Updated Branches: refs/heads/wicket-1.4.x 6a1358fe7 -> f0fc54803
WICKET-4432: Possible to escape from package resource scope by inserting escaped slash (%2F) Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/f0fc5480 Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/f0fc5480 Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/f0fc5480 Branch: refs/heads/wicket-1.4.x Commit: f0fc54803a93cd78207fb6631620b16a195a26e6 Parents: 6a1358f Author: Peter Ertl <[email protected]> Authored: Sat Feb 25 02:16:58 2012 +0100 Committer: Peter Ertl <[email protected]> Committed: Sat Feb 25 02:16:58 2012 +0100 ---------------------------------------------------------------------- .../http/request/WebRequestCodingStrategy.java | 12 +++++++++++- 1 files changed, 11 insertions(+), 1 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/f0fc5480/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java ---------------------------------------------------------------------- diff --git a/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java b/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java index 32849f7..c8a3b4e 100644 --- a/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java +++ b/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java @@ -725,6 +725,7 @@ public class WebRequestCodingStrategy implements IRequestCodingStrategy, IReques { StringBuffer path = new StringBuffer( WicketURLDecoder.PATH_INSTANCE.decode(pathInfo.substring(ix))); + int ixSemiColon = path.indexOf(";"); // strip off any jsession id if (ixSemiColon != -1) 
@@ -736,7 +737,16 @@ public class WebRequestCodingStrategy implements IRequestCodingStrategy, IReques
 }
 path.delete(ixSemiColon, ixEnd);
 }
- parameters.setResourceKey(path.toString());
+ String resourcePath = path.toString();
+
+ // do not accept a leading slash or a duplicate slash in the resource path
+ // which probably is the result of a maliciously constructed url
+ if (resourcePath.startsWith("/") || resourcePath.indexOf("//") != -1)
+ {
+ return;
+ }
+
+ parameters.setResourceKey(resourcePath);
 }
 }
 }
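Review bot: The new guard `if (resourcePath.startsWith("/") || resourcePath.indexOf("//") != -1)` rejects absolute paths and empty segments but still lets a parent-directory segment through, so a decoded key such as `org/example/../../secret.txt` reaches `setResourceKey` unless something downstream (not visible here) normalises or rejects it. The `WicketURLDecoder.PATH_INSTANCE.decode(...)` call in the preceding hunk presumably turns `%2E%2E%2F` into `../` just as it turns `%2F` into `/`, which would give the traversal this commit targets a sibling form that the servlet container's own path normalisation does not see. Extending the condition with a segment test, e.g. `|| ("/" + resourcePath + "/").indexOf("/../") != -1`, would close that gap, and a WARN-level log before the silent `return` would make rejected requests visible to operators since the comment already calls them malicious. The enclosing method begins before this hunk, so I cannot confirm whether `..` is already filtered earlier in it.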
