Resource path with ../ prints warning, is replaced with null/ but still works.
------------------------------------------------------------------------------

                 Key: WICKET-3659
                 URL: https://issues.apache.org/jira/browse/WICKET-3659
             Project: Wicket
          Issue Type: Bug
          Components: wicket-core
    Affects Versions: 1.4.16
            Reporter: Ondra Žižka


I have an HTML page in org/xy/web/foobar/FooPage.html
Then there's org/xy/web/files/favicon.ico
The HTML page contains

{code}
   <wicket:link>
       <link rel="shortcut icon" href="../files/favicon.ico" type="image/x-icon">
   </wicket:link>
{code}

This warning is printed:

  May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey SEVERE: Your path looks like: ../files/favicon.ico
  May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey SEVERE: For security reasons moving up '../' is disabled by default. Please see
  May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey SEVERE: IResourceSettings.getParentFolderPlaceholder() and PackageResourceGuard for more details

However, the rendered code contains the path

  resources/org.xy.web.foo.FooPage/null/files/favicon.ico"

And the file is served.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
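
A simplified model of the behaviour reported above, added here as an example and not taken from Wicket's source or from the report. It assumes the resource key is built by plain string substitution with an unset (null) placeholder, and contrasts that with a variant that rejects the path instead; the class and method names are hypothetical and "$up$" is a sample placeholder value.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model (assumption), not Wicket's SharedResources code.
public class ParentFolderKeyDemo {

    // Fail-open: string concatenation turns an unset (null) placeholder
    // into the literal text "null", so the key is still produced.
    static String keyFailOpen(String path, String placeholder) {
        return path.replace("../", placeholder + "/");
    }

    // Fail-closed: a ".." segment is only rewritten when a placeholder
    // is configured; otherwise the path is rejected outright.
    static String keyFailClosed(String path, String placeholder) {
        List<String> out = new ArrayList<String>();
        for (String segment : path.split("/", -1)) {
            if (!segment.equals("..")) {
                out.add(segment);
            } else if (placeholder == null || placeholder.isEmpty()) {
                throw new IllegalArgumentException(
                    "parent folder segments are disabled: " + path);
            } else {
                out.add(placeholder);
            }
        }
        return String.join("/", out);
    }

    public static void main(String[] args) {
        String path = "../files/favicon.ico"; // path from the report
        String sample = "$up$";               // sample placeholder value

        System.out.println("fail-open, unset:    " + keyFailOpen(path, null));
        System.out.println("fail-closed, sample: " + keyFailClosed(path, sample));
        try {
            keyFailClosed(path, null);
        } catch (IllegalArgumentException e) {
            System.out.println("fail-closed, unset:  rejected (" + e.getMessage() + ")");
        }
    }
}
```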
