At least in my development configuration the WebAppClassLoader of Tomcat which eventually resolves the resource returns a file: url to for example the .properties file.
On certain systems where the file system is not case sensitive this would allow you to specify the resource as file.PROPERTIES and the file: resource would be correctly resolved and the PackgeResourceGuard would allow it.
Fortunately resources to files inside a .war file or inside .jar files do seem to be case sensitive even on Windows.
Regards, Sebastiaan Sebastiaan van Erk wrote:
Hi All,I've just run into what I consider a bit of a security issue with the SharedResourceRequestTarget. It allows me to load files from the /WEB-INF directory (though I have to guess the file names).For example, if I see there is some bookmarkable page in the app with the name com.myapp.pages.MyBookMarkablePage, I can request the following URL:http://www.mydomain.com/resources/com.myapp.pages.MyBookMarkablePage/$up$/$up$/$up$/log4j.xmlReplace log4j.xml with applicationContext.xml, or any other guesses for useful files.In both these files it is more than possible that there is sensitive information such as database urls and passwords or mail server usernames and passwords (though if you use a property configurator in Spring you might be lucky since the password is then contained in a .properties file, which is blocked by Wicket).Of course there may be lots of other sensitive files in WEB-INF.I know about the IPackageResourceGuard interface, however, only since today, after looking into this problem. :-) I could build my own implementation with a default deny policy and open up package resources on a need to have basis. However, I REALLY think that Wicket should be secure by default, and a better solution to this problem should be found...Regards, Sebastiaan
smime.p7s
Description: S/MIME Cryptographic Signature
