A couple of years ago I was moderately proficient in Wicket. Today I picked it up again at the latest version, 6.12.0. I'm using it in an embedded Jetty server. I managed to configure everything and get a "Hello World" page working.
But here's the odd thing: the minute I add a form, the entire page disappears! Let's say I have:
<h1>Hello</h1>
<p>blah</p>
<p><label>Upload File:</label> <input wicket:id="fileUpload"
type="file" size="40" /><br /> <input wicket:id="uploadButton"
type="submit" value="Upload" /></p>
That works fine. Then I add:
<h1>Hello</h1>
<p>blah</p>
<form wicket:id="form">...</form>
Suddenly the page is blank! The response code is still 200 OK, but there is no content. Here's what comes back:
Date: Tue, 19 Nov 2013 01:32:48 GMT
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Pragma: no-cache
Cache-Control: no-cache, no-store
Transfer-Encoding: chunked
Server: Jetty(9.1.0.v20131115)
200 OK
Yes, when I add the form, I make sure the components on the form (e.g. the buttons) are now programmatically added to the form instead of the page:
// Components now belong to the form rather than to the page.
final Form<Void> form = new Form<Void>("form");
form.add(new FileUploadField("fileUpload"));
form.add(new Button("uploadButton"));
add(form);
My Jetty configuration had disabled sessions. I didn't see the exception (which was clear about the problem) because I hadn't configured log4j for the project. After changing NO_SESSIONS to SESSIONS, forms seem to work fine:
final ServletContextHandler contextHandler = new ServletContextHandler(ServletContextHandler.SESSIONS);
I have a simple site. It's one html page, and just plain text entries. The HTML is like this...
<div class='box'>
April 15, 2021
Today, I got a cat.
</div>
<div class='box'>
April 16, 2021
Today, I named the cat toby and fed him fish.
</div>
Is there a way to prove through some type of hash, that the entries have been unaltered? Like a way to prove that I never went back and changed one of the entries?
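One way to do what the question asks, as an added example that is not part of the post: hash-chain the entries so that each digest commits to the entry text and to the digest before it. The chain on its own only proves that the entries are consistent with a given head digest; to prove to someone else that nothing was edited after a date, the head has to be published somewhere the author cannot later change (a dated public post, a timestamping service, a commit on a third-party host). The HTML below is constructed from the question's markup.

```python
"""Hash-chained diary entries (added example, not from the question)."""
import hashlib
import re

# Constructed sample page, mirroring the markup in the question.
PAGE = """
<div class='box'>
April 15, 2021
Today, I got a cat.
</div>
<div class='box'>
April 16, 2021
Today, I named the cat toby and fed him fish.
</div>
"""

BOX_RE = re.compile(r"<div class='box'>\s*(.*?)\s*</div>", re.S)


def entries(html):
    """Return the text of each 'box' entry with whitespace normalised."""
    return [" ".join(m.split()) for m in BOX_RE.findall(html)]


def chain(texts):
    """Return one hex digest per entry; each digest links to the previous one,
    so editing an early entry changes every digest that follows it."""
    prev = b"\x00" * 32  # genesis value, fixed by convention
    digests = []
    for t in texts:
        raw = t.encode("utf-8")
        # Length-prefix the text so 'ab'+'c' and 'a'+'bc' cannot collide.
        data = prev + len(raw).to_bytes(4, "big") + raw
        prev = hashlib.sha256(data).digest()
        digests.append(prev.hex())
    return digests


def verify(texts, published_head):
    """True iff the current entries reproduce a previously published head."""
    digests = chain(texts)
    return bool(digests) and digests[-1] == published_head
```

Publish `chain(entries(page))[-1]` each time an entry is added; anyone holding an older head can re-run `verify` over the prefix of entries that existed at that time.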
I have a JSP page that performs a select and then needs to display a lot of data. It can take a minute or so to load. The issue I am having is that if another user tries to access said page, they just get a spinning browser until the first user's page has completed. I was able to duplicate this with the following test page.
The page is:
<%@ page isThreadSafe="false" import="java.util.*" errorPage="error2.jsp" %>
<html>
<head>
<title>Test page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<center>
<%
for (int i = 1;i <= 10000; i++) { %>
line <%=i%> <%=new Date()%><br>
<% for (int j = 1;j <= 900000; j++) {
}
}
%>
</center>
</body>
</html>
When I go to this page in two browsers at the same time, both start to spin; one will start to display the "line 1...." data and the other will continue to spin until the first one displays "line 10000...", and then the second browser will start to display.
The first and last lines of display in the first browser are:
line 1 Wed Jan 16 15:35:25 EST 2019
line 10000 Wed Jan 16 15:35:39 EST 2019
and the first and last lines of display in the second browser are:
line 1 Wed Jan 16 15:35:39 EST 2019
line 10000 Wed Jan 16 15:35:53 EST 2019
I have been able to duplicate this in JBoss 7 and in Wildfly 9. Both in standalone mode.
Is there some setting in standalone.xml that I need to set so that JBoss/Wildfly will produce two or more instances of the same page at the same time?
It looks like it is the "isThreadSafe" page directive attribute. When I change it from false to true, the pages are displayed in multiple browsers concurrently.
In my project a User can create a Customer and assign it zero or more Tags. These entities have a relation with User, of course. This is done by a form that has a tag field of entity type, filtered by the currently logged-in user:
$user = $this->securityContext->getToken()->getUser();
$builder
    ->add('tags', 'meta_selector', array(
        'label' => 'Tag',
        'class' => 'Acme\HelloBundle\Entity\Tag',
        'property' => 'select_label',
        // Only the current user's tags become choices for this field.
        'query_builder' => function(EntityRepository $er) use ($user) {
            $qb = $er->createQueryBuilder('t');
            return $qb
                ->where($qb->expr()->eq('t.user_id', ':user'))
                ->orderBy('t.name')
                ->setParameter('user', $user);
        }
    ))
;
And this is working fine. Looking at the generated HTML, tags are rendered as checkboxes:
<div class="controls">
<label class="checkbox">
<input type="checkbox" value="2" name="customer[tags][2]"
id="customer_tags_2"> A Tag
</label>
<label class="checkbox">
<input type="checkbox" value="3" name="customer[tags][3]"
id="customer_tags_3"> Another Tag
</label>
</div>
I'd like to investigate form tampering further. In particular, making a POST request from a trusted user and adding customer%5Btags%5D%5B1%5D=1, that is, a tag with id equal to 1 which exists but was created by another user. The attacking user is creating a customer with a tag created by another user:
POST http://localhost/Symfony2/web/app_dev.php/app/customers/new HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/Symfony2/web/app_dev.php/app/customers/new
Cookie: PHPSESSID=3avu1a2a1eufthr5tdftuhrnn7; hl=it
Content-Type: application/x-www-form-urlencoded
Content-Length: 276
customer%5Bfirst%5D=fake&customer%5Blast%5D=fake&customer%5Bgender%5D=m&customer%5Bbirthday%5D=&customer%5Bemail%5D=&customer%5Bmobile%5D=&customer%5Baddress%5D=&customer%5Bcountry%5D=IT&customer%5Btags%5D%5B1%5D=1&customer%5B_token%5D=455783fa2f866677669c9034a90554b9f75d68b4
... and it seems there is some sort of control that prevents this. The result is 200 OK (it should be a 302 in case of success) without any error, and the form is rendered again. Of course the entity is not persisted.
The actual question is: how does Symfony 2 protect from this kind of form "tampering" attack? A possible explanation is that it checks that submitted tags exist inside the collection returned by the form builder. But a reference is needed...
EDIT: even with CSRF protection disabled the result is the same. By the way, I was passing a valid token, and CSRF is intended to protect from other types of attacks.
The answer to your question can be explained quite easily. Every choice field (and the entity type is a specialization of the choice type) has a list of choices. For each choice, the field is aware about
the model representation ("choice") of the choice (e.g. a Tag instance)
the view representation ("value") of the choice (e.g. the ID)
the label used in the view (e.g. a property of Tag)
When you submit the form, the choice field looks in this list for the model representation that matches the submitted view representation. If none can be found, the field remains unassigned.
The code for this logic can be found in the class ChoiceList and its descendants, in your case EntityChoiceList. Upon submission, the method getChoicesForValues() is executed which does the lookup and is optimized for speed.
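The lookup the answer describes, modelled in Python as an added example (this is not Symfony's code). The choice list is built from the user-scoped query, and submitted view values (IDs) are resolved only through that list, so an ID that exists in the database but belongs to another user is simply never found. An unguarded "load by primary key" lookup is shown beside it for contrast. The tag data and request body are constructed; `Tag`, `choices_for_user` and the other names are this example's own.

```python
"""Choice-list whitelisting versus trusting a submitted ID (added example)."""
from dataclasses import dataclass
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Tag:
    id: int
    user_id: int
    name: str


# Constructed repository: tag 1 belongs to user 7, tags 2 and 3 to user 9.
TAGS = [Tag(1, 7, "Secret"), Tag(2, 9, "A Tag"), Tag(3, 9, "Another Tag")]


def choices_for_user(user_id):
    """The query_builder step: only the current user's tags form the choice
    list, keyed by their view representation (the ID as a string)."""
    return {str(t.id): t for t in TAGS if t.user_id == user_id}


def choices_for_values(choice_list, submitted_values):
    """Mirror of ChoiceList::getChoicesForValues(): map view values back to
    model objects through the list only; unknown values are dropped."""
    return [choice_list[v] for v in submitted_values if v in choice_list]


def submitted_tag_values(body):
    """Pull the customer[tags][<id>]=<id> values out of a urlencoded body."""
    form = parse_qs(body, keep_blank_values=True)
    return [v for k, vals in form.items()
            if k.startswith("customer[tags][") for v in vals]


def insecure_lookup(submitted_values):
    """What a controller that trusts the ID and loads by primary key does:
    the other user's tag comes back."""
    by_id = {str(t.id): t for t in TAGS}
    return [by_id[v] for v in submitted_values if v in by_id]
```

Running the tampered body from the question through `choices_for_values(choices_for_user(9), ...)` yields only the caller's own tags; the same values through `insecure_lookup` would attach tag 1 to the new customer.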
Wild guess: CSRF protection is enabled and you do not render the errors.
Update: I've found a workaround. If I submit a dummy form field along with the file, it works. Is this a ColdFusion bug, or is there something in the HTTP spec that says forms must contain at least one non-file form field?
Update 2: I'm convinced this is a ColdFusion cfhttp bug. This is based on Leigh's answer and the fact that I used the code below to submit a form with only the file element using javascript, and it works fine:
<form enctype="multipart/form-data" action="<cfoutput>#CGI.PATH_INFO#</cfoutput>" method="POST" name="theForm">
<input name="theFile" type="file" /><br/>
</form>
submit
I'm running into a problem uploading files from a ColdFusion server to another webserver. It seems that cfhttpparam type="file" is indiscriminately appending a newline (carriage return and line feed) to the end of the file. This is breaking binary files. This does not happen when I manually upload the file via form field. I have tried with and without mimetype parameter, and I've tried lying about mimetype with various binary formats (exe, zip, jpg), but nothing has worked. Is there some parameter I'm missing, or is this a bug in ColdFusion? (I'm running on CF 8.0.1.195765 on WinXP.)
Below is test code I'm using, it just uploads the file to the same directory. The manual upload works, but the server-based upload ends up appending a CRLF to the file.
<cfset MyDir = "C:\test" />
<cfset MyFile = "test.zip" />
<cfif IsDefined("Form.TheFile")>
<cffile action="upload" fileField="theFile" destination="#MyDir#" nameConflict="MakeUnique" />
<cfelse>
<cfhttp url="http://#CGI.SERVER_NAME##CGI.SCRIPT_NAME#" method="POST" throwOnError="Yes">
<cfhttpparam type="file" name="theFile" file="#MyDir#\#MyFile#" />
</cfhttp>
</cfif>
<html><body>
<h2>Manual upload</h2>
<form enctype="multipart/form-data" action="<cfoutput>#CGI.PATH_INFO#</cfoutput>" method="POST">
<input name="theFile" type="file" /><br/>
<input type="submit" value="Submit" />
</form>
</body></html>
or is there something in the HTTP spec that says forms must contain at least one non-file form field?
I do not know for certain. But according to these definitions it seems like a POST containing only a file input should be valid. So I suspect the problem may be CFHTTP in ACF.
According to Fiddler the raw content from the cfhttp call in ACF contains an extra new line just before the end boundary (0D 0A in hex view). But under Railo it does not. So I think ACF's cfhttp might be the culprit.
Sample Code:
<cfhttp url="http://127.0.0.1:8888/cfusion/receive.cfm" method="post">
<cfhttpparam name="myFile" type="file" file="c:/test/testFile.zip" mimetype="application/octet-stream" />
</cfhttp>
Results Railo 3.1.2
POST /railo/receive.cfm HTTP/1.1
User-Agent: Railo (CFML Engine)
Host: 127.0.0.1:8888
Content-Length: 382
Content-Type: multipart/form-data; boundary=m_l7PD5xIydR_hQpo8fDxL0Hb7vu_F8DSzwn
--m_l7PD5xIydR_hQpo8fDxL0Hb7vu_F8DSzwn
Content-Disposition: form-data; name="myFile"; filename="testFile.zip"
Content-Type: application/octet-stream; charset=ISO-8859-1
Content-Transfer-Encoding: binary
PK
&�1=�cN'testFile.txtTestingPK
&�1=�cN' testFile.txtPK:1
--m_l7PD5xIydR_hQpo8fDxL0Hb7vu_F8DSzwn--
Results ACF (versions 8 and 9)
POST /cfusion/receive.cfm HTTP/1.1
Host: 127.0.0.1:8888
... other headers removed for brevity ....
Content-type: multipart/form-data; boundary=-----------------------------7d0d117230764
Content-length: 350
-------------------------------7d0d117230764
Content-Disposition: form-data; name="JobFile"; filename="c:\test\testFile.zip"
Content-Type: application/octet-stream
PK
&�1=�cN'testFile.txtTestingPK
&�1=�cN' testFile.txtPK:1
-------------------------------7d0d117230764--
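The difference between the two captures, reproduced as an added example (not ColdFusion or Railo code). Under RFC 2046 the CRLF that precedes a boundary delimiter belongs to the delimiter, not to the part body, so a client that writes its own CRLF after the file bytes and then the delimiter's CRLF hands the server two extra bytes that land in the saved file. `build_body` constructs a single-file body with or without the stray CRLF, and `extract_file` splits strictly on `CRLF--boundary` the way a conforming server does. The boundary string is the one from the ACF capture; the file bytes are constructed.

```python
"""Multipart/form-data: the extra CRLF before the closing boundary (added example)."""

BOUNDARY = b"-----------------------------7d0d117230764"


def build_body(name, filename, data, extra_crlf=False):
    """Build a one-part multipart body; extra_crlf=True reproduces the bug."""
    head = (
        b"--" + BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="' + name
        + b'"; filename="' + filename + b'"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n"
    )
    part = head + data
    if extra_crlf:
        part += b"\r\n"  # the client's own line ending after the file bytes
    # The CRLF here is part of the delimiter, not of the file.
    return part + b"\r\n--" + BOUNDARY + b"--\r\n"


def extract_file(body):
    """Return (headers, payload) of the first part, cutting at CRLF + '--' +
    boundary so the delimiter's CRLF is not counted as file content."""
    first = b"--" + BOUNDARY + b"\r\n"
    if not body.startswith(first):
        raise ValueError("body does not start with the boundary")
    rest = body[len(first):]
    end = rest.find(b"\r\n--" + BOUNDARY)
    if end < 0:
        raise ValueError("no closing delimiter")
    head, _, payload = rest[:end].partition(b"\r\n\r\n")
    headers = dict(line.split(b": ", 1) for line in head.split(b"\r\n"))
    return headers, payload


def has_trailing_crlf_bug(body, expected):
    """True when the received payload is the expected bytes plus one CRLF."""
    _, payload = extract_file(body)
    return payload == expected + b"\r\n"
```

Comparing the two bodies' lengths gives the same two-byte difference visible in Fiddler; on the receiving side, comparing the saved file against a known hash of the original is the quickest way to confirm which client is at fault.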
Maybe Railo 3.1.2 and ColdFusion 9 handle this a bit differently, but your code looks a bit incorrect to me.
Your CGI.PATH_INFO is not applicable here.
While the browser is smart enough to use a path without a hostname, CFHTTP feels better with the full hostname + script path + script name. Note: cgi.SCRIPT_NAME alone worked in CF9; Railo required cgi.SERVER_NAME to be prepended, though I feel this is more correct in general.
That's why a slightly modified version of the code works fine for me. The zip file is uploaded and posted without being corrupted.
Form:
<form enctype="multipart/form-data" action="<cfoutput>#cgi.SCRIPT_NAME#</cfoutput>" method="POST">
<input name="theFile" type="file" /><br/>
<input type="submit" value="Submit" />
</form>
CFHTTP:
<cfhttp url="#cgi.SERVER_NAME##cgi.SCRIPT_NAME#" method="POST" throwOnError="Yes">
<cfhttpparam type="file" name="theFile" file="#MyDir#/#MyFile#" />
</cfhttp>
Hope this helps.
I get the extra line feed and carriage return on file appends too. The problem for me is/was the combination of cfhttp and the cfloop. Once I broke the file creation into 3 parts: Create, cfloop endrow-1, then appending last record.
Seems like a kludgy way to do it, but no extra line feed.
Can an iCal attachment contain HTML in the description property? If so, what are the restrictions?
After doing some research and testing, the answer is a qualified no. Meaning: you could throw it in there, but you shouldn't.
It is not strictly forbidden by the RFC, but DESCRIPTION is not the appropriate property for HTML content.
DESCRIPTION should be the plain text version of your content. The property X-ALT-DESC with a FMTTYPE declaration of text/html is the appropriate property for HTML content.
The following example worked in both Outlook and Gmail/Google Calendar, but does not appear to be supported by Thunderbird (w/ Lightning). (Please forgive the output; it was generated by Outlook.)
X-ALT-DESC;FMTTYPE=text/html:<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//E
N">\n<HTML>\n<HEAD>\n<META NAME="Generator" CONTENT="MS Exchange Server ve
rsion 08.00.0681.000">\n<TITLE></TITLE>\n</HEAD>\n<BODY>\n<!-- Converted f
rom text/rtf format -->\n\n<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG
="en-us"><FONT FACE="Calibri">Is this in HTML?</FONT></SPAN><SPAN LANG="en
-us"></SPAN><SPAN LANG="en-us"></SPAN></P>\n\n<P DIR=LTR><SPAN LANG="en-us
"><FONT FACE="Calibri">Bullets:</FONT></SPAN></P>\n\n<P DIR=LTR><SPAN LANG
="en-us"><FONT FACE="Calibri">1. \; \; \; \; \;</FONT>
</SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-
us"></SPAN><SPAN LANG="en-us"></SPAN><SPAN LANG="en-us"> <FONT FACE="Calib
ri">Test 1</FONT></SPAN></P>\n\n<P DIR=LTR><SPAN LANG="en-us"><FONT FACE="
Calibri">2. \; \; \; \; \;</FONT></SPAN><SPAN LANG="en
-us"> <FONT FACE="Calibri">Test 2</FONT></SPAN><SPAN LANG="en-us"></SPAN><
SPAN LANG="en-us"></SPAN></P>\n\n<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPA
N LANG="en-us"></SPAN><SPAN LANG="en-us"></SPAN></P>\n\n</BODY>\n</HTML>
As with any HTML rendering in an email client, supported tags and styles are limited.
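The two RFC 5545 rules visible in the Outlook output above, as an added example that is not part of the answer: property text is escaped (backslash, semicolon, comma, and newlines as `\n`), and the content line is folded at 75 octets with a CRLF followed by a single space. `fold` counts octets rather than characters, which is what the RFC requires and what a naive character count gets wrong for non-ASCII descriptions. The sample HTML is constructed; `x_alt_desc` and the other names are this example's own.

```python
"""RFC 5545 text escaping and content-line folding (added example)."""


def escape_text(value):
    """Escape per RFC 5545 section 3.3.11; the backslash goes first so the
    other escapes are not double-escaped."""
    return (value.replace("\\", "\\\\")
                 .replace(";", "\\;")
                 .replace(",", "\\,")
                 .replace("\r\n", "\\n")
                 .replace("\n", "\\n"))


def fold(line, limit=75):
    """Fold one content line so no physical line exceeds `limit` octets;
    continuation lines start with a space and never split a UTF-8 sequence."""
    data = line.encode("utf-8")
    out, first = [], True
    while data:
        room = limit if first else limit - 1  # the leading space costs one octet
        cut = min(room, len(data))
        while cut < len(data) and (data[cut] & 0xC0) == 0x80:
            cut -= 1  # back up to a character boundary
        chunk, data = data[:cut], data[cut:]
        out.append(chunk.decode("utf-8") if first else " " + chunk.decode("utf-8"))
        first = False
    return "\r\n".join(out)


def unfold(text):
    """Reverse fold(): a CRLF followed by a space or tab is removed."""
    return text.replace("\r\n ", "").replace("\r\n\t", "")


def x_alt_desc(html):
    """Build a folded X-ALT-DESC line carrying HTML, as in the answer."""
    return fold("X-ALT-DESC;FMTTYPE=text/html:" + escape_text(html))
```

Consumers unfold before parsing, so `unfold(x_alt_desc(html))` must give back the escaped single line; checking that round trip is a cheap test for any calendar generator.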
HTML in the description won't be rendered as HTML in Outlook, at the least. If you want to include rich text that Outlook will recognize, export an event from your Outlook calendar, and take a look at what they do. I believe they provide plain-text in the Description and then create another property for the HTML.
For anyone happening upon this page like I did and is looking to specifically have HTML content displayed for Outlook events...
As the accepted answer states, the DESCRIPTION shouldn't have any HTML. However, you can get HTML into the content of the event (at least in Outlook) using a multipart/alternative email.
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="_CAL_B598a1969806776.58663423_B_"
To: "Your Name" <yourname@example.com>
From: "John Doe" <john.doe@example.com>
--_CAL_B598a1969806776.58663423_B_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html><body>
<h1>Hello World</h1>
<p>This is a calendar event test</p>
</body></html>
--_CAL_B598a1969806776.58663423_B_
Content-Type: text/calendar; charset="utf-8"; method=REQUEST
Content-Transfer-Encoding: base64

[base64-encoded calendar body omitted]

--_CAL_B598a1969806776.58663423_B_--
In case you are wondering, that Base64 encoding translates to:
BEGIN:VCALENDAR
METHOD:REQUEST
PRODID:-//PHP//MeetingRequest//EN
VERSION:2.0
BEGIN:VEVENT
ORGANIZER;CN=John Doe:MAILTO:john.doe@example.com
ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=TRUE;CN=Your Name:MAILTO:yourname@example.com
DESCRIPTION:Hello World Event
SUMMARY:Hello World Event
DTSTART:20170815T190000Z
DTEND:20170815T200000Z
UID:0123456789
CLASS:PUBLIC
PRIORITY:5
DTSTAMP:20170808T200457Z
TRANSP:OPAQUE
STATUS:CONFIRMED
SEQUENCE:0
LOCATION:123 Any Street
BEGIN:VALARM
ACTION:DISPLAY
DESCRIPTION:REMINDER
TRIGGER;RELATED=START:-PT15M
END:VALARM
END:VEVENT
END:VCALENDAR
I think it's possible, according to the RFC, but I doubt that it's a good idea, as it appears to be a bit of a security hole.