Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 1.4.15, 1.4.16, 1.4.17
- Environment: Wicket 1.4.x/Spring/Jetty 6
Description
We were testing a signin mechanism and entered a huge number of characters (more than 200.000) into the "username" and "password" fields of a form. This results in an IllegalStateException thrown by Jetty, which is OK from my point of view. The problem is that the full exception stack trace (!!!) is shown to the client => the execution leaves the scope of the Wicket framework, which can't handle the exception correctly. Error page and stack trace for Jetty 6 and Wicket 1.4.15:
HTTP ERROR 500
Problem accessing /login/wicket:interface/:0:loginPanel:signInForm::IFormSubmitListener::. Reason:
Form too large3791446>200000
Caused by:
java.lang.IllegalStateException: Form too large3791446>200000
at org.mortbay.jetty.Request.extractParameters(Request.java:1561)
at org.mortbay.jetty.Request.getParameter(Request.java:859)
at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:83)
at org.apache.wicket.protocol.http.WebApplication.newWebRequest(WebApplication.java:675)
at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:424)
at org.apache.wicket.protocol.http.WicketServlet.doPost(WicketServlet.java:160)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
at
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
at org.mortbay.jetty.Server.handle(Server.java:326)
at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:713)
at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
We suggest an easy fix: catch the IllegalStateException in line 83 of org.apache.wicket.protocol.http.servlet.ServletWebRequest and just log an error (please check whether it really has to be logged as an error). In effect no ajax header will be read and Wicket's Internal Error page will be shown:
Possible solution in Wicket 1.4.15, 1.4.17 (didn't check 1.4.16), ServletWebRequest, line 83:
try
{
    // the existing line 83 statement that reads the "wicket:ajax" request parameter
}
catch (IllegalStateException exception)
{
    log.error("IllegalStateException occurred reading \"wicket:ajax\"-Parameter: " + exception.getMessage());
}
Please consider checking Wicket 1.5. I just checked ServletWebRequest, which apparently has been refactored. Line 214 (Enumeration<String> e = httpServletRequest.getHeaders(name)) may be critical, as well as the methods protected Map<String, List<StringValue>> generatePostParameters() and getQueryParameters(). I couldn't check that by now. Please let me know if you want me to analyze that error more intensively and suggest a fix for Wicket 1.5. We consider this bug "Major" or "Critical", as the whole Servlet Container stack trace is potentially displayed.