Author: mgrigorov
Date: Tue Nov 30 16:33:20 2010
New Revision: 1040620

URL: http://svn.apache.org/viewvc?rev=1040620&view=rev
Log:
Check the package resource's path for '../' and replace it with the configured 
placeholder.
If there is no configured placeholder then the resource guard will refuse to 
accept it.

Modified:
    
wicket/trunk/wicket/src/main/java/org/apache/wicket/request/resource/PackageResource.java

Modified: 
wicket/trunk/wicket/src/main/java/org/apache/wicket/request/resource/PackageResource.java
URL: 
http://svn.apache.org/viewvc/wicket/trunk/wicket/src/main/java/org/apache/wicket/request/resource/PackageResource.java?rev=1040620&r1=1040619&r2=1040620&view=diff
==============================================================================
--- 
wicket/trunk/wicket/src/main/java/org/apache/wicket/request/resource/PackageResource.java
 (original)
+++ 
wicket/trunk/wicket/src/main/java/org/apache/wicket/request/resource/PackageResource.java
 Tue Nov 30 16:33:20 2010
@@ -30,6 +30,7 @@ import org.apache.wicket.util.lang.Packa
 import org.apache.wicket.util.lang.WicketObjects;
 import org.apache.wicket.util.resource.IResourceStream;
 import org.apache.wicket.util.resource.ResourceStreamNotFoundException;
+import org.apache.wicket.util.string.Strings;
 import org.apache.wicket.util.time.Time;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -132,17 +133,27 @@ public class PackageResource extends Abs
                // Convert resource path to absolute path relative to base 
package
                absolutePath = Packages.absolutePath(scope, name);
 
-               if (!accept(scope, name))
+               final String parentEscape = Application.get()
+                       .getResourceSettings()
+                       .getParentFolderPlaceholder();
+
+               if (Strings.isEmpty(parentEscape) == false)
+               {
+                       path = Strings.replaceAll(name, "../", parentEscape + 
"/").toString();
+               }
+               else
+               {
+                       path = name;
+               }
+
+               if (!accept(scope, path))
                {
                        throw new PackageResourceBlockedException(
                                "Access denied to (static) package resource " + 
absolutePath +
                                        ". See IPackageResourceGuard");
                }
 
-               // TODO WICKET-NG: Check path for ../
-
                scopeName = scope.getName();
-               path = name;
                this.locale = locale;
                this.style = style;
                this.variation = variation;
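Review bot: The substitution at `Strings.replaceAll(name, "../", parentEscape + "/")` only matches the literal forward-slash form, so a name that ends in `..` or uses a backslash separator reaches `accept(scope, path)` unchanged; whether the guard rejects those forms is not visible in this hunk and should be confirmed. `absolutePath` is still computed from the raw `name` before the substitution, so the value reported in `PackageResourceBlockedException` is not the string the guard actually checked. I would put a comment above the block, e.g. `// the guard sees the placeholder form; only a literal "../" is rewritten, every other parent reference must be rejected by IPackageResourceGuard`, and write the condition as `if (!Strings.isEmpty(parentEscape))`. The constructor begins and ends outside the hunk, so how `path` and `absolutePath` are used afterwards cannot be checked here.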

