Updated Branches: refs/heads/wicket-1.4.x 6fec67349 -> d841a285b
WICKET-4275 URL parameters containing a single quote are incorrectly escaped
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/d841a285
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/d841a285
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/d841a285
Branch: refs/heads/wicket-1.4.x
Commit: d841a285b21bef9ba8f8bacead7bda862465df8d
Parents: 6fec673
Author: martin-g <[email protected]>
Authored: Wed Jan 11 18:08:15 2012 +0200
Committer: martin-g <[email protected]>
Committed: Wed Jan 11 18:08:15 2012 +0200
----------------------------------------------------------------------
.../main/java/org/apache/wicket/RequestCycle.java | 31 ++++++++++++++-
1 files changed, 29 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/d841a285/wicket/src/main/java/org/apache/wicket/RequestCycle.java
----------------------------------------------------------------------
diff --git a/wicket/src/main/java/org/apache/wicket/RequestCycle.java b/wicket/src/main/java/org/apache/wicket/RequestCycle.java
index 8a01a22..6a301f8 100644
--- a/wicket/src/main/java/org/apache/wicket/RequestCycle.java
+++ b/wicket/src/main/java/org/apache/wicket/RequestCycle.java
@@ -44,7 +44,6 @@ import org.apache.wicket.request.target.component.listener.ListenerInterfaceRequ
 import org.apache.wicket.request.target.resource.SharedResourceRequestTarget;
 import org.apache.wicket.util.collections.ArrayListStack;
 import org.apache.wicket.util.string.AppendingStringBuffer;
-import org.apache.wicket.util.string.JavascriptUtils;
 import org.apache.wicket.util.string.Strings;
 import org.apache.wicket.util.time.Time;
 import org.apache.wicket.util.value.ValueMap;
@@ -810,12 +809,40 @@ public abstract class RequestCycle
 private final CharSequence encodeUrlFor(final IRequestTarget requestTarget)
 {
 CharSequence url = getProcessor().getRequestCodingStrategy().encode(this, requestTarget);
- url = JavascriptUtils.escapeQuotes(url);
+ url = cutNilChar(url);
 urlForNewWindowEncoding = false;
 return url;
 }
 
 /**
+ * Removes any occurrence of \u0000 char and everything after it.
+ *
+ * @param input
+ * the CharSequence to process
+ * @return
+ * a CharSequence without \u0000 in it
+ */
+ // WICKET-4275, CVE-2011-2712
+ private CharSequence cutNilChar(CharSequence input)
+ {
+ StringBuilder result = new StringBuilder();
+ int length = input.length();
+ for (int i = 0; i < length; i++)
+ {
+ char c = input.charAt(i);
+ if (c == '\u0000')
+ {
+ break;
+ }
+ else {
+ result.append(c);
+ }
+ }
+
+ return result;
+ }
+
+ /**
 * Returns a bookmarkable URL that references a given page class using a given set of page
 * parameters. Since the URL which is returned contains all information necessary to instantiate
 * and render the page, it can be stored in a user's browser as a stable bookmark.
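Review bot: `encodeUrlFor` was the single choke point where the encoded URL was quote-escaped before reaching callers, and after this hunk it is not escaped at all, so any call site that embeds the result in a JavaScript string literal now has to escape it itself; the method deserves a Javadoc line saying so, e.g. `* The returned URL is not escaped for embedding in JavaScript string literals; callers that do so must escape it themselves.` In `cutNilChar` the `else {` brace is on the wrong line for this file's brace style and the `else` is redundant after `break`; the whole loop can be replaced by `int nul = input.toString().indexOf('\u0000'); return nul < 0 ? input : input.subSequence(0, nul);`, which also avoids copying the URL in the common no-NUL case and hands back the original CharSequence instead of a new mutable StringBuilder. If `encode(...)` may return null, `input.length()` throws a NullPointerException here, which is worth confirming against the coding strategy. The Javadoc block that starts at the hunk's last `+ /**` belongs to a method that lies outside the hunk.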
