Updated Branches:
  refs/heads/wicket-1.5.x 3783e6ecb -> 667ae4a5f

WICKET-4432: Possible to escape from package resource scope by inserting 
escaped slash (%2F)


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/667ae4a5
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/667ae4a5
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/667ae4a5

Branch: refs/heads/wicket-1.5.x
Commit: 667ae4a5fc4c756112de98c8aed601b8b3a956ec
Parents: 3783e6e
Author: Peter Ertl <[email protected]>
Authored: Sat Feb 25 02:01:49 2012 +0100
Committer: Peter Ertl <[email protected]>
Committed: Sat Feb 25 02:01:49 2012 +0100

----------------------------------------------------------------------
 .../mapper/BasicResourceReferenceMapper.java       |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/667ae4a5/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
----------------------------------------------------------------------
diff --git 
a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
 
b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
index 09b22d2..8e5e21f 100755
--- 
a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
+++ 
b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
@@ -32,6 +32,7 @@ import org.apache.wicket.request.resource.ResourceReference;
 import org.apache.wicket.request.resource.caching.IResourceCachingStrategy;
 import org.apache.wicket.request.resource.caching.ResourceUrl;
 import org.apache.wicket.util.IProvider;
+import org.apache.wicket.util.crypt.StringUtils;
 import org.apache.wicket.util.lang.WicketObjects;
 import org.apache.wicket.util.string.Strings;
 import org.slf4j.Logger;
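Review bot: The added import `org.apache.wicket.util.crypt.StringUtils` is not referenced by the other hunk of this commit, which uses `Strings.isEmpty` from `org.apache.wicket.util.string`; unless it is used by code outside the diff, it is an unused import and should be dropped. Pulling a `crypt` package into the mapper for no purpose also makes a later reader look for a hashing or encryption step that is not there. Suggested change: delete `import org.apache.wicket.util.crypt.StringUtils;`.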
@@ -94,6 +95,12 @@ class BasicResourceReferenceMapper extends 
AbstractResourceReferenceMapper
                        {
                                String segment = url.getSegments().get(i);
 
+                               // ignore invalid segments
+                               if (segment.contains("/"))
+                               {
+                                       return null;
+                               }
+
                                // remove caching information
                                if (i + 1 == segmentsSize && 
Strings.isEmpty(segment) == false)
                                {
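Review bot: The comment `// ignore invalid segments` on the new guard does not say why a segment containing "/" is invalid, which is the whole point of WICKET-4432; suggest `// a decoded segment containing '/' (e.g. from an encoded %2F) could escape the package resource scope, so the url is rejected`. The guard returns null silently; the class already imports an slf4j Logger, so a debug-level log of the rejected segment would make such requests visible to operators without changing the outcome. Whether other segment contents that the resource loader might treat as path steps need the same rejection cannot be judged from this hunk and is worth confirming against the loader. The enclosing method and its loop start before this hunk.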
