Updated Branches:
  refs/heads/wicket-1.4.x 6a1358fe7 -> f0fc54803

WICKET-4432: Possible to escape from package resource scope by inserting 
escaped slash (%2F)


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/f0fc5480
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/f0fc5480
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/f0fc5480

Branch: refs/heads/wicket-1.4.x
Commit: f0fc54803a93cd78207fb6631620b16a195a26e6
Parents: 6a1358f
Author: Peter Ertl <[email protected]>
Authored: Sat Feb 25 02:16:58 2012 +0100
Committer: Peter Ertl <[email protected]>
Committed: Sat Feb 25 02:16:58 2012 +0100

----------------------------------------------------------------------
 .../http/request/WebRequestCodingStrategy.java     |   12 +++++++++++-
 1 files changed, 11 insertions(+), 1 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/f0fc5480/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java
----------------------------------------------------------------------
diff --git 
a/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java
 
b/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java
index 32849f7..c8a3b4e 100644
--- 
a/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java
+++ 
b/wicket/src/main/java/org/apache/wicket/protocol/http/request/WebRequestCodingStrategy.java
@@ -725,6 +725,7 @@ public class WebRequestCodingStrategy implements 
IRequestCodingStrategy, IReques
                        {
                                StringBuffer path = new StringBuffer(
                                        
WicketURLDecoder.PATH_INSTANCE.decode(pathInfo.substring(ix)));
+                               
                                int ixSemiColon = path.indexOf(";");
                                // strip off any jsession id
                                if (ixSemiColon != -1)
@@ -736,7 +737,16 @@ public class WebRequestCodingStrategy implements 
IRequestCodingStrategy, IReques
                                        }
                                        path.delete(ixSemiColon, ixEnd);
                                }
-                               parameters.setResourceKey(path.toString());
+                               String resourcePath = path.toString();
+
+                               // do not accept a leading slash or a duplicate 
slash in the resource path 
+                               // which probably is the result of a 
maliciously constructed url
+                               if (resourcePath.startsWith("/") || 
resourcePath.indexOf("//") != -1)
+                               {
+                                       return;
+                               }
+
+                               parameters.setResourceKey(resourcePath);
                        }
                }
        }
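Review bot: The new guard before `parameters.setResourceKey(resourcePath)` rejects only a leading `/` or an embedded `//`, so a decoded parent-directory segment (for instance `..%2F` becoming `../` after `WicketURLDecoder.PATH_INSTANCE.decode`) still reaches the resource key unchanged; unless something downstream such as the package resource guard rejects `..` segments, the scope escape this commit is about may remain reachable by that route, which is worth confirming. A minimal tightening of the condition would be `|| ("/" + resourcePath + "/").indexOf("/../") != -1`, which matches only whole `..` segments and leaves names like `foo..bar` alone. The bare `return` also drops the request silently; a debug-level log of the rejected path (attacker-controlled, so log it as data rather than interpreting it) would make such probes visible to operators. The enclosing method's signature and the branches around this block lie outside the hunk, so the effect of returning without setting a resource key could not be checked here.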
