Wicket / WICKET-6144

Wicket-ajax parameter / header may be used to bypass proper exception handling


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 7.2.0, 8.0.0-M1, 6.22.0
    • Fix Version/s: 7.3.0, 8.0.0-M1, 6.23.0
    • Component/s: wicket
    • Labels:
      None

      Description

      WebRequest.isAjax() throws an exception if any value that cannot be properly decoded into a Boolean is used either for the "wicket-ajax" request parameter or the "Wicket-Ajax" request header.

      Example: http://localhost:8080/wicketapp/?wicket-ajax=sdfgs results in

      org.apache.wicket.util.string.StringValueConversionException: Boolean value "sdfgs" not recognized
      	at org.apache.wicket.util.string.Strings.isTrue(Strings.java:623)
      	at org.apache.wicket.request.http.WebRequest.isAjax(WebRequest.java:117)
      	at org.apache.wicket.markup.html.WebPage.dirty(WebPage.java:327)
      	at org.apache.wicket.Page.dirty(Page.java:248)
      	at org.apache.wicket.Page.componentStateChanging(Page.java:937)
      	at org.apache.wicket.Component.addStateChange(Component.java:3512)
      	at org.apache.wicket.Behaviors.add(Behaviors.java:55)
      	at org.apache.wicket.Component.add(Component.java:4506)
      

      WebRequest.isAjax() is called for dirty-flag handling when a component is added to a page. So any useful Wicket page triggers a call to this method, which is also true for most error handling pages that get initialized during exception handling, e.g. in RequestCycleListener.onException().

      So, using a very simple attack URL may bypass the intended wicket exception handling code.

      A possible fix in WebRequest:

      public boolean isAjax()
      {
      	return Strings.isTrue(getHeader(HEADER_AJAX)) || Strings.isTrue(getRequestParameters().getParameterValue(PARAM_AJAX).toString());
      }
      

      becomes

      public boolean isAjax()
      {
        try {
          return Strings.isTrue(getHeader(HEADER_AJAX)) || Strings.isTrue(getRequestParameters().getParameterValue(PARAM_AJAX).toString());
        } catch (Exception e) {
          // add some logging here!
          return false;
        }
      }
      
      
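The failure mode above, as an added self-contained example that is not Wicket's own code: a strict boolean parser modelled on the Strings.isTrue() contract the report describes (the accepted spellings, the Request record, the handle() request-cycle simulation and the ConversionException class are assumptions of this example, not Wicket APIs), a lenient variant that falls back to false the way the proposed fix does, and a simulated request cycle in which the error page consults isAjax() while it is being built. With the strict parser, the attacker-chosen "sdfgs" value turns the intended error page into a second, unhandled exception; with the lenient parser the error page renders.

```java
import java.util.Locale;
import java.util.Map;
import java.util.function.Function;

// Added example, not Wicket's own code. Models the Strings.isTrue() contract
// described in the report; the recognised spellings below are an assumption.
public class AjaxFlagDemo {

    /** Stands in for org.apache.wicket.util.string.StringValueConversionException. */
    static class ConversionException extends RuntimeException {
        ConversionException(String msg) { super(msg); }
    }

    /** Strict parse: recognised boolean spellings only, anything else throws. */
    static boolean strictIsTrue(String s) {
        if (s == null) return false;
        switch (s.trim().toLowerCase(Locale.ROOT)) {
            case "true": case "on": case "yes": case "y": case "1": return true;
            case "false": case "off": case "no": case "n": case "0": return false;
            default: throw new ConversionException("Boolean value \"" + s + "\" not recognized");
        }
    }

    /** Lenient parse: unrecognised, attacker-controlled input means "not an Ajax request". */
    static boolean lenientIsTrue(String s) {
        try {
            return strictIsTrue(s);
        } catch (ConversionException e) {
            // Log and fall back instead of letting request input abort error handling.
            System.err.println("ignoring bad boolean: " + e.getMessage());
            return false;
        }
    }

    /** Minimal request model (constructed): header and query parameter are both client-controlled. */
    record Request(Map<String, String> headers, Map<String, String> params) {
        boolean isAjax(Function<String, Boolean> parse) {
            return parse.apply(headers.get("Wicket-Ajax"))
                || parse.apply(params.get("wicket-ajax"));
        }
    }

    /**
     * Simulated request cycle: the page fails, the exception listener builds an
     * error page, and the error page calls isAjax() while initialising (the
     * dirty-flag path from the stack trace). Returns what the client ends up with.
     */
    static String handle(Request req, Function<String, Boolean> parse) {
        try {
            throw new IllegalStateException("page failed");          // the original error
        } catch (IllegalStateException pageError) {
            try {
                boolean ajax = req.isAjax(parse);                      // error page's dirty() path
                return ajax ? "ajax error fragment" : "full error page";
            } catch (ConversionException e) {
                return "container 500: " + e.getMessage();            // intended handling bypassed
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the report's attack URL and an ordinary Ajax request.
        Request attack = new Request(Map.of(), Map.of("wicket-ajax", "sdfgs"));
        Request normal = new Request(Map.of("Wicket-Ajax", "true"), Map.of());
        System.out.println(handle(attack, AjaxFlagDemo::strictIsTrue));
        System.out.println(handle(attack, AjaxFlagDemo::lenientIsTrue));
        System.out.println(handle(normal, AjaxFlagDemo::lenientIsTrue));
    }
}
```

The design point is that isAjax() is evaluated on a code path that must not fail: anything a client can put in a header or query string has to be treated as untrusted input there, so the parser's "unrecognised" case must degrade to a default rather than propagate. The same check should be applied to every other request-derived value read during exception handling.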

        People

          • Assignee: Sven Meier (svenmeier)
          • Reporter: Christian Oldiges (coldiges)