Wicket / WICKET-3498

Entering huge strings in TextFields causes IllegalStateExceptions not caught by the Framework


Details

    Description

      We were testing a sign-in mechanism and entered a huge number of characters (more than 200,000) in the "username" and "password" fields of a form. This results in an IllegalStateException thrown by Jetty, which is OK from my point of view. The problem is that the full exception stack trace (!!!) is shown to the client: the resulting execution leaves the scope of the Wicket framework, which can't handle the exception correctly. Error page and stack trace for Jetty 6 and Wicket 1.4.15:

      HTTP ERROR 500

      Problem accessing /login/wicket:interface/:0:loginPanel:signInForm::IFormSubmitListener::. Reason:

      Form too large3791446>200000

      Caused by:

      java.lang.IllegalStateException: Form too large3791446>200000
      at org.mortbay.jetty.Request.extractParameters(Request.java:1561)
      at org.mortbay.jetty.Request.getParameter(Request.java:859)
      at org.apache.wicket.protocol.http.servlet.ServletWebRequest.<init>(ServletWebRequest.java:83)
      at org.apache.wicket.protocol.http.WebApplication.newWebRequest(WebApplication.java:675)
      at org.apache.wicket.protocol.http.WicketFilter.doGet(WicketFilter.java:424)
      at org.apache.wicket.protocol.http.WicketServlet.doPost(WicketServlet.java:160)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
      at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1221)
      at {filter}
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
      at org.springframework.orm.hibernate3.support.OpenSessionInViewFilter.doFilterInternal(OpenSessionInViewFilter.java:198)
      at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)
      at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1212)
      at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:399)
      at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
      at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
      at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:766)
      at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:450)
      at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
      at org.mortbay.jetty.Server.handle(Server.java:326)
      at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
      at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:945)
      at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:756)
      at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
      at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
      at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
      at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:713)
      at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)

      We suggest an easy fix: catch the IllegalStateException in line 83 of org.apache.wicket.protocol.http.servlet.ServletWebRequest and just log an error (please check whether it really has to be logged as an error). In effect, no ajaxHeader will be read and Wicket's Internal Error page will be shown:

      Possible solution in Wicket 1.4.15, 1.4.17 (didn't check 1.4.16), ServletWebRequest, line 83:

      try
      {
          // Jetty throws IllegalStateException("Form too large...") from getParameter()
          // when the POST body exceeds the context's maxFormContentSize.
          if (Strings.isEmpty(ajaxHeader))
          {
              ajaxHeader = httpServletRequest.getParameter("wicket:ajax");
          }
      }
      catch (IllegalStateException exception)
      {
          // Swallow here so the request stays inside Wicket's request cycle;
          // the container must not render its own error page with the stack trace.
          log.error("IllegalStateException occurred reading \"wicket:ajax\" parameter: " + exception.getMessage());
      }

      Please consider checking Wicket 1.5. I just checked ServletWebRequest, which apparently has been refactored. Line 214 (Enumeration<String> e = httpServletRequest.getHeaders(name)) may be critical, as well as the methods protected Map<String, List<StringValue>> generatePostParameters() and getQueryParameters(). I couldn't check that yet. Please let me know if you want me to analyze that error more intensively and suggest a fix for Wicket 1.5. We consider this bug "Major" or "Critical", as the whole servlet container stack trace is potentially displayed.
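An alternative way to contain this at the servlet boundary rather than inside ServletWebRequest, given here as an added example that is neither Wicket's code nor the reporter's proposed patch: a filter that sits in front of WicketFilter, catches the container's IllegalStateException no matter which parameter read triggers it, logs the detail server-side, and returns a fixed 413 body with no exception class, message or stack trace. It assumes the Servlet 2.5 API and SLF4J, a hypothetical class name OversizedFormFilter, and that the filter is mapped in web.xml ahead of WicketFilter. The match on the "Form too large" message prefix is Jetty-specific and is taken from the message in the trace above; other containers word this differently.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Hypothetical filter (example code, not part of Wicket). Map it in web.xml
 * before WicketFilter so it wraps the whole Wicket request cycle. When Jetty
 * refuses to parse an oversized form body it throws
 * IllegalStateException("Form too large...") from getParameter(); without this
 * filter the container's default error page renders that exception and the
 * full stack trace to the client.
 */
public class OversizedFormFilter implements Filter
{
    private static final Logger log = LoggerFactory.getLogger(OversizedFormFilter.class);

    // Assumption: Jetty 6 prefixes the message exactly like the trace in this ticket.
    private static final String JETTY_FORM_TOO_LARGE_PREFIX = "Form too large";

    public void init(FilterConfig config) throws ServletException
    {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException
    {
        try
        {
            chain.doFilter(request, response);
        }
        catch (IllegalStateException e)
        {
            // Only handle the oversized-form case. Other IllegalStateExceptions
            // (e.g. getWriter() after getOutputStream()) are unrelated; rethrow them.
            String message = e.getMessage();
            if (message == null || !message.startsWith(JETTY_FORM_TOO_LARGE_PREFIX))
            {
                throw e;
            }

            HttpServletRequest httpRequest = (HttpServletRequest)request;
            HttpServletResponse httpResponse = (HttpServletResponse)response;

            // The detail (including the byte counts in the message) goes to the
            // server log only, never to the client.
            log.warn("Rejected oversized form body for {} {} from {}: {}", new Object[] {
                httpRequest.getMethod(), httpRequest.getRequestURI(),
                httpRequest.getRemoteAddr(), message });

            if (httpResponse.isCommitted())
            {
                // Headers are already on the wire; the status can no longer be changed.
                return;
            }

            // Discard anything buffered so far and send a bare, generic 413.
            httpResponse.reset();
            httpResponse.setStatus(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            httpResponse.setContentType("text/plain");
            httpResponse.getWriter().write("Request entity too large");
        }
    }

    public void destroy()
    {
    }
}
```

This only stops the stack trace from leaking; it does not change the size limit itself. In the trace above Jetty rejected the body at 200000 bytes, its per-context maxFormContentSize default, and whether to raise that limit for a login form is a separate decision (for a sign-in form there is rarely a reason to accept more than a few kilobytes).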

          People
            mgrigorov Martin Tzvetanov Grigorov
            ghartner Georg Hartner

              Time Tracking

                Original Estimate: 5h
                Remaining Estimate: 5h
                Time Spent: Not Specified