Wicket
WICKET-4275

URL parameters containing a single quote are incorrectly escaped

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4.19
    • Fix Version/s: 1.4.20
    • Component/s: wicket

      Description

      URL parameters containing a single quote are incorrectly escaped as e.g. "Joe\'s+Garage". RFC 2396 doesn't prescribe this escaping, the resulting URL contains an unescaped backslash character (thus making it invalid), and Wicket doesn't undo this escaping when such parameters are parsed.

        Activity

        Gereon Steffens added a comment -

        quickstart to illustrate the escaping problem

        Emond Papegaaij added a comment -

        This bug does not affect Wicket 1.5 and 6.0.

        Martin Grigorov added a comment -

        I replaced the old fix for the CVE with one that removes \0000 and everything after it in the urls.
        \0000 is an indication that someone tries to do something nasty.
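The two technical points on this page, the backslash "escaping" of a single quote that the description reports and the NUL-truncation behaviour the last comment describes, as one added Java illustration. This is not Wicket's code: `buggyEscape` is a hypothetical reconstruction of the reported output built on `java.net.URLEncoder`, and applying the NUL check to the already-decoded parameter value is an assumption made here about where such a check would sit.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;

/**
 * Added illustration for WICKET-4275 (not Wicket's own code).
 * It contrasts the reported backslash "escaping" of a single quote with
 * RFC-conformant percent-encoding, and shows the NUL-truncation step
 * described in the last comment of the issue.
 */
public class UrlParamEscaping {

    /**
     * Hypothetical reconstruction of the reported behaviour: the value is
     * form-encoded (space becomes "+") but the single quote is then turned
     * into a raw backslash-quote pair. RFC 2396 does not define backslash
     * as an escape character, so the backslash is an unescaped, disallowed
     * character in the resulting URL.
     */
    static String buggyEscape(String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, "UTF-8").replace("%27", "\\'");
    }

    /** Conformant encoding: every non-unreserved character, the quote included, becomes %XX. */
    static String encodeParam(String value) throws UnsupportedEncodingException {
        return URLEncoder.encode(value, "UTF-8");
    }

    /**
     * Standard decoding only undoes "+" and "%XX"; a backslash passes through
     * untouched, which is why the buggy form is not reversed when parsed.
     */
    static String decodeParam(String value) throws UnsupportedEncodingException {
        return URLDecoder.decode(value, "UTF-8");
    }

    /**
     * The behaviour the last comment describes: a NUL (U+0000) in the URL is
     * treated as hostile, and it and everything after it are discarded.
     * Running this on the decoded value, so that a "%00" is caught as well,
     * is an assumption made for this example.
     */
    static String truncateAtNul(String decoded) {
        int nul = decoded.indexOf('\0');
        return nul < 0 ? decoded : decoded.substring(0, nul);
    }

    public static void main(String[] args) throws UnsupportedEncodingException {
        String raw = "Joe's Garage";            // constructed sample parameter value
        String buggy = buggyEscape(raw);
        String good = encodeParam(raw);

        System.out.println("buggy encoding : " + buggy);
        System.out.println("  decodes to   : " + decodeParam(buggy)); // backslash survives decoding
        System.out.println("good encoding  : " + good);
        System.out.println("  decodes to   : " + decodeParam(good));  // round-trips to the original

        String hostile = "name=Joe%00<script>";  // constructed: encoded NUL followed by junk
        String value = decodeParam(hostile.substring("name=".length()));
        System.out.println("after NUL check: " + truncateAtNul(value));
    }
}
```

Compile and run with `javac UrlParamEscaping.java && java UrlParamEscaping`. The first pair of lines shows why the report calls the URL invalid: the backslash is emitted raw and comes back out of the decoder unchanged, so the application sees a value the user never typed. The second pair shows that encoding the quote as `%27` needs no special handling at all, which is the point of the fix. The last line shows the replacement check the comment describes: anything from the NUL onward is dropped rather than passed on to the page.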

          People

          • Assignee: Martin Grigorov
          • Reporter: Gereon Steffens
          • Votes: 0
          • Watchers: 1
