bareš
Votes: 0
Watchers: 0
Wicket

Parameters of nice URL's pages with 'sensitive' characters

Created: 10/Nov/06 09:46 AM   Updated: 10/Jun/07 04:20 PM
Component/s: wicket
Affects Version/s: 1.2.3
Fix Version/s: 1.3.0-beta2

Time Tracking:
Not Specified

File Attachments:
20070427-WICKET-40-WicketFilter-no-decoding.txt (text file, 4 kB, 2007-04-27 07:57 AM, Jean-Baptiste Quenot; licensed for inclusion in ASF works)

Resolution Date: 06/May/07 08:01 PM


Description
Wicket uses HttpServletRequest.getPathInfo() to get the URL. The returned string is already URL decoded, so when the request parameter pair contains %2F, it will be returned as '/', so the request pair will be broken (the same applies to other characters like '+' etc). This was seen with Jetty 6 and Tomcat 5.5.
Wicket should use HttpServletRequest.getRequestURI() or getRequestURL() as this seems to return the URL as it was passed to the server.

Repository Revision Date User Message
ASF #534932 Thu May 03 16:47:54 UTC 2007 jbq * Adding httpunit-based tests for WICKET-40, rename bugTestXXX() to testXXX() to test the failing methods
* Allow to set custom webapp location and context path for JettyTestCaseDecorator
Files Changed
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/main/testwebapp1
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/WithoutCPWithoutFPTest.java
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/WithCPWithoutFPTest.java
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/main/testwebapp2
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/Application.java
MODIFY /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/examples/JettyTestCaseDecorator.java
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/main/testwebapp1/WEB-INF/web.xml
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/HelloWorld.html
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/main/testwebapp2/WEB-INF/web.xml
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/main/testwebapp1/WEB-INF
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/WithCPWithFPTest.java
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/main/testwebapp2/WEB-INF
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/WithoutCPWithFPTest.java
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest
ADD /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/HelloWorld.java

Repository Revision Date User Message
ASF #535648 Sun May 06 19:56:43 UTC 2007 jbq MockHttpServletRequest#getRequestURI() is now more realistic, returns context path and servlet path concatenated

This is to avoid handling special cases in WICKET-40
Files Changed
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/link/IndexedParamUrlCodingTest.java
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/test/java/org/apache/wicket/util/parse/metapattern/parsers/IndexedParamTest.java
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/MockHttpServletRequest.java
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/test/java/org/apache/wicket/request/target/coding/UrlMountingTest.java
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/test/java/org/apache/wicket/stateless/StatelessComponentTest.java

Repository Revision Date User Message
ASF #535650 Sun May 06 20:00:38 UTC 2007 jbq WICKET-40 Parameters of nice URL's pages with 'sensitive' characters

Changes the way WicketFilter computes the relative URL by avoiding by any means
calling getPathInfo(), only using getRequestURI(), getContextPath() and
getServletPath(), as getPathInfo() decodes the URL thus breaking slash-delimited
parameters
Files Changed
MODIFY /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/WithoutCPWithoutFPTest.java
MODIFY /incubator/wicket/trunk/jdk-1.5/wicket-examples/src/test/java/org/apache/wicket/filtertest/WithoutCPWithFPTest.java
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java

Repository Revision Date User Message
ASF #535657 Sun May 06 21:13:43 UTC 2007 jbq WICKET-40 Parameters of nice URL's pages with 'sensitive' characters

Need to strip out jsessionid
Files Changed
MODIFY /incubator/wicket/trunk/jdk-1.4/wicket/src/main/java/org/apache/wicket/protocol/http/WicketFilter.java
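
The failure described in the issue and the split-before-decode approach named in the fix commits, as an added example that is not Wicket's code. Plain strings stand in for the values of getRequestURI(), getContextPath() and getServletPath(); the class and helper names, the sample URI and the jsessionid-stripping regex are assumptions made for illustration (Java 10+).

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added illustration: hypothetical names, constructed input, no servlet container needed.
public class RawPathParams {

    // Percent-decode one piece of a path. '+' is literal in a URL path, so it is
    // protected from URLDecoder's form-encoding rule that maps '+' to a space.
    static String decode(String s) {
        return URLDecoder.decode(s.replace("+", "%2B"), StandardCharsets.UTF_8);
    }

    // Relative path taken from the raw request URI: drop the ";jsessionid=..."
    // path parameter, then the context path and servlet path. Nothing is decoded.
    static String relativeRawPath(String requestUri, String contextPath, String servletPath) {
        String uri = requestUri.replaceAll(";jsessionid=[^/?#]*", "");
        String prefix = contextPath + servletPath;
        if (!uri.startsWith(prefix)) {
            throw new IllegalArgumentException("URI is outside " + prefix);
        }
        return uri.substring(prefix.length());
    }

    // Split a path on '/' and drop empty pieces.
    static List<String> split(String path) {
        List<String> out = new ArrayList<>();
        for (String piece : path.split("/")) {
            if (!piece.isEmpty()) out.add(piece);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed request: mount "file", parameter pair name = "a/b+c".
        String requestUri = "/ctx/app/file/name/a%2Fb+c;jsessionid=ABC123";
        String raw = relativeRawPath(requestUri, "/ctx", "/app");

        // Decoding the whole path first (what an already-decoded path gives the
        // application) turns %2F into a delimiter and the value splits in two.
        System.out.println("decode, then split: " + split(decode(raw)));

        // Splitting on the raw delimiters first keeps the pair intact.
        List<String> segments = new ArrayList<>();
        for (String piece : split(raw)) segments.add(decode(piece));
        System.out.println("split, then decode: " + segments);
    }
}
```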