Re: Security Issue or incorrect usage?

2016-01-03 Thread Илья Нарыжный
Sorry, Andrea, I meant "observed" according to my experiments. I have
already redone my implementation, but the class and this article are pretty
dangerous: they might easily be understood in the wrong way, and even on a
dev env it might work "as expected" while the "side effects" might be
caught only in production. I recommend adding more JavaDocs and
comments.

Thanks,

Ilya
-
Orienteer(http://orienteer.org) - Modern Data Warehouse for your business.


-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Security Issue or incorrect usage?

2016-01-03 Thread Martin Grigorov
Hi,

On Sun, Jan 3, 2016 at 6:33 PM, Илья Нарыжный <phan...@ydn.ru> wrote:

> Sorry, Andrea, I meant "observed" according to my experiments. I have
> already redone my implementation, but the class and this article are pretty
> dangerous: they might easily be understood in the wrong way, and even on a
> dev env it might work "as expected" while the "side effects" might be
> caught only in production. I recommend adding more JavaDocs and
> comments.
>

Please create a ticket with patch/PR with the suggested improvements!


Re: Security Issue or incorrect usage?

2015-12-31 Thread Andrea Del Bene

Hi,

the wiki entry you have found is pretty old (StyleSheetReference is no
longer part of the API). Where did you read the note you reported in the mail?
BTW: I don't think it's a security issue. It just says that variable
interpolation is done the first time the resource is requested, so you
should avoid putting sensitive user information into your dynamic CSS/JS.


Andrea.

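The failure mode Andrea describes (the interpolated resource is produced once, on first request, and then served from cache to every later client of the same URL) is easy to reproduce without any framework. The following is an added illustration written for this thread, not code from the wiki page, from Wicket, or from either poster; CssTemplate, UserSession and the two stylesheet classes are constructed stand-ins, and the sessions, token strings and URLs are made up. The first class shows the leaky pattern: a secret per-user value is interpolated into a resource whose cache key is only its URL, so whoever requests it first fixes the copy everyone else gets. The second shows the safe pattern: only shareable variant data is interpolated, and that variant is part of the URL (hence of the cache key), so there is nothing session-private left to leak.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Constructed stand-in for a ${var} text template; not Wicket's own template class. */
final class CssTemplate {
    private final String body;
    CssTemplate(String body) { this.body = body; }
    String interpolate(Map<String, String> vars) {
        String out = body;
        for (Map.Entry<String, String> e : vars.entrySet()) {
            out = out.replace("${" + e.getKey() + "}", e.getValue());
        }
        return out;
    }
}

/** Constructed per-user session: a public preference (theme) and a secret (apiToken). */
final class UserSession {
    final String name, theme, apiToken;
    UserSession(String name, String theme, String apiToken) {
        this.name = name; this.theme = theme; this.apiToken = apiToken;
    }
}

/**
 * Leaky pattern: one shared URL, body interpolated on first request and cached
 * keyed only by that URL. The first requester's session values are baked into
 * the copy every later requester receives.
 */
final class SharedCachedStylesheet {
    private final CssTemplate template;
    private final Map<String, String> cacheByUrl = new ConcurrentHashMap<>();
    SharedCachedStylesheet(CssTemplate template) { this.template = template; }

    String serve(String url, UserSession session) {
        return cacheByUrl.computeIfAbsent(url, u -> {
            Map<String, String> vars = new LinkedHashMap<>();
            vars.put("theme", session.theme);
            vars.put("token", session.apiToken); // secret ends up in a shared, cached file
            return template.interpolate(vars);
        });
    }
}

/**
 * Safe pattern: the only interpolated value is a public variant, and that
 * variant is part of the URL, so it is also part of the cache key. Nothing
 * session-private is ever written into the resource.
 */
final class VariantKeyedStylesheet {
    private final CssTemplate template;
    private final Map<String, String> cacheByUrl = new ConcurrentHashMap<>();
    VariantKeyedStylesheet(CssTemplate template) { this.template = template; }

    String urlFor(UserSession session) { return "/css/app.css?theme=" + session.theme; }

    String serve(String url) {
        // toy query parsing, enough for the single parameter urlFor() emits
        String theme = url.substring(url.indexOf("theme=") + "theme=".length());
        return cacheByUrl.computeIfAbsent(url, u -> {
            Map<String, String> vars = new LinkedHashMap<>();
            vars.put("theme", theme); // public, per-variant value only
            return template.interpolate(vars);
        });
    }
}

public final class DynamicCssLeakDemo {
    public static void main(String[] args) {
        UserSession alice = new UserSession("alice", "dark", "tok-alice-SECRET");
        UserSession bob   = new UserSession("bob", "light", "tok-bob-SECRET");

        CssTemplate leaky = new CssTemplate(
            "body { background: ${theme}; } /* api token: ${token} */");
        SharedCachedStylesheet shared = new SharedCachedStylesheet(leaky);
        shared.serve("/css/app.css", alice);                 // first request fills the cache
        String bobGets = shared.serve("/css/app.css", bob);  // served from cache
        System.out.println("bob receives: " + bobGets);
        System.out.println("bob sees alice's token: " + bobGets.contains("tok-alice-SECRET"));

        CssTemplate safe = new CssTemplate("body { background: ${theme}; }");
        VariantKeyedStylesheet keyed = new VariantKeyedStylesheet(safe);
        String bobsCss = keyed.serve(keyed.urlFor(bob));
        System.out.println("bob receives: " + bobsCss);
        System.out.println("contains any token: " + bobsCss.contains("tok-"));
    }
}
```

The check to apply to any such dynamic resource is simple: treat everything interpolated into a resource with a stable URL as visible to every client that can fetch that URL. Values that differ per user but are not secret (a theme, a locale) can go in the URL so they become part of the cache key; values that must not be shared (tokens, identifiers, anything tied to a session) belong in the per-request page response, never in a cached CSS or JS resource. Because the dev environment is usually exercised by a single user, the cached copy and the "correct" copy coincide there, which is exactly why the problem only surfaces in production.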


Security Issue or incorrect usage?

2015-12-30 Thread Илья Нарыжный
Guys,

Please advise on the following "feature".
There is the following cool ability in Wicket:
https://cwiki.apache.org/confluence/display/WICKET/Dynamically+Generate+a+CSS+Stylesheet

Pretty much the same approach can be used for JavaScript.

But it's noted: if you try to retrieve the URL for the dynamically generated CSS
or JS after its initial load by a "legal" use, you will receive the file
with the parameters substituted for the first user.

Is it a security issue or just incorrect usage of this feature?

Thanks,

Ilya

-
Orienteer(http://orienteer.org) - Modern Data Warehouse for your business.
