[jira] [Commented] (WICKET-3659) Resource path with ../ prints warning, is replaced with null/ but still works.

Sun, 01 May 2011 10:19:43 -0700 

    [ 
https://issues.apache.org/jira/browse/WICKET-3659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13027475#comment-13027475
 ] 

Ondra Žižka commented on WICKET-3659:
-------------------------------------

What is interesting:

If I remove "../",  i.e.  use 
{code}
        <link rel="shortcut icon" href="../files/favicon.ico" 
type="image/x-icon">
{code}
then the rendered code is:
{code}
        <link rel="shortcut icon" href="files/favicon.ico" type="image/x-icon">
{code}

However, other resources are referenced in the same page as e.g.
{code}
        <link rel="stylesheet" type="text/css" href="files/layout-vut.css"/>
{code}
Which is rendered as
{code}
        <link rel="stylesheet" type="text/css" 
href="resources/org.xy.web.foo.FooPage/files/layout-vut.css"/>
{code}
Which seems like if the .ico file was treated differently from .css.

> Resource path with ../ prints warning, is replaced with null/ but still works.
> ------------------------------------------------------------------------------
>
>                 Key: WICKET-3659
>                 URL: https://issues.apache.org/jira/browse/WICKET-3659
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 1.4.16
>            Reporter: Ondra Žižka
>
> I have a HTML page in org/xy/web/foobar/FooPage.html
> Then there's org/xy/web/files/favicon.ico
> The HTML page contains
> {code}
>    <wicket:link>
>        <link rel="shortcut icon" href="../files/favicon.ico" 
> type="image/x-icon">
>    </wicket:link>
> {code}
> This warning is printed:
>   May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey 
> SEVERE: Your path looks like: ../files/favicon.ico
>   May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey 
> SEVERE: For security reasons moving up '../' is disabled by default. Please 
> see
>   May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey 
> SEVERE: IResourceSettings.getParentFolderPlaceholder() and 
> PackageResourceGuard for more details
> However, the rendered code contains path
>   resources/org.xy.web.foo.FooPage/null/files/favicon.ico"
> And the file is served.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to