Wicket
  1. Wicket
  2. WICKET-4398

Any empty url-parameter will make wicket 1.5 crash

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 1.5.3
    • Fix Version/s: 1.5.5, 6.0.0-beta1
    • Component/s: wicket
    • Labels:
      None

      Description

      Adding an empty parameter to the query string will make wicket crash.

      http://www.example.com/?oneParam&

      How to reproduce in test:

      PageParameters params = new PageParameters();
      params.set("","");
      params.getAllNamed();

      Cause:
      Wicket accepts empty parameters, but when encoding the url for a rendered page it will call params.getAllNamed().

      params.getAllNamed() instantiates new NamedPairs, which calls Args.notEmpty() on the key during instantiation, causing the application to crash.

      The NamedPair constructor should probably allow empty string as a key, and call Args.notNull() on the key in stead.

      1. WICKET-4398.patch
        0.6 kB
        Christoph Leiter
      2. WICKET-4398-2.patch
        0.7 kB
        Christoph Leiter

        Activity

        Hide
        Michael Riedel added a comment -

        Thanks for the fix. This issue has been bugging us, since we have 3rd-party websites linking to our Wicket pages, and they insist to send along a trailing & in the query string.

        Show
        Michael Riedel added a comment - Thanks for the fix. This issue has been bugging us, since we have 3rd-party websites linking to our Wicket pages, and they insist to send along a trailing & in the query string.
        Hide
        Martin Grigorov added a comment -

        Improved 1.5.x! Git merge failed me.
        Thanks, Christoph!

        Show
        Martin Grigorov added a comment - Improved 1.5.x! Git merge failed me. Thanks, Christoph!
        Hide
        Christoph Leiter added a comment -

        The committed fix doesn't solve the problem completely. A request to /?a&+ or /?a&%20 triggers the same exception.

        Show
        Christoph Leiter added a comment - The committed fix doesn't solve the problem completely. A request to /?a&+ or /?a&%20 triggers the same exception.
        Hide
        Christoph Leiter added a comment -

        There's a unit test which checks that empty URL parameters are parsed. After talking with Martin I add a trivial new patch that simply allows empty parameters.

        Show
        Christoph Leiter added a comment - There's a unit test which checks that empty URL parameters are parsed. After talking with Martin I add a trivial new patch that simply allows empty parameters.
        Hide
        Christoph Leiter added a comment -

        Problem seems to be in Url class which allows empty parameters. Adding patch.

        Show
        Christoph Leiter added a comment - Problem seems to be in Url class which allows empty parameters. Adding patch.
        Hide
        Martin Grigorov added a comment -

        Can you please either create a unit test/quickstart app or paste the exception ?
        Empty parameter name should not be allowed. Empty value is OK.

        Show
        Martin Grigorov added a comment - Can you please either create a unit test/quickstart app or paste the exception ? Empty parameter name should not be allowed. Empty value is OK.

          People

          • Assignee:
            Martin Grigorov
            Reporter:
            Johannes Odland
          • Votes:
            1 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development