[WICKET-2801] User input can inject property model expressions using StringResourceModel - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Invalid
Affects Version/s: 1.4.7
Fix Version/s: None
Component/s: wicket
Labels:
None

Description

Applications that use StringResourceModel to render localized strings using a model and value arguments are subject to a security issue which allows users to perform property model expressions on the given model.

For instance, the following statement:

new StringResourceModel( "key", userModel, new Object[]

{ input.getModelObject() }

)

Would expand property model expressions from input's object against userModel's object, effectively allowing users to access unintended data from userModel's object.

Consider the localization data:
key=User ${name} said:

{0}

The user input:
input.getModelObject() = "My password is ${pass}."

The StringResourceModel's object would yield a string like:
User lhunath said: My password is secret

Find attached test case which illustrates this problem using WicketTester.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

WICKET-2801-1.tbz2
25/Mar/10 20:24
2 kB
Maarten Billemont

Activity

People

Assignee:: Igor Vaynberg

Reporter:: Maarten Billemont

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 25/Mar/10 20:21

Updated:: 27/Mar/10 04:19

Resolved:: 26/Mar/10 04:02