Properly port the improvement in 1.5 to not allow comma separated extensions in the resource path. In 6.x ResourceNameIterator expects an Iterable<String> of extensions, not a comma separated String.
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/686f934c Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/686f934c Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/686f934c Branch: refs/heads/master Commit: 686f934c9de800b13420657d35ea201c2a2e2c94 Parents: 3297e3c Author: Martin Tzvetanov Grigorov <[email protected]> Authored: Tue Mar 27 10:53:03 2012 +0200 Committer: Martin Tzvetanov Grigorov <[email protected]> Committed: Tue Mar 27 10:53:03 2012 +0200 ---------------------------------------------------------------------- .../resource/locator/ResourceStreamLocator.java | 22 +++++++++++---- 1 files changed, 16 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/wicket/blob/686f934c/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java ----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
index 7e614b7..2cbbc2a 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
@@ -19,6 +19,7 @@ package org.apache.wicket.core.util.resource.locator;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.Locale;
 import org.apache.wicket.Application;
@@ -255,28 +256,37 @@ public class ResourceStreamLocator implements IResourceStreamLocator public ResourceNameIterator newResourceNameIterator(final String path, final Locale locale, final String style, final String variation, final String extension, final boolean strict) { - final Iterable<String> extensions = extension == null ? NO_EXTENSIONS : Arrays.asList(extension); + final Iterable<String> extensions; final String realPath; - final String realExtension; if ((extension == null) && (path != null) && (path.indexOf('.') != -1)) { + // extract the path and extension realPath = Strings.beforeLast(path, '.'); - // for extensions with separator take the first extension - realExtension = Strings.afterLast(path, '.'); + String realExtension = Strings.afterLast(path, '.'); if (realExtension.indexOf(',') > -1) { // multiple extensions are not allowed in the path parameter + // it could be an attack, so ignore it and pretend there are no resources return new EmptyResourceNameIterator(); } + extensions = Collections.singleton(realExtension); } else { realPath = path; - realExtension = extension; + if (extension == null) + { + extensions = NO_EXTENSIONS; + } + else + { + String[] commaSeparated = Strings.split(extension, ','); + extensions = Arrays.asList(commaSeparated); + } } - return new ResourceNameIterator(path, style, variation, locale, extensions, strict); + return new ResourceNameIterator(realPath, style, variation, locale, extensions, strict); } }
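Review bot: The comma guard covers only the extension derived from `path`; in the `else` branch an explicit `extension` argument is still split on ',' and every entry is passed to ResourceNameIterator, so the protection holds only as long as no caller forwards request-derived text as `extension`. State that assumption where the split happens, for example `// extension comes from framework/application code, never from the request; comma separated lists are accepted only here`. The rejection is also silent, so a rejected request leaves nothing for operators to see; consider a log statement before `return new EmptyResourceNameIterator();` that records the path with control characters stripped. The commit touches only this file, so no test pins the new behaviour: one asserting that a path like `foo.html,xml` (constructed example) yields no resource names, and that an `extension` of `html,xml` yields both, would keep this port from regressing again.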
