[
https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216186#comment-13216186
]
Peter Ertl commented on WICKET-4430:
------------------------------------
thanks for reporting, sebastiaan!
the problem was that the resource anchor class was a java primitive (e.g. int,
float) that effectively links to the default (or better, null) package ...
should be fixed in current trunk for 1.4, 1.5 and 6.0 ... please verify and
confirm
> By using int as the scope, it is possible to read arbitrary resources from
> the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
> Fix For: 1.4.20, 1.5.5, 6.0.0
>
>
> Using "int" as scope, it is possible to access arbitrary resources in from
> the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427
> this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as
> follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
