Posted to commits@wicket.apache.org by "Ondra Žižka (JIRA)" <ji...@apache.org> on 2011/05/01 19:21:03 UTC

[jira] [Issue Comment Edited] (WICKET-3659) Resource path with ../ prints warning, is replaced with null/ but still works.

    [ https://issues.apache.org/jira/browse/WICKET-3659?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13027475#comment-13027475 ] 

Ondra Žižka edited comment on WICKET-3659 at 5/1/11 5:19 PM:
-------------------------------------------------------------

What is interesting:

If I remove "../",  i.e.  use 
{code}
        <link rel="shortcut icon" href="files/favicon.ico" type="image/x-icon">
{code}
then the rendered code is:
{code}
        <link rel="shortcut icon" href="files/favicon.ico" type="image/x-icon">
{code}

However, other resources are referenced in the same page as e.g.
{code}
	<link rel="stylesheet" type="text/css" href="files/layout-vut.css"/>
{code}
Which is rendered as
{code}
	<link rel="stylesheet" type="text/css" href="resources/org.xy.web.foo.FooPage/files/layout-vut.css"/>
{code}
Which seems as if the .ico file was treated differently from .css.

      was (Author: pekarna):
    What is interesting:

If I remove "../",  i.e.  use 
{code}
        <link rel="shortcut icon" href="../files/favicon.ico" type="image/x-icon">
{code}
then the rendered code is:
{code}
        <link rel="shortcut icon" href="files/favicon.ico" type="image/x-icon">
{code}

However, other resources are referenced in the same page as e.g.
{code}
	<link rel="stylesheet" type="text/css" href="files/layout-vut.css"/>
{code}
Which is rendered as
{code}
	<link rel="stylesheet" type="text/css" href="resources/org.xy.web.foo.FooPage/files/layout-vut.css"/>
{code}
Which seems as if the .ico file was treated differently from .css.
  
> Resource path with ../ prints warning, is replaced with null/ but still works.
> ------------------------------------------------------------------------------
>
>                 Key: WICKET-3659
>                 URL: https://issues.apache.org/jira/browse/WICKET-3659
>             Project: Wicket
>          Issue Type: Bug
>          Components: wicket-core
>    Affects Versions: 1.4.16
>            Reporter: Ondra Žižka
>
> I have an HTML page in org/xy/web/foobar/FooPage.html
> Then there's org/xy/web/files/favicon.ico
> The HTML page contains
> {code}
>    <wicket:link>
>        <link rel="shortcut icon" href="../files/favicon.ico" type="image/x-icon">
>    </wicket:link>
> {code}
> This warning is printed:
>   May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey SEVERE: Your path looks like: ../files/favicon.ico
>   May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey SEVERE: For security reasons moving up '../' is disabled by default. Please see
>   May 1, 2011 6:26:22 PM org.apache.wicket.SharedResources resourceKey SEVERE: IResourceSettings.getParentFolderPlaceholder() and PackageResourceGuard for more details
> However, the rendered code contains path
>   resources/org.xy.web.foo.FooPage/null/files/favicon.ico"
> And the file is served.
