[ https://issues.apache.org/jira/browse/WICKET-2801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12850175#action_12850175 ]
Maarten Billemont commented on WICKET-2801:
-------------------------------------------

I beg to differ; currently MessageFormat is being abused for something it is not intended for under the veil of uninformed "intent" of StringResourceModel. Contrary to what you say, arguments to a format string are not application code; they should not contain any sort of syntax whatsoever. Review MessageFormat's documentation for a description of its purpose, which is clearly targeted at generating a string based off of a format string and data arguments that is to be displayed to the end-user.

I am very well aware that StringResourceModel *currently* considers its arguments as "application code" in the sense that it considers their contents to be of the same context as that of the localization value. My argument is against the sanity behind making that decision. I am yet to learn of any argument *for* the way things are now, and I have given you plenty against - which I have not seen you dispute. That alone should be enough to revert this bug to an Open state unless you can provide solid arguments as to why my impression of format arguments is so very wrong.

As for Igor's take on things, you seem to be missing the context of it all. Contrary to what you say, my request is very much to NOT escape user data in any form while it resides within the application. Escaping of data is not something that should be done by a developer as he introduces his data into a certain context - rather that context should be fit to take the data the developer offers him without allowing it to be evaluated as application code *by doing any necessary escaping itself, in ITS context and syntax*. Similarly, "escaping single quotes in case you decide to build an SQL statement" is a fine example of introducing a form of "escaping" in application data without even having it in the context of what the escaping is intended for.
That's quite ridiculous, as you make it out to be, and just as much beside the issue. No, StringResourceModel should NOT allow or feature code injection, because the very purpose of format strings is to cleanly and safely introduce arguments into application code, rather than inject them into it.

> User input can inject property model expressions using StringResourceModel
> --------------------------------------------------------------------------
>
> Key: WICKET-2801
> URL: https://issues.apache.org/jira/browse/WICKET-2801
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.7
> Reporter: Maarten Billemont
> Assignee: Igor Vaynberg
> Priority: Critical
> Attachments: WICKET-2801-1.tbz2
>
>
> Applications that use StringResourceModel to render localized strings using a
> model and value arguments are subject to a security issue which allows users
> to perform property model expressions on the given model.
> For instance, the following statement:
>
> new StringResourceModel( "key", userModel, new Object[] {
> input.getModelObject() } )
>
> Would expand property model expressions from input's object against
> userModel's object, effectively allowing users to access unintended data from
> userModel's object.
> Consider the localization data:
>
> key=User ${name} said: {0}
>
> The user input:
>
> input.getModelObject() = "My password is ${pass}."
>
> The StringResourceModel's object would yield a string like:
>
> User lhunath said: My password is secret
>
> Find attached test case which illustrates this problem using WicketTester.
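The behaviour the quoted report describes, as an added illustration that is not Wicket's code nor code from this thread: a constructed stand-in in which a String argument is interpolated against the model object before MessageFormat runs, beside the ordering that treats arguments as opaque data. The Map standing in for the model object, the ResourceInterpolationDemo class and its method names are assumptions; the localized value and the user input are taken from the report.

```java
import java.text.MessageFormat;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Constructed stand-in for the behaviour the report describes: a localized
// value with ${property} expressions and {0} argument placeholders, expanded
// against a model object (a Map here instead of a Wicket IModel).
public class ResourceInterpolationDemo {
    private static final Pattern PROPERTY = Pattern.compile("\\$\\{([^}]+)\\}");

    // Expand every ${name} in text against the model; unknown names expand to "".
    static String interpolateProperties(String text, Map<String, String> model) {
        Matcher m = PROPERTY.matcher(text);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = model.getOrDefault(m.group(1), "");
            m.appendReplacement(out, Matcher.quoteReplacement(value));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Vulnerable ordering: String arguments are themselves interpolated against
    // the model before MessageFormat runs, so ${pass} inside user input resolves.
    static String vulnerable(String value, Map<String, String> model, Object... args) {
        Object[] resolved = new Object[args.length];
        for (int i = 0; i < args.length; i++) {
            resolved[i] = args[i] instanceof String
                ? interpolateProperties((String) args[i], model) : args[i];
        }
        return MessageFormat.format(interpolateProperties(value, model), resolved);
    }

    // Hardened ordering: only the trusted localized value is interpolated;
    // arguments reach MessageFormat as opaque data and ${pass} stays a literal.
    static String hardened(String value, Map<String, String> model, Object... args) {
        return MessageFormat.format(interpolateProperties(value, model), args);
    }

    public static void main(String[] argv) {
        Map<String, String> userModel = Map.of("name", "lhunath", "pass", "secret");
        String value = "User ${name} said: {0}";       // localization data from the report
        String input = "My password is ${pass}.";      // constructed untrusted input
        System.out.println(vulnerable(value, userModel, input));
        System.out.println(hardened(value, userModel, input));
    }
}
```

The first line printed reveals the model's pass property through the argument, the second leaves the user's `${pass}` text untouched, which is the distinction between data and format syntax the comment above argues for.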