Posted to commits@wicket.apache.org by mg...@apache.org on 2012/03/27 11:41:03 UTC

[5/6] git commit: Properly port the improvement in 1.5 to not allow comma separated extensions in the resource path. In 6.x ResourceNameIterator expects an Iterable of extensions. Not a comma separated String.

Properly port the improvement in 1.5 to not allow comma separated extensions in the resource path.
In 6.x ResourceNameIterator expects an Iterable<String> of extensions, not a comma-separated String.


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/686f934c
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/686f934c
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/686f934c

Branch: refs/heads/master
Commit: 686f934c9de800b13420657d35ea201c2a2e2c94
Parents: 3297e3c
Author: Martin Tzvetanov Grigorov <mg...@apache.org>
Authored: Tue Mar 27 10:53:03 2012 +0200
Committer: Martin Tzvetanov Grigorov <mg...@apache.org>
Committed: Tue Mar 27 10:53:03 2012 +0200

----------------------------------------------------------------------
 .../resource/locator/ResourceStreamLocator.java    |   22 +++++++++++----
 1 files changed, 16 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/686f934c/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
index 7e614b7..2cbbc2a 100644
--- a/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
+++ b/wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java
@@ -19,6 +19,7 @@ package org.apache.wicket.core.util.resource.locator;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.Arrays;
+import java.util.Collections;
 import java.util.Locale;
 
 import org.apache.wicket.Application;
@@ -255,28 +256,37 @@ public class ResourceStreamLocator implements IResourceStreamLocator
 	public ResourceNameIterator newResourceNameIterator(final String path, final Locale locale,
 		final String style, final String variation, final String extension, final boolean strict)
 	{
-		final Iterable<String> extensions = extension == null ? NO_EXTENSIONS : Arrays.asList(extension);
+		final Iterable<String> extensions;
 
 		final String realPath;
-		final String realExtension;
 
 		if ((extension == null) && (path != null) && (path.indexOf('.') != -1))
 		{
+			// extract the path and extension
 			realPath = Strings.beforeLast(path, '.');
-			// for extensions with separator take the first extension
-			realExtension = Strings.afterLast(path, '.');
+			String realExtension = Strings.afterLast(path, '.');
 			if (realExtension.indexOf(',') > -1)
 			{
 				// multiple extensions are not allowed in the path parameter
+				// it could be an attack, so ignore it and pretend there are no resources
 				return new EmptyResourceNameIterator();
 			}
+			extensions = Collections.singleton(realExtension);
 		}
 		else
 		{
 			realPath = path;
-			realExtension = extension;
+			if (extension == null)
+			{
+				extensions = NO_EXTENSIONS;
+			}
+			else
+			{
+				String[] commaSeparated = Strings.split(extension, ',');
+				extensions = Arrays.asList(commaSeparated);
+			}
 		}
 
-		return new ResourceNameIterator(path, style, variation, locale, extensions, strict);
+		return new ResourceNameIterator(realPath, style, variation, locale, extensions, strict);
 	}
 }
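Review bot: The `if` condition splits on the last `.` anywhere in `path`, so a path whose last dot sits in a directory segment (constructed example: `some.dir/file`) would yield `realPath = "some"` and an extension of `dir/file`; this matters more now that `realPath` rather than `path` is passed to `ResourceNameIterator`. Requiring the dot to fall in the final segment sends such paths to the `else` branch with `NO_EXTENSIONS`: `if ((extension == null) && (path != null) && (path.lastIndexOf('.') > path.lastIndexOf('/')))`. Whether dotted directory names actually reach this method is not visible from the hunk, so this should be confirmed with a test. Separately, the comma rejection covers only the path-derived extension, while the `extension` argument is split on `,` by design; a comment such as `// 'extension' is caller-supplied and may list several extensions; only a path-derived extension is limited to one` would record that trust boundary. The method's Javadoc lies outside the hunk.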