[ https://issues.apache.org/jira/browse/WICKET-2801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12850175#action_12850175 ]

Maarten Billemont commented on WICKET-2801:
-------------------------------------------

I beg to differ, currently MessageFormat is being abused for something it is 
not intended for under the veil of uninformed "intent" of StringResourceModel.

Contrary to what you say, arguments to a format string are not application 
code; they should not contain any sort of syntax whatsoever.  Review 
MessageFormat's documentation for a description of its purpose which is clearly 
targeted at generating a string based off of a format string and data arguments 
that is to be displayed to the end-user.

I am very well aware that StringResourceModel *currently* considers its 
arguments as "application code" in the sense that it considers their contents 
to be of the same context as that of the localization value.  My argument is 
against the sanity behind making that decision.  I am yet to learn of any 
argument *for* the way things are now, and I have given you plenty against - 
which I have not seen you dispute.  That alone should be enough to revert this 
bug to an Open state unless you can provide solid arguments as to why my 
impression of format arguments is so very wrong.

As for Igor's take on things, you seem to be missing the context of it all.  
Contrary to what you say, my request is very much to NOT escape user data in 
any form while it resides within the application.  Escaping of data is not 
something that should be done by a developer as he introduces his data into a 
certain context - rather that context should be fit to take the data the 
developer offers him without allowing it to be evaluated as application code 
*by doing any necessary escaping itself, in ITS context and syntax*.
Similarly, "escaping single quotes in case you decide to build an SQL 
statement" is a fine example of introducing a form of "escaping" in application 
data without even having it in the context of what the escaping is intended 
for.  That's quite ridiculous, as you make it out to be, and just as much 
beside the issue.

No, StringResourceModel should NOT allow or feature code injection, because the 
very purpose of format strings is to cleanly and safely introduce arguments 
into application code, rather than inject them into it.

> User input can inject property model expressions using StringResourceModel
> --------------------------------------------------------------------------
>
>                 Key: WICKET-2801
>                 URL: https://issues.apache.org/jira/browse/WICKET-2801
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket
>    Affects Versions: 1.4.7
>            Reporter: Maarten Billemont
>            Assignee: Igor Vaynberg
>            Priority: Critical
>         Attachments: WICKET-2801-1.tbz2
>
>
> Applications that use StringResourceModel to render localized strings using a 
> model and value arguments are subject to a security issue which allows users 
> to perform property model expressions on the given model.
> For instance, the following statement:
> new StringResourceModel( "key", userModel, new Object[] { input.getModelObject() } )
> Would expand property model expressions from input's object against 
> userModel's object, effectively allowing users to access unintended data from 
> userModel's object.
> Consider the localization data:
> key=User ${name} said: {0}
> The user input:
> input.getModelObject() = "My password is ${pass}."
> The StringResourceModel's object would yield a string like:
> User lhunath said: My password is secret
> Find attached test case which illustrates this problem using WicketTester.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

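The interpolation order the report describes, reproduced as an added Python simulation. This is not Wicket's StringResourceModel or any code from the project or the commenters; the `${...}` resolver, the `{n}` substitution, the sample model and the two `render_*` functions are constructed stand-ins that only model the ordering problem under discussion.

```python
import re
from typing import Any, Mapping, Sequence

# Constructed stand-in for userModel's object in the report (not Wicket data).
USER_MODEL = {"name": "lhunath", "pass": "secret"}

PROPERTY_EXPR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}")
FORMAT_ARG = re.compile(r"\{(\d+)\}")
# One alternation so a single pass recognises both token kinds.
ANY_TOKEN = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_.]*)\}|\{(\d+)\}")


def lookup(model: Mapping[str, Any], expr: str) -> str:
    """Toy property-expression evaluator: a dotted path walked through nested mappings."""
    value: Any = model
    for part in expr.split("."):
        value = value[part]          # KeyError for an unresolvable expression
    return str(value)


def resolve_property_expressions(text: str, model: Mapping[str, Any]) -> str:
    """Expand every ${expr} in text against the model."""
    return PROPERTY_EXPR.sub(lambda m: lookup(model, m.group(1)), text)


def format_arguments(pattern: str, args: Sequence[Any]) -> str:
    """Minimal MessageFormat-style {n} substitution (no quoting, no subformats)."""
    return FORMAT_ARG.sub(lambda m: str(args[int(m.group(1))]), pattern)


def render_vulnerable(localized: str, model: Mapping[str, Any], args: Sequence[Any]) -> str:
    """Order described in the report: arguments are inserted first, then the
    combined string is evaluated as a property-expression template, so any
    ${...} an argument carries is resolved against the model."""
    return resolve_property_expressions(format_arguments(localized, args), model)


def render_fixed(localized: str, model: Mapping[str, Any], args: Sequence[Any]) -> str:
    """Single pass over the localization value only: each token is replaced by
    its value and replaced text is never rescanned, so neither arguments nor
    model values can introduce ${...} or {n} syntax into the result."""
    def substitute(m: "re.Match[str]") -> str:
        if m.group(1) is not None:
            return lookup(model, m.group(1))
        return str(args[int(m.group(2))])
    return ANY_TOKEN.sub(substitute, localized)


if __name__ == "__main__":
    key = "User ${name} said: {0}"           # localization value from the report
    user_input = "My password is ${pass}."   # attacker-controlled argument
    print(render_vulnerable(key, USER_MODEL, [user_input]))
    print(render_fixed(key, USER_MODEL, [user_input]))
```

The single-pass variant is the shape of the point the comment makes: the template syntax is resolved by the context that owns it, and values entering that context (arguments and model values alike) are inserted as data, so the caller never has to pre-escape. Note that the real java.text.MessageFormat also gives single quotes and braces meaning inside a pattern, so a Java implementation that expands property expressions into the pattern before calling MessageFormat would additionally have to quote the expanded values in MessageFormat's own syntax.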