Wicket / WICKET-2397: text fields do not honor isRequired()


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.7, 1.4-M1, 1.4-M2, 1.4-M3, 1.4-RC1, 1.4-RC2, 1.4-RC3, 1.4-RC4, 1.4-RC5, 1.4-RC6, 1.4-RC7
    • Fix Version/s: 1.4.1
    • Component/s: wicket
    • Labels: None

Description

    AbstractTextComponent overrides isInputNullable to return false, instead of the default true, defined in FormComponent. FormComponent#checkRequired uses isInputNullable to check if an input was disabled. That makes it possible to submit a form with a required field without that field, completely skipping the validation (the form's onSubmit is called). We consider this a wide-open security hole, as basically any form with a required text field, relying on the required-validation, is affected.

    The hole can easily be exploited by not removing certain fields from a form submit, e.g. by removing them from the DOM via Firebug (then doing a regular submit), or forging the complete request with an appropriate tool.

    From what is commented on isInputNullable, it seems like the check should actually be replaced with an actual check of enabled/disabled methods/properties. A required input is only optional when it is actually not enabled (on the server side), not just because its key/value pair is missing in the request.

    I'll attach a test application.
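The check the description refers to, as an added stand-alone model (not Wicket's own FormComponent or AbstractTextComponent code): the pre-fix path that excuses a missing parameter whenever isInputNullable() is false, next to the server-side enabled-state check the reporter proposes. The class and method names RequiredField, TextFieldModel, checkRequiredLegacy and checkRequiredFixed are assumed for the illustration.

```java
import java.util.HashMap;
import java.util.Map;

/** Minimal stand-in for a required form component; not Wicket's FormComponent. */
abstract class RequiredField {
    final String name;
    final boolean enabled; // server-side enabled state of the component

    RequiredField(String name, boolean enabled) { this.name = name; this.enabled = enabled; }

    /** Text components answer false here; the legacy check reads that as "a missing value means disabled". */
    abstract boolean isInputNullable();

    /** Pre-fix logic: a parameter absent from the request is excused whenever isInputNullable() is false. */
    boolean checkRequiredLegacy(Map<String, String> request) {
        String input = request.get(name);
        if (input == null && !isInputNullable()) {
            return true; // absence is taken as proof the field was disabled, so the required check is skipped
        }
        return input != null && !input.trim().isEmpty();
    }

    /** Proposed logic: only a component that is actually disabled on the server is exempt. */
    boolean checkRequiredFixed(Map<String, String> request) {
        if (!enabled) {
            return true;
        }
        String input = request.get(name);
        return input != null && !input.trim().isEmpty();
    }
}

/** Models the AbstractTextComponent override described in the issue. */
class TextFieldModel extends RequiredField {
    TextFieldModel(String name, boolean enabled) { super(name, enabled); }
    @Override boolean isInputNullable() { return false; }
}

public class RequiredCheckDemo {
    public static void main(String[] args) {
        TextFieldModel email = new TextFieldModel("email", true);
        Map<String, String> emptyValue = new HashMap<>();
        emptyValue.put("email", "");                        // constructed: field submitted with an empty value
        Map<String, String> missingParam = new HashMap<>(); // constructed: field parameter not in the submit at all
        System.out.println("legacy, empty value   : " + email.checkRequiredLegacy(emptyValue));
        System.out.println("legacy, missing param : " + email.checkRequiredLegacy(missingParam));
        System.out.println("fixed,  missing param : " + email.checkRequiredFixed(missingParam));
        System.out.println("fixed,  disabled field: " + new TextFieldModel("email", false).checkRequiredFixed(missingParam));
    }
}
```

Compile and run as RequiredCheckDemo.java; the legacy check accepts the request with the parameter absent while rejecting the empty value, and the fixed check accepts the absent parameter only for the disabled component.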

Attachments

    1. WICKET-2397-isnullable-enabled.patch (0.7 kB, Jörn Zaefferer)
    2. nullable-test.zip (5 kB, Jörn Zaefferer)

People

    Assignee: Igor Vaynberg (ivaynberg)
    Reporter: Jörn Zaefferer (joern.zaefferer)
    Votes: 0
    Watchers: 2