Author: jdonnerstag
Date: Sun May 31 14:42:12 2009
New Revision: 780442
URL: http://svn.apache.org/viewvc?rev=780442&view=rev
Log:
applied backported patch from 1.4 to 1.3 trunk as well
SharedResourceRequestTarget allows access to almost arbitrary files under
WEB-INF.
Note that the junit test (expiry header) which failed before still fails and is
not fixed by this patch.
Issue: WICKET-1992
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/SharedResources.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/CompressedPackageResource.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/JavascriptPackageResource.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResource.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResourceGuard.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/request/target/resource/SharedResourceRequestTarget.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/IResourceSettings.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/lang/Packages.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/image/ImageTest.java
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/link/AutolinkTest.java
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/SharedResources.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/SharedResources.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/SharedResources.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/SharedResources.java
Sun May 31 14:42:12 2009
@@ -28,7 +28,6 @@
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-
/**
* Class which holds shared resources. Resources can be shared by name. An
optional scope can be
* given to prevent naming conflicts and a locale and/or style can be given as
well.
@@ -47,11 +46,11 @@
* _[style] into path just before any extension that might exist.
*
* @param path
- * The resource path
+ * The resource path
* @param locale
- * The locale
+ * The locale
* @param style
- * The style (see {...@link org.apache.wicket.Session})
+ * The style (see {...@link org.apache.wicket.Session})
* @return The localized path
*/
public static String resourceKey(final String path, final Locale
locale, final String style)
@@ -62,8 +61,20 @@
.getParentFolderPlaceholder();
final String extension = Files.extension(path);
- // get relative path to resource, replace' ..' with escape
sequence
String basePath = Files.basePath(path, extension);
+
+ if (Strings.isEmpty(parentEscape) &&
+ (Application.get().getConfigurationType() ==
Application.DEVELOPMENT) &&
+ basePath.indexOf("../".toString()) > -1)
+ {
+
log.error("----------------------------------------------------------------------------------------");
+ log.error("Your path looks like: " + path);
+ log.error("For security reasons moving up '../' is
disabled by default. Please see");
+
log.error("IResourceSettings.getParentFolderPlaceholder() and
PackageResourceGuard for more details");
+
log.error("----------------------------------------------------------------------------------------");
+ }
+
+ // get relative path to resource, replace '..' with escape
sequence
basePath = Strings.replaceAll(basePath, "../", parentEscape +
"/").toString();
final AppendingStringBuffer buffer = new
AppendingStringBuffer(basePath.length() + 16);
buffer.append(basePath);
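Review bot: With `parentFolderPlaceholder` now defaulting to `null` (Settings.java hunk `@@ -315,7 +315,7 @@`), the unconditional `Strings.replaceAll(basePath, "../", parentEscape + "/")` turns `../x` into `null/x`, and with an empty placeholder it silently collapses `../x` to `/x` right after the development-mode log block, which only reports the condition and never acts on it. Guard the replacement the way SharedResourceRequestTarget does in this commit: `if (!Strings.isEmpty(parentEscape)) { basePath = Strings.replaceAll(basePath, "../", parentEscape + "/").toString(); }`, so the key keeps the `../` for the guard to reject instead of being rewritten into something else. The `"../".toString()` in the condition is a no-op on a literal and can simply be `"../"`. The enclosing `resourceKey` method continues past the hunk.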
@@ -112,7 +123,7 @@
* Construct.
*
* @param application
- * The application
+ * The application
*/
SharedResources(Application application)
{
@@ -122,15 +133,15 @@
* Adds a resource.
*
* @param scope
- * Scope of resource
+ * Scope of resource
* @param name
- * Logical name of resource
+ * Logical name of resource
* @param locale
- * The locale of the resource
+ * The locale of the resource
* @param style
- * The resource style (see {...@link
org.apache.wicket.Session})
+ * The resource style (see {...@link
org.apache.wicket.Session})
* @param resource
- * Resource to store
+ * Resource to store
*/
public final void add(final Class scope, final String name, final
Locale locale,
final String style, final Resource resource)
@@ -155,11 +166,11 @@
* Adds a resource.
*
* @param name
- * Logical name of resource
+ * Logical name of resource
* @param locale
- * The locale of the resource
+ * The locale of the resource
* @param resource
- * Resource to store
+ * Resource to store
*/
public final void add(final String name, final Locale locale, final
Resource resource)
{
@@ -170,9 +181,9 @@
* Adds a resource.
*
* @param name
- * Logical name of resource
+ * Logical name of resource
* @param resource
- * Resource to store
+ * Resource to store
*/
public final void add(final String name, final Resource resource)
{
@@ -181,21 +192,28 @@
/**
* @param scope
- * The resource's scope
+ * The resource's scope
* @param name
- * Name of resource to get
+ * Name of resource to get
* @param locale
- * The locale of the resource
+ * The locale of the resource
* @param style
- * The resource style (see {...@link
org.apache.wicket.Session})
+ * The resource style (see {...@link
org.apache.wicket.Session})
* @param exact
- * If true then only return the resource that is
registered for the given locale and style.
+ * If true then only return the resource that is registered
for the given locale and
+ * style.
*
* @return The logical resource
*/
public final Resource get(final Class scope, final String name, final
Locale locale,
final String style, boolean exact)
{
+ if (exact)
+ {
+ final String resourceKey = resourceKey(scope, name,
locale, style);
+ return get(resourceKey);
+ }
+
// 1. Look for fully qualified entry with locale and style
if (locale != null && style != null)
{
@@ -205,10 +223,6 @@
{
return resource;
}
- if (exact)
- {
- return null;
- }
}
// 2. Look for entry without style
@@ -220,10 +234,6 @@
{
return resource;
}
- if (exact)
- {
- return null;
- }
}
// 3. Look for entry without locale
@@ -235,10 +245,6 @@
{
return resource;
}
- if (exact)
- {
- return null;
- }
}
// 4. Look for base name with no locale or style
@@ -250,7 +256,7 @@
* THIS METHOD IS NOT PART OF THE WICKET PUBLIC API. DO NOT USE IT.
*
* @param key
- * Shared resource key
+ * Shared resource key
* @return The resource
*/
public final Resource get(final String key)
@@ -266,9 +272,9 @@
* instead of
resources/org.apache.wicket.resources.ResourceClass/Image.jpg
*
* @param clz
- * The class that has to be aliased.
+ * The class that has to be aliased.
* @param alias
- * The alias string.
+ * The alias string.
*/
public final void putClassAlias(Class clz, String alias)
{
@@ -297,7 +303,7 @@
* Removes a shared resource.
*
* @param key
- * Shared resource key
+ * Shared resource key
*/
public final void remove(final String key)
{
@@ -311,13 +317,13 @@
* THIS METHOD IS NOT PART OF THE WICKET PUBLIC API. DO NOT CALL IT.
*
* @param scope
- * The scope of the resource
+ * The scope of the resource
* @param path
- * The resource path
+ * The resource path
* @param locale
- * The locale
+ * The locale
* @param style
- * The style (see {...@link org.apache.wicket.Session})
+ * The style (see {...@link org.apache.wicket.Session})
* @return The localized path
*/
public String resourceKey(final Class scope, final String path, final
Locale locale,
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/CompressedPackageResource.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/CompressedPackageResource.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/CompressedPackageResource.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/CompressedPackageResource.java
Sun May 31 14:42:12 2009
@@ -26,7 +26,6 @@
import org.apache.wicket.Application;
import org.apache.wicket.RequestCycle;
-import org.apache.wicket.SharedResources;
import org.apache.wicket.markup.html.resources.CompressedResourceReference;
import org.apache.wicket.protocol.http.WebRequest;
import org.apache.wicket.protocol.http.WebResponse;
@@ -174,8 +173,7 @@
private static final long serialVersionUID = 1L;
/**
- * Gets the resource for a given set of criteria. Only one resource
will be loaded for the same
- * criteria.
+ * Create a new PackageResource
*
* @param scope
* This argument will be used to get the class loader for
loading the package
@@ -188,23 +186,11 @@
* @param style
* The style of the resource (see {...@link
org.apache.wicket.Session})
* @return The resource
- * @throws PackageResourceBlockedException
- * when the target resource is not accepted by {...@link
IPackageResourceGuard the
- * package resource guard}.
*/
- public static PackageResource get(final Class scope, final String path,
final Locale locale,
- final String style)
+ protected static PackageResource newPackageResource(final Class scope,
final String path,
+ final Locale locale, final String style)
{
- final SharedResources sharedResources =
Application.get().getSharedResources();
-
- PackageResource resource =
(PackageResource)sharedResources.get(scope, path, locale, style,
- true);
- if (resource == null)
- {
- resource = new CompressedPackageResource(scope, path,
locale, style);
- sharedResources.add(scope, path, locale, style,
resource);
- }
- return resource;
+ return new CompressedPackageResource(scope, path, locale,
style);
}
private final IResourceStream resourceStream;
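Review bot: `newPackageResource` is static, and its caller `PackageResource.get` (PackageResource.java hunk `@@ -408,11 +411,33 @@`) invokes `newPackageResource(scope, path, locale, style)` unqualified, which binds at compile time to `PackageResource.newPackageResource`; static methods are hidden, not overridden, so this variant is never reached through the inherited `get`. Unless CompressedPackageResource keeps another `get(...)` outside this hunk, `CompressedPackageResource.get(scope, path, locale, style)` now resolves to `PackageResource.get` and hands back a plain, uncompressed `PackageResource`, and the removed `@throws PackageResourceBlockedException` is still accurate because the constructor it ultimately runs performs the guard check. Restoring a `get` in this class that does the shared-resources lookup and then `new CompressedPackageResource(...)`, as JavascriptPackageResource.java still does, keeps the intended type; the `newPackageResource` javadoc should otherwise state that it is only reached by callers naming this class explicitly.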
@@ -299,4 +285,4 @@
response.setHeader("Content-Encoding", "gzip");
}
}
-}
\ No newline at end of file
+}
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/JavascriptPackageResource.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/JavascriptPackageResource.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/JavascriptPackageResource.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/JavascriptPackageResource.java
Sun May 31 14:42:12 2009
@@ -172,24 +172,11 @@
* @param style
* The style of the resource (see {...@link
org.apache.wicket.Session})
* @return The resource
- * @throws PackageResourceBlockedException
- * when the target resource is not accepted by
- * {...@link IPackageResourceGuard the package resource
guard}.
*/
public static PackageResource get(final Class scope, final String path,
final Locale locale,
final String style)
{
- final SharedResources sharedResources =
Application.get().getSharedResources();
-
- PackageResource resource =
(PackageResource)sharedResources.get(scope, path, locale, style,
- true);
-
- if (resource == null)
- {
- resource = new JavascriptPackageResource(scope, path,
locale, style);
- sharedResources.add(scope, path, locale, style,
resource);
- }
- return resource;
+ return new JavascriptPackageResource(scope, path, locale,
style);
}
/**
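Review bot: `get` now returns a fresh `JavascriptPackageResource` on every call and neither consults nor populates `SharedResources`, unlike `PackageResource.get` (PackageResource.java hunk `@@ -408,11 +411,33 @@`), which looks up an existing entry with `exact == true` and registers the new one; because a static `get` in the subclass hides the inherited one, that registration is not inherited here. If this is intentional because registration happens at the `ResourceReference` level, say so in the javadoc: `Returns a new, unregistered instance on every call; unlike PackageResource.get it does not consult SharedResources.` Otherwise mirror the lookup-then-add body of `PackageResource.get`. The constructor becomes protected in the next hunk, so this method is the class's only public creation path and the javadoc should carry that contract.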
@@ -200,7 +187,7 @@
* @param locale
* @param style
*/
- public JavascriptPackageResource(Class scope, String path, Locale
locale, String style)
+ protected JavascriptPackageResource(Class scope, String path, Locale
locale, String style)
{
super(scope, path, locale, style);
}
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResource.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResource.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResource.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResource.java
Sun May 31 14:42:12 2009
@@ -40,6 +40,7 @@
import org.apache.wicket.WicketRuntimeException;
import org.apache.wicket.protocol.http.WebRequestCycle;
import org.apache.wicket.protocol.http.servlet.AbortWithWebErrorCodeException;
+import org.apache.wicket.settings.IResourceSettings;
import org.apache.wicket.util.lang.Classes;
import org.apache.wicket.util.lang.PackageName;
import org.apache.wicket.util.lang.Packages;
@@ -64,10 +65,14 @@
* is in to get a package resource.
* </p>
*
+ * Access to resources can be granted or denied via a {...@link
IPackageResourceGuard}. Please see
+ * {...@link IResourceSettings#getPackageResourceGuard()} as well.
+ *
* @author Jonathan Locke
* @author Eelco Hillenius
+ * @author Juergen Donnerstag
*/
-public class PackageResource extends WebResource implements IModifiable
+public class PackageResource extends WebResource implements IModifiable,
IPackageResourceGuard
{
/**
* Exception thrown when the creation of a package resource is not
allowed.
@@ -119,10 +124,9 @@
* scope class (eg ".*\\.js" will add all the
files with extension
* "js" from that package).
*
- * @deprecated Since Wicket 1.2.1 this method is effectively a no-op.
- * {...@link PackageResource package resources} are
automatically tried and bound as
- * shared resources so that they don't have to be
pre-registered anymore. Will be
- * removed in 2.0
+ * @deprecated Since Wicket 1.2.1 this method is effectively a no-op.
{...@link PackageResource
+ * package resources} are automatically tried and bound as
shared resources so that
+ * they don't have to be pre-registered anymore. Will be
removed in 2.0
*/
public static void bind(Application application, Class scope, Pattern
pattern)
{
@@ -145,10 +149,9 @@
* @param recurse
* Whether this method should recurse into sub packages
*
- * @deprecated Since Wicket 1.2.1 this method is effectively a no-op.
- * {...@link PackageResource package resources} are
automatically tried and bound as
- * shared resources so that they don't have to be
pre-registered anymore. Will be
- * removed in 2.0
+ * @deprecated Since Wicket 1.2.1 this method is effectively a no-op.
{...@link PackageResource
+ * package resources} are automatically tried and bound as
shared resources so that
+ * they don't have to be pre-registered anymore. Will be
removed in 2.0
*/
public static void bind(Application application, Class scope, Pattern
pattern, boolean recurse)
{
@@ -408,11 +411,33 @@
true);
if (resource == null)
{
- resource = new PackageResource(scope, path, locale,
style);
+ resource = newPackageResource(scope, path, locale,
style);
+ Application.get().getSharedResources().add(scope, path,
locale, style, resource);
}
return resource;
}
+ /**
+ * Create a new PackageResource
+ *
+ * @param scope
+ * This argument will be used to get the class loader for
loading the package
+ * resource, and to determine what package it is in.
Typically this is the class in
+ * which you call this method
+ * @param path
+ * The path to the resource
+ * @param locale
+ * The locale of the resource
+ * @param style
+ * The style of the resource (see {...@link
org.apache.wicket.Session})
+ * @return The resource
+ */
+ protected static PackageResource newPackageResource(final Class scope,
final String path,
+ final Locale locale, final String style)
+ {
+ return new PackageResource(scope, path, locale, style);
+ }
+
/* removed in 2.0 */
private static void scanJarFile(Class scope, Pattern pattern, boolean
recurse,
final List resources, String packageRef, JarFile jf)
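Review bot: `Application.get().getSharedResources().add(scope, path, locale, style, resource)` re-resolves the application and its registry even though the `exact` lookup two lines above the hunk presumably already holds them in a local, as the removed `CompressedPackageResource.get` did with `sharedResources`; if that local exists, `sharedResources.add(scope, path, locale, style, resource);` keeps the lookup and the registration visibly on the same registry. The `newPackageResource` javadoc describes only the parameters; a sentence such as `Factory hook used by get(); as a static method it is not polymorphic, so subclasses cannot redirect get() by declaring a method of the same name.` would prevent the obvious misuse.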
@@ -468,13 +493,11 @@
// Convert resource path to absolute path relative to base
package
absolutePath = Packages.absolutePath(scope, path);
- IPackageResourceGuard guard = Application.get()
- .getResourceSettings()
- .getPackageResourceGuard();
- if (!guard.accept(scope, path))
+ if (!accept(scope, path))
{
- throw new PackageResourceBlockedException("package
resource " + absolutePath +
- " may not be accessed");
+ throw new PackageResourceBlockedException(
+ "Access denied to (static) package resource " +
absolutePath +
+ ". See IPackageResourceGuard");
}
scopeName = scope.getName();
@@ -618,4 +641,17 @@
return lastModifiedTime;
}
+
+ /**
+ * @see
org.apache.wicket.markup.html.IPackageResourceGuard#accept(java.lang.Class,
+ * java.lang.String)
+ */
+ public boolean accept(Class scope, String path)
+ {
+ IPackageResourceGuard guard = Application.get()
+ .getResourceSettings()
+ .getPackageResourceGuard();
+
+ return guard.accept(scope, path);
+ }
}
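Review bot: `accept` is a public, overridable instance method, and the constructor hunk (`@@ -468,13 +493,11 @@`) calls it as `accept(scope, path)` before the instance is fully constructed, so an override in a subclass runs with its own fields still unset and is able to relax or bypass the configured guard; the javadoc here is a bare `@see` and says none of this. Either mark the method `final` (the class now `implements IPackageResourceGuard`, so delegating to the application's guard is the contract) or document it: `Delegates to the application's IPackageResourceGuard. Invoked from the constructor before subclass fields are initialised; overrides must not rely on instance state and should only narrow, never widen, the configured guard.`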
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResourceGuard.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResourceGuard.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResourceGuard.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/markup/html/PackageResourceGuard.java
Sun May 31 14:42:12 2009
@@ -19,20 +19,33 @@
import java.util.HashSet;
import java.util.Set;
+import org.apache.wicket.Application;
import org.apache.wicket.util.lang.Packages;
+import org.apache.wicket.util.string.Strings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
/**
- * Default implementation of {...@link IPackageResourceGuard}. By default, the
extensions
- * 'properties', 'class' and 'java' are blocked.
+ * Default implementation of {...@link IPackageResourceGuard}. By default, the
extensions 'properties',
+ * 'class' and 'java' are blocked and files like 'log4j.xml' and
'applicationContext.xml'
+ *
+ * A more secure implementation which by default denies access to any resource
is
+ * {...@link SecurePackageResourceGuard}
*
* @author eelcohillenius
*/
public class PackageResourceGuard implements IPackageResourceGuard
{
- /** Set of extensions that are not allowed access. */
+ /** Log. */
+ private static final Logger log =
LoggerFactory.getLogger(PackageResourceGuard.class);
+
+ /** Set of extensions that are denied access. */
private Set blockedExtensions = new HashSet(4);
+ /** Set of filenames that are denied access. */
+ private Set blockedFiles = new HashSet(4);
+
/**
* Construct.
*/
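Review bot: The class javadoc's first sentence is left unfinished — `... 'class' and 'java' are blocked and files like 'log4j.xml' and 'applicationContext.xml'` has no verb for the second clause; suggest `... 'class' and 'java' are blocked, as are the files 'log4j.xml' and 'applicationContext.xml'.` The `{@link SecurePackageResourceGuard}` reference names a class that is not among the files in this commit; if it does not exist on the 1.3.x branch the link is dangling and the javadoc build will warn, so either add the class or turn the reference into plain text until it lands.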
@@ -41,6 +54,9 @@
blockedExtensions.add("properties");
blockedExtensions.add("class");
blockedExtensions.add("java");
+
+ blockedFiles.add("applicationContext.xml");
+ blockedFiles.add("log4j.xml");
}
/**
@@ -74,12 +90,41 @@
{
ext = path.substring(ixExtension + 1).toLowerCase();
}
+
if ("html".equals(ext) &&
-
getClass().getClassLoader().getResource(path.replaceAll(".html", ".class")) !=
null)
+
getClass().getClassLoader().getResource(path.replaceAll("\\.html", ".class"))
!= null)
+ {
+ log.warn("Access denied to shared (static) resource
because it is a Wicket markup file: " +
+ path);
+ return false;
+ }
+
+ if (acceptExtension(ext) == false)
{
+ log.warn("Access denied to shared (static) resource
because of the file extension: " +
+ path);
return false;
}
- return acceptExtension(ext);
+
+ String filename = Strings.lastPathComponent(path, '/');
+ if (acceptFile(filename) == false)
+ {
+ log.warn("Access denied to shared (static) resource
because of the file name: " + path);
+ return false;
+ }
+
+ // Only if a placeholder, e.g. $up$ is defined, access to
parent directories is allowed
+ if
(Strings.isEmpty(Application.get().getResourceSettings().getParentFolderPlaceholder()))
+ {
+ if (path.indexOf("..".toString()) > -1)
+ {
+ log.warn("Access to parent directories via '..'
is by default disabled for shared resources: " +
+ path);
+ return false;
+ }
+ }
+
+ return true;
}
/**
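Review bot: `path.replaceAll("\\.html", ".class")` rewrites every `.html` occurrence in the path, not just the extension, so a path like `docs.html/page.html` is probed as `docs.class/page.class` and the markup-file check lets it through; `ixExtension` is already known at this point, so `path.substring(0, ixExtension) + ".class"` targets only the extension. The parent-folder check matches `..` anywhere in the string, which also rejects legitimate names such as `a..b.png`; testing each `/`-separated segment for equality with `..` is both tighter and more readable, and `"..".toString()` is a no-op on a literal. Worth a comment too: `acceptFile` compares the filename case-sensitively while `ext` was lowercased, which is consistent with case-sensitive classpath lookup but reads as an oversight. The enclosing `accept` method starts above the hunk.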
@@ -96,9 +141,21 @@
}
/**
- * Gets the set of extensions that are not allowed access.
+ * Whether the provided filename is accepted.
+ *
+ * @param file
+ * filename
+ * @return True if accepted, false otherwise.
+ */
+ protected boolean acceptFile(String file)
+ {
+ return (!blockedFiles.contains(file));
+ }
+
+ /**
+ * Gets the set of extensions that are denied access.
*
- * @return The set of extensions that are not allowed access
+ * @return The set of extensions that are denied access
*/
protected final Set getBlockedExtensions()
{
@@ -106,7 +163,17 @@
}
/**
- * Sets the set of extensions that are not allowed access.
+ * Gets the set of extensions that are denied access.
+ *
+ * @return The set of extensions that are denied access
+ */
+ protected final Set getBlockedFiles()
+ {
+ return blockedFiles;
+ }
+
+ /**
+ * Sets the set of extensions that are denied access.
*
* @param blockedExtensions
* Set of extensions that are not allowed access
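Review bot: The javadoc for `getBlockedFiles` is copied from `getBlockedExtensions` and still says "extensions"; it should read `Gets the set of filenames that are denied access.` with `@return The set of filenames that are denied access`. The same copy-paste affects `@param blockedFiles` in the next hunk (`@@ -115,4 +182,15 @@`), which should say `Set of filenames that are denied access`. Since `setBlockedFiles` stores its argument unchecked and `acceptFile` dereferences it, the javadoc there should also state that `null` is not permitted, or the setter should reject it.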
@@ -115,4 +182,15 @@
{
this.blockedExtensions = blockedExtensions;
}
+
+ /**
+ * Sets the set of filenames that are denied access.
+ *
+ * @param blockedFiles
+ * Set of extensions that are denied access
+ */
+ protected final void setBlockedFiles(Set blockedFiles)
+ {
+ this.blockedFiles = blockedFiles;
+ }
}
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/request/target/resource/SharedResourceRequestTarget.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/request/target/resource/SharedResourceRequestTarget.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/request/target/resource/SharedResourceRequestTarget.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/request/target/resource/SharedResourceRequestTarget.java
Sun May 31 14:42:12 2009
@@ -50,7 +50,7 @@
* Construct.
*
* @param requestParameters
- * the request parameters
+ * the request parameters
*/
public SharedResourceRequestTarget(RequestParameters requestParameters)
{
@@ -88,9 +88,8 @@
}
/**
- * @see
- *
org.apache.wicket.request.target.resource.ISharedResourceRequestTarget#getRequestParameters
- * ()
+ * @see
org.apache.wicket.request.target.resource.ISharedResourceRequestTarget#getRequestParameters
+ * ()
*/
public final RequestParameters getRequestParameters()
{
@@ -148,21 +147,21 @@
{
scope =
resolver.resolveClass(className);
}
+
+ // get path component of resource key,
replace '..' with escape sequence to
+ // prevent crippled urls in browser
final CharSequence escapeString =
application.getResourceSettings()
.getParentFolderPlaceholder();
- // get path component of resource key,
replace' ..' with escape sequence to
- // prevent crippled urls in browser
+
String path = resourceKey.substring(ix
+ 1);
- path = Strings.replaceAll(path,
escapeString, "..").toString();
+ if (Strings.isEmpty(escapeString) ==
false)
+ {
+ path = Strings.replaceAll(path,
escapeString, "..").toString();
+ }
if (PackageResource.exists(scope, path,
null, null))
{
- PackageResource packageResource
= PackageResource.get(scope, path);
- if
(sharedResources.get(resourceKey) == null)
- {
-
sharedResources.add(scope, path, null, null, packageResource);
- }
- resource = packageResource;
+ resource =
PackageResource.get(scope, path);
}
}
catch (Exception e)
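Review bot: `Strings.isEmpty(escapeString) == false` spells out the negation; `!Strings.isEmpty(escapeString)` is the idiom used elsewhere in the file. More importantly, the request-supplied `path` reaches `PackageResource.exists(scope, path, null, null)` before any guard runs, and a denial only surfaces as the `PackageResourceBlockedException` thrown from the `PackageResource` constructor via `PackageResource.get`, which the `catch (Exception e)` at the end of this hunk appears to absorb so that `resource` stays null and the caller answers 404. Mapping denial onto the generic not-found path is a sound default, but it is invisible here; a comment on the `get` line such as `// a guard denial throws PackageResourceBlockedException; handled below as "not found"` would record it.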
@@ -177,17 +176,18 @@
// if resource is still null, it doesn't exist
if (resource == null)
{
+ String msg = "shared resource " + resourceKey + " not
found or not allowed access";
Response response = requestCycle.getResponse();
if (response instanceof WebResponse)
{
((WebResponse)response).getHttpServletResponse().setStatus(
HttpServletResponse.SC_NOT_FOUND);
- log.error("shared resource " + resourceKey + "
not found");
+ log.error(msg);
return;
}
else
{
- throw new WicketRuntimeException("shared
resource " + resourceKey + " not found");
+ throw new WicketRuntimeException(msg);
}
}
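Review bot: `msg` embeds the request-supplied `resourceKey` and is logged at error level on every miss, so a client probing for nonexistent or denied resources drives the error log rather than the application doing anything wrong; `log.warn(msg)` keeps the key in the log while reserving error for application faults. The combined wording `not found or not allowed access` is appropriate since the response is the same 404 either way, and the guard already logs the specific denial reason at its own level.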
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/IResourceSettings.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/IResourceSettings.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/IResourceSettings.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/IResourceSettings.java
Sun May 31 14:42:12 2009
@@ -293,17 +293,29 @@
*/
public boolean getAddLastModifiedTimeToResourceReferenceUrl();
-
/**
- * placeholder string for '..' within resource urls (which will be
crippled by the browser and
- * not work anymore)
+ * Placeholder string for '..' within resource urls (which will be
crippled by the browser and
+ * not work anymore). Note that by default the placeholder string is
empty '' and thus will not
+ * allow to access parent folders. That is by purpose and for security
reasons (see
+ * Wicket-1992). In case you really need it, a good value for
placeholder would e.g. be "$up$".
+ * Resources additionally are protected by a
+ * {...@link org.apache.wicket.markup.html.IPackageResourceGuard
IPackageResourceGuard}
+ * implementation such as {...@link
org.apache.wicket.resource.resourceGuard.PackageResourceGuard
+ * PackageResourceGuard} which you may use or extend based on your
needs.
*
* @return placeholder
*/
CharSequence getParentFolderPlaceholder();
/**
- * set placeholder for '..' inside resource urls
+ * Placeholder string for '..' within resource urls (which will be
crippled by the browser and
+ * not work anymore). Note that by default the placeholder string is
empty '' and thus will not
+ * allow to access parent folders. That is by purpose and for security
reasons (see
+ * Wicket-1992). In case you really need it, a good value for
placeholder would e.g. be "$up$".
+ * Resources additionally are protected by a
+ * {...@link org.apache.wicket.markup.html.IPackageResourceGuard
IPackageResourceGuard}
+ * implementation such as {...@link
org.apache.wicket.resource.resourceGuard.PackageResourceGuard
+ * PackageResourceGuard} which you may use or extend based on your
needs.
*
* @see #getParentFolderPlaceholder()
*
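Review bot: The `{@link org.apache.wicket.resource.resourceGuard.PackageResourceGuard PackageResourceGuard}` reference does not match the class touched by this commit, which lives at `org.apache.wicket.markup.html.PackageResourceGuard`; javadoc will report it as an unresolved link, and the same text is pasted verbatim into the setter's javadoc below. The paragraph should also state the trade-off the guard implements: once a placeholder is configured, `PackageResourceGuard.accept` (hunk `@@ -74,12 +90,41 @@`) performs no `..` check at all, so the placeholder re-enables parent-folder access for any resource the guard otherwise accepts. Suggested sentence for the getter: `Configuring a placeholder lifts the guard's '..' restriction entirely; leave it unset unless parent-folder resources are required, and restrict those via a custom IPackageResourceGuard.` The setter can then refer to the getter with `@see #getParentFolderPlaceholder()` alone instead of repeating the paragraph.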
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/settings/Settings.java
Sun May 31 14:42:12 2009
@@ -315,7 +315,7 @@
/**
* escape string for '..' within resource keys
*/
- private CharSequence parentFolderPlaceholder = "$up$";
+ private CharSequence parentFolderPlaceholder = null;
/**
* Create the application settings, carrying out any necessary
initializations.
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/lang/Packages.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/lang/Packages.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/lang/Packages.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/main/java/org/apache/wicket/util/lang/Packages.java
Sun May 31 14:42:12 2009
@@ -40,7 +40,7 @@
*/
public static String absolutePath(final Class p, final String
relativePath)
{
- String packName = extractPackageName(p);
+ String packName = (p != null ? extractPackageName(p) : "");
return absolutePath(packName, relativePath);
}
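Review bot: Accepting a null `scope` makes `absolutePath` resolve `relativePath` against the classpath root rather than a package, and the method's javadoc above the hunk does not mention it; add `@param p the scope class; when null the path is resolved relative to the classpath root` so callers see that a missing scope widens the resolution root instead of failing. It is also worth confirming that `PackageResourceGuard.accept(Class, String)` tolerates a null scope, since the constructor path in PackageResource.java now calls `Packages.absolutePath(scope, path)` and `accept(scope, path)` back to back.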
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/image/ImageTest.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/image/ImageTest.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/image/ImageTest.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/image/ImageTest.java
Sun May 31 14:42:12 2009
@@ -63,9 +63,10 @@
tester.assertContains("src=\"resources/org.apache.wicket.markup.html.image.Home/Beer.gif\"");
}
- public void testParentRelativeImage()
- {
- tester.startPage(Home.class);
-
tester.assertContains("src=\"resources/org.apache.wicket.markup.html.image.Home/[$]up[$]/border/test.png\"");
- }
+ public void testParentRelativeImage()
+ {
+
tester.getApplication().getResourceSettings().setParentFolderPlaceholder("$up$");
+ tester.startPage(Home.class);
+
tester.assertContains("src=\"resources/org.apache.wicket.markup.html.image.Home/[$]up[$]/border/test.png\"");
+ }
}
Modified:
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/link/AutolinkTest.java
URL:
http://svn.apache.org/viewvc/wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/link/AutolinkTest.java?rev=780442&r1=780441&r2=780442&view=diff
==============================================================================
---
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/link/AutolinkTest.java
(original)
+++
wicket/branches/wicket-1.3.x/jdk-1.4/wicket/src/test/java/org/apache/wicket/markup/html/link/AutolinkTest.java
Sun May 31 14:42:12 2009
@@ -43,6 +43,7 @@
public void testRenderHomePage_1() throws Exception
{
tester.getApplication().getMarkupSettings().setAutomaticLinking(true);
+
tester.getApplication().getResourceSettings().setParentFolderPlaceholder("$up$");
executeTest(AutolinkPage_1.class,
"AutolinkPageExpectedResult_1.html");
}