Wicket hidden field in forms: exception when a value is injected

Published 2024-09-18 16:47:53, 2947 characters, 3 views, 0 comments

In Wicket, forms get a hidden field. I found on the web that this hidden field is needed for some kind of event handling. (Does anyone know more details?)

I played around with XSS-Me (https://addons.mozilla.org/de/firefox/addon/7598/), a Firefox plugin that tries to find XSS vulnerabilities.
What the addon does is inject some values into that hidden field, and then Wicket throws:
WicketRuntimeException: Attempt to access unknown request listener interface null

Does anyone have an idea how this exception could be prevented, or caught?

mfg bernhard

The full trace is:

ERROR - RequestCycle               - Attempt to access unknown request listener interface null
org.apache.wicket.WicketRuntimeException: Attempt to access unknown request listener interface null
   at org.apache.wicket.markup.html.form.Form.dispatchEvent(Form.java:1327)
   at org.apache.wicket.markup.html.form.Form.onFormSubmitted(Form.java:874)
   at sun.reflect.GeneratedMethodAccessor41.invoke(Unknown Source)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at org.apache.wicket.RequestListenerInterface.invoke(RequestListenerInterface.java:182)
   at org.apache.wicket.request.target.component.listener.ListenerInterfaceRequestTarget.processEvents(ListenerInterfaceRequestTarget.java:73)
   at org.apache.wicket.request.AbstractRequestCycleProcessor.processEvents(AbstractRequestCycleProcessor.java:92)
   at org.apache.wicket.RequestCycle.processEventsAndRespond(RequestCycle.java:1250)
   at org.apache.wicket.RequestCycle.step(RequestCycle.java:1329)
   at org.apache.wicket.RequestCycle.steps(RequestCycle.java:1428)
   at org.apache.wicket.RequestCycle.request(RequestCycle.java:545)
   at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:479)
   at org.apache.wicket.protocol.http.WicketFilter.doFilter(WicketFilter.java:312)
   at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1089)
   at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:365)
   at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
   at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
   at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:712)
   at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:405)
   at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
   at org.mortbay.jetty.Server.handle(Server.java:295)
   at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:503)
   at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:841)
   at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:639)
   at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:210)
   at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:379)
   at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:226)
   at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442) 


Comments (1)

山有枢 2024-09-25 16:47:53

Since Wicket is open source, you can of course understand some of this by looking at the source.

I believe that field is used for Ajax event handling, and is given a value by JavaScript attached to the link as an onclick handler at render time. You can see where this JavaScript is generated by looking at the source of the getTriggerJavaScript method in org.apache.wicket.markup.html.form.SubmitLink, and you can see the resulting markup using Firebug.

Many of the methods in Wicket are final, so you can't override them, and they are marked with Javadoc exhortations not to call them yourself. Particularly in the area of form submission where this field is used, this call happens earlier in the cycle than most of the standard hooks for subclass form handling, so trying to catch the WicketRuntimeException and handle it in a way specific to this field might be difficult.

Catching it and showing a custom error page can of course be done as described on the wiki page on error pages, and this is a good thing to do anyway.
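The security-relevant point here is not the exception itself but what the server does with it: Wicket is rejecting a hidden-field value that does not decode to a listener-interface URL, which is the correct outcome for tampered input, while the ERROR line and full trace above (framework classes, Jetty 6 frames, file names) are what leaks if the exception reaches the client. The following is an added example, not code from the question, the answer or the Wicket project, of the "custom error page" route the answer points at, done at the request-cycle level so the tampered submission is also logged as a security event. It assumes Wicket 1.4 (the ListenerInterfaceRequestTarget and org.mortbay.jetty frames in the trace are consistent with that, but the version is an assumption), and the class names HardenedApplication, HomePage and InternalErrorPage are placeholders, not Wicket API.

```java
package example; // package and class names are assumptions for this example

import org.apache.wicket.Page;
import org.apache.wicket.Request;
import org.apache.wicket.RequestCycle;
import org.apache.wicket.Response;
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.protocol.http.WebApplication;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.apache.wicket.settings.IExceptionSettings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Wicket 1.4 application that treats an undecodable form-dispatch value
 * (the "Attempt to access unknown request listener interface" case) as
 * tampered input: it is logged as a security event and answered with the
 * application's own error page instead of a stack trace.
 */
public class HardenedApplication extends WebApplication {

    private static final Logger log = LoggerFactory.getLogger(HardenedApplication.class);

    // Message prefix thrown by Form.dispatchEvent when the hidden field's value
    // does not decode to a listener-interface URL (taken from the trace above).
    private static final String UNKNOWN_LISTENER =
            "Attempt to access unknown request listener interface";

    @Override
    public Class<? extends Page> getHomePage() {
        return HomePage.class; // assumed page class
    }

    @Override
    protected void init() {
        super.init();
        // Render the internal error page for unexpected exceptions in every
        // configuration mode. DEVELOPMENT mode would otherwise show the full
        // stack trace (class names, container version, file paths) to the client.
        getExceptionSettings().setUnexpectedExceptionDisplay(
                IExceptionSettings.SHOW_INTERNAL_ERROR_PAGE);
        getApplicationSettings().setInternalErrorPage(InternalErrorPage.class); // assumed page class
    }

    @Override
    public RequestCycle newRequestCycle(final Request request, final Response response) {
        return new WebRequestCycle(this, (WebRequest) request, response) {
            @Override
            public Page onRuntimeException(final Page page, final RuntimeException e) {
                if (isTamperedDispatch(e)) {
                    // Log who sent it, not the injected payload, so the log line
                    // itself cannot carry attacker-controlled content into log viewers.
                    String remote = ((WebRequest) request).getHttpServletRequest().getRemoteAddr();
                    log.warn("Rejected tampered form dispatch from {} on page {}",
                            remote, page == null ? "?" : page.getClass().getName());
                    return new InternalErrorPage();
                }
                // Anything else keeps Wicket's default handling (exception settings above).
                return super.onRuntimeException(page, e);
            }
        };
    }

    /** True for the exception Form.dispatchEvent throws on an undecodable hidden-field value. */
    static boolean isTamperedDispatch(RuntimeException e) {
        return e instanceof WicketRuntimeException
                && e.getMessage() != null
                && e.getMessage().startsWith(UNKNOWN_LISTENER);
    }
}
```

To check it, re-run XSS-Me (or submit the form by hand with an arbitrary string in the hidden field): the response should be InternalErrorPage with an HTTP error status and no trace, and the application log should show one WARN line per attempt. Two caveats: the exception still occurs, because it is Wicket's own validation of the dispatch value and suppressing it is not the goal; and the ERROR line at the top of the trace is written by RequestCycle itself before onRuntimeException runs, so it is controlled by the logging configuration for org.apache.wicket.RequestCycle, not by this hook.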
