[WICKET-5944] CSRF prevention does not work with https URLs on the default port - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 6.20.0
Fix Version/s: 7.0.0, 6.21.0
Component/s: wicket
Labels:
None

Description

If your URL is https on the default port (so no :443 on the end), then the CSRF prevention (~~WICKET-5919~~) rejects requests with the Origin header supplied.

In CsrfPreventionRequestCycleListener, line 519 looks like this

if (port != -1 && "http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443)

So the port != -1 test binds only to the "http" half of the or statement, and the if block executes, which appends ":-1" to the end of the "https" URL. I think it should instead say

if (port != -1 && ("http".equals(scheme) && port != 80 || "https".equals(scheme) && port != 443))

Attachments

Activity

People

Assignee:: Martijn Dashorst

Reporter:: Alex Grant

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Jul/15 04:24

Updated:: 21/Jul/15 22:33

Resolved:: 08/Jul/15 11:08