eirikbakke commented on code in PR #8114:
URL: https://github.com/apache/netbeans/pull/8114#discussion_r1903766800


##########
platform/openide.util.ui/src/org/openide/util/ImageUtilities.java:
##########
@@ -210,6 +210,59 @@ public static final Image loadImage(String resource, 
boolean localized) {
         return loadImageInternal(resource, localized);
     }
 
+    /**
+     * Load an image from an URL. If the URL uses the {@code nbresloc} 
protocol, it is loaded using
+     * the resource loading mechanism provided by {@link 
#loadImage(java.lang.String)}. An SVG
+     * image may be substituted when available.
+     *
+     * <p>This method is intended for use only when a URL must be used instead 
of a resource path,
+     * e.g. in the implementation of pre-existing NetBeans APIs.
+     *
+     * @param url the URL of the image, possibly with the nbresloc protocol
+     * @return the loaded image, or either null or an uninitialized image if 
the image was not
+     *         available
+     * @since 7.34
+     */
+    public static final Image loadImage(URL url) {
+        Parameters.notNull("icon", url);
+        if (url.getProtocol().equals("nbresloc")) { // NOI18N
+            // Omit the initial slash of the path.
+            return loadImage(url.getPath().substring(1));
+        } else {
+            /* Observed to return an image with size (-1, -1) if URL points to 
a non-existent file
+            (after ensureLoaded(Image) is called). */
+            return Toolkit.getDefaultToolkit().createImage(url);
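
Review bot: The else branch passes a URL of any protocol other than nbresloc straight to `Toolkit.getDefaultToolkit().createImage(url)`, so http, ftp or remote jar URLs supplied by a caller are loaded as well; if only bundled resources are intended, check the protocol against an explicit set and return null for anything else. Two smaller points: `Parameters.notNull("icon", url)` reports the argument as "icon" although the parameter is named `url`, and `url.getPath().substring(1)` throws StringIndexOutOfBoundsException when an nbresloc URL has an empty path, so a length or leading-slash check before the substring would be safer.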

Review Comment:
   For a whitelist, I think we'd need to allow the "jar" protocol too, in 
addition to the "nbresloc" protocol. The "jar" protocol ends up being used when 
NetBeans code does something like 
   
   
`DataViewUI.class.getResource("/org/netbeans/modules/db/dataview/images/row_delete.png")`
   which yields the URL
   
`jar:file:/Users/ebakke/ZRoot/netbeans-work/netbeans/nbbuild/netbeans/ide/modules/org-netbeans-modules-db-dataview.jar!/org/netbeans/modules/db/dataview/images/row_delete.png`
   
   The latter pattern is very common in the NetBeans codebase. But the "jar" 
protocol can also point anywhere on the web in theory. We could try to restrict 
to nbresloc only, but then that is a change that requires manual testing in 
each case, rather than merely a visual code review in each case.
   
   (Is there an easy/secure way to test if a JAR URL is actually within the 
netbeans folder structure? I assume JARs could be either in e.g. "C:\Program 
Files" or in the user directory if there have been later auto-updates and such. 
And there can be ".." paths and such.)
   
   Alternatively the code could be inlined in the 9 relevant call sites, rather 
than adding a utility method in ImageUtilities. Or, the new utility method 
could be marked as deprecated from the start.
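
One way to answer the question raised in the comment above, as an added example that is not part of the original review comment or of the NetBeans code base: accept nbresloc URLs, and accept jar URLs only when the inner URL is a local file whose canonical path lies under a trusted directory. The class name, the method name and the `trustedRoots` parameter are hypothetical, and the sample paths in `main` are constructed.

```java
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.List;

public final class TrustedImageUrl {
    /** trustedRoots is a hypothetical parameter, e.g. the install and user directories. */
    static boolean isTrusted(URL url, List<Path> trustedRoots) {
        if ("nbresloc".equals(url.getProtocol())) {
            return true;
        }
        // For jar:<inner-url>!/<entry>, getPath() returns "<inner-url>!/<entry>".
        String spec = url.getPath();
        int sep = spec.indexOf("!/");
        if (!"jar".equals(url.getProtocol()) || sep < 0) {
            return false; // http, https, ftp, plain file, malformed jar URL
        }
        try {
            URI inner = new URI(spec.substring(0, sep));
            // Reject jar:http://... and file URIs that name a remote host.
            if (!"file".equalsIgnoreCase(inner.getScheme()) || inner.getAuthority() != null) {
                return false;
            }
            // toRealPath() resolves ".." and symbolic links; it throws if the JAR is missing.
            Path jar = Paths.get(inner).toRealPath();
            for (Path root : trustedRoots) {
                // Path.startsWith compares whole name elements, not string prefixes.
                if (jar.startsWith(root.toRealPath())) {
                    return true;
                }
            }
            return false;
        } catch (Exception e) { // malformed URI, unsupported path, I/O error: fail closed
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: a temporary directory stands in for the install root.
        Path root = Files.createTempDirectory("nbroot");
        Path jar = Files.createFile(root.resolve("demo.jar"));
        List<Path> roots = List.of(root);
        System.out.println(isTrusted(new URL("jar:" + jar.toUri() + "!/images/a.png"), roots));
        System.out.println(isTrusted(new URL("jar:https://example.invalid/a.jar!/a.png"), roots));
        System.out.println(isTrusted(new URL("jar:" + root.toUri() + "../b.jar!/a.png"), roots));
    }
}
```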


