Details
- Bug
- Status: Resolved
- Critical
- Resolution: Invalid
- 1.4.7
- None
- None
Description
Applications that use StringResourceModel to render localized strings with a model and value arguments are subject to a security issue: the value arguments are themselves treated as property model expressions and evaluated against the given model.
For instance, the following statement:
new StringResourceModel("key", userModel, new Object[] { input.getModelObject() })
would expand property model expressions contained in input's object against userModel's object, effectively allowing users to read unintended data from userModel's object.
Consider the localization data:
key=User ${name} said:
The user input:
input.getModelObject() = "My password is ${pass}."
The StringResourceModel's object would yield a string like:
User lhunath said: My password is secret
The attached test case illustrates this problem using WicketTester.
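The behaviour described above comes down to the order in which a resource string and its value arguments are interpolated. The following added example (not code from the report or from Wicket) models that in plain Python: a toy ${property} interpolator, a rendering function that mirrors the reported behaviour by interpolating the value arguments against the model as well, and a hardened variant that interpolates only the trusted resource string and inserts arguments as opaque text. The user data, the resource entry (with a MessageFormat-style `{0}` slot added so the argument has a place to land) and the simple-name-only expression syntax are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample data standing in for userModel's object and the localization entry.
USER = {"name": "lhunath", "pass": "secret"}
RESOURCE = "User ${name} said: {0}"          # constructed: "{0}" is the value-argument slot
UNTRUSTED_INPUT = "My password is ${pass}."  # the value a user typed into the input field

# Toy property expression syntax: ${simpleName}. Real property expressions are richer
# (nested paths, indexes); this is enough to show the ordering problem.
_EXPR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def interpolate(template, model):
    """Replace each ${prop} in template with model[prop]; unknown names are left as-is."""
    return _EXPR.sub(lambda m: str(model.get(m.group(1), m.group(0))), template)


def render_unsafe(resource, model, params):
    """Mirrors the reported behaviour: every value argument is interpolated against
    the model before being substituted, so user-supplied ${...} is evaluated."""
    expanded = [interpolate(str(p), model) for p in params]
    return interpolate(resource, model).format(*expanded)


def render_safe(resource, model, params):
    """Hardened variant: only the trusted resource string is interpolated; value
    arguments are inserted verbatim and never evaluated."""
    return interpolate(resource, model).format(*[str(p) for p in params])


def contains_expression(value):
    """Detection helper: flag values that carry expression syntax, e.g. for logging
    or rejecting input that should never reach an interpolating renderer."""
    return bool(_EXPR.search(str(value)))


if __name__ == "__main__":
    print("unsafe :", render_unsafe(RESOURCE, USER, [UNTRUSTED_INPUT]))
    print("safe   :", render_safe(RESOURCE, USER, [UNTRUSTED_INPUT]))
    print("flagged:", contains_expression(UNTRUSTED_INPUT))
```

Running it shows the difference the report describes: the unsafe ordering turns the argument into "My password is secret.", while the safe ordering keeps "${pass}" as literal text. The contains_expression check is the kind of guard a reviewer would place at the input boundary while a rendering fix is pending.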