Hi,

Each resource in Wicket is decorated using a version string in a file
name by default. It is implemented in
FilenameWithVersionResourceCachingStrategy. Depending on DEVELOPMENT
or DEPLOYMENT mode it looks like:
jquery-ver-1590158412000.css
jquery-ver-F334A4E46CB37347CAB42E2B1A45897C.css

There is a small security issue: this strategy does not check whether
the version is correctly calculated for the specific resource and accepts
any string as a version identifier, e.g.:
jquery-ver-F334A4E46CB37347CAB42E2B1A45897C_old.css
jquery-ver-F334A4E46CB37347CAB42E2B1A45897C_bakup.css
jquery-ver-XYZABCDEF.css
etc.

Maybe we should add a check that the version passed in the request is correct?
There is partially such a check done in the decorateResponse() method. So
maybe it is enough to add an else block here and raise some exception?

@Override
public void decorateResponse(AbstractResource.ResourceResponse response,
                             IStaticCacheableResource resource) {
  String requestedVersion = RequestCycle.get().getMetaData(URL_VERSION);
  String calculatedVersion = this.resourceVersion.getVersion(resource);
  if (calculatedVersion != null && calculatedVersion.equals(requestedVersion)) {
    response.setCacheDurationToMaximum();
    response.setCacheScope(WebResponse.CacheScope.PUBLIC);
  }
}

--
Best regards,
Daniel Stoch
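
As an added illustration of the else branch proposed above (this is example code, not Wicket's own code and not part of the original mail): a hypothetical subclass of FilenameWithVersionResourceCachingStrategy that keeps the existing cache-header behaviour for a matching version and answers a mismatched "-ver-" segment with 404 instead of serving the resource under an arbitrary name. It assumes that the strategy exposes its IResourceVersion via getResourceVersion(), that URL_VERSION is the protected MetaDataKey inherited from AbstractResourceCachingStrategy, that AbstractResource.ResourceResponse.setError(Integer, String) is honoured when headers are written, and a javax.servlet Wicket version (older than the jakarta migration). The class and its name are invented for this example.

```java
import javax.servlet.http.HttpServletResponse;

import org.apache.wicket.request.cycle.RequestCycle;
import org.apache.wicket.request.http.WebResponse;
import org.apache.wicket.request.resource.AbstractResource;
import org.apache.wicket.request.resource.caching.FilenameWithVersionResourceCachingStrategy;
import org.apache.wicket.request.resource.caching.IStaticCacheableResource;
import org.apache.wicket.request.resource.caching.version.IResourceVersion;

/**
 * Hypothetical strict variant of the default strategy (example only).
 * A request whose version segment is present but does not match the
 * version computed for the resource is rejected with 404, so the same
 * resource cannot be fetched (and cached by proxies) under arbitrary
 * version strings.
 */
public class StrictVersionResourceCachingStrategy
        extends FilenameWithVersionResourceCachingStrategy {

    public StrictVersionResourceCachingStrategy(IResourceVersion resourceVersion) {
        super(resourceVersion);
    }

    @Override
    public void decorateResponse(AbstractResource.ResourceResponse response,
                                 IStaticCacheableResource resource) {
        // version string parsed from the URL by undecorateUrl(), if any
        String requestedVersion = RequestCycle.get().getMetaData(URL_VERSION);
        // version we would emit for this resource right now
        // (assumption: getResourceVersion() is available on the superclass)
        String calculatedVersion = getResourceVersion().getVersion(resource);

        if (calculatedVersion != null && calculatedVersion.equals(requestedVersion)) {
            // known-good version: the content is immutable under this URL,
            // so it is safe to cache it for as long as possible
            response.setCacheDurationToMaximum();
            response.setCacheScope(WebResponse.CacheScope.PUBLIC);
        } else if (requestedVersion != null) {
            // a version segment was present but is not the one we compute:
            // refuse instead of serving the resource under a made-up name
            // (assumption: the error code set here is sent as the response)
            response.setError(HttpServletResponse.SC_NOT_FOUND,
                    "Unknown resource version: " + requestedVersion);
        }
        // requestedVersion == null: URL carried no version segment at all;
        // fall through and keep the default (non-cached) headers
    }
}
```

It would be registered in Application.init() through
getResourceSettings().setCachingStrategy(new StrictVersionResourceCachingStrategy(new LastModifiedResourceVersion())).
One caveat worth keeping in mind: in DEVELOPMENT mode the version is a last-modified timestamp, so a browser tab holding a page rendered before a resource was edited would now receive 404 for that resource instead of the current content. The strict check trades that convenience for the guarantee that only URLs the application itself generated are served.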
