Posted to users@wicket.apache.org by Daniel Stoch <da...@gmail.com> on 2016/05/31 14:51:48 UTC

Resource caching - validation of user entered version

Hi,

By default Wicket (6.x) uses IResourceCachingStrategy which generates
resource urls like this one:
http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-1E0DAFB24FE33C93370DE13BF6FFE77F.js

But as a user I can generate almost any version number in this URL and
it will be handled correctly by Wicket. For example, these URLs still
work OK:
http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-123.js
http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver--alert('1');return
false;.js

Is it the desired behavior, or should Wicket maybe reject such
"incorrect" versions? Could it be a security issue?

--
Best regards,
Daniel

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@wicket.apache.org
For additional commands, e-mail: users-help@wicket.apache.org


Re: Resource caching - validation of user entered version

Posted by Daniel Stoch <da...@gmail.com>.
Thanks for the fast answer :)

--
Daniel

On Tue, May 31, 2016 at 4:54 PM, Martin Grigorov <mg...@apache.org> wrote:
> Hi,
>
> The version is intended to be used by the browser for client side caching,
> not by Wicket. That's why it is just stripped off by Wicket without any
> validation.
> Actually if Wicket rejects it then you won't be able to update your
> resources in new application versions.
>
> Martin Grigorov
> Wicket Training and Consulting
> https://twitter.com/mtgrigorov
>
> On Tue, May 31, 2016 at 4:51 PM, Daniel Stoch <da...@gmail.com>
> wrote:
>
>> Hi,
>>
>> By default Wicket (6.x) uses IResourceCachingStrategy which generates
>> resource urls like this one:
>>
>> http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-1E0DAFB24FE33C93370DE13BF6FFE77F.js
>>
>> But as a user I can generate almost any version number in this URL and
>> it will be handled correctly by Wicket. For example, these URLs still
>> work OK:
>>
>> http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-123.js
>>
>> http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver--alert('1');return
>> false;.js
>>
>> Is it the desired behavior, or should Wicket maybe reject such
>> "incorrect" versions? Could it be a security issue?
>>
>> --
>> Best regards,
>> Daniel
>>



Re: Resource caching - validation of user entered version

Posted by Martin Grigorov <mg...@apache.org>.
Hi,

The version is intended to be used by the browser for client side caching,
not by Wicket. That's why it is just stripped off by Wicket without any
validation.
Actually if Wicket rejects it then you won't be able to update your
resources in new application versions.

Martin Grigorov
Wicket Training and Consulting
https://twitter.com/mtgrigorov

On Tue, May 31, 2016 at 4:51 PM, Daniel Stoch <da...@gmail.com>
wrote:

> Hi,
>
> By default Wicket (6.x) uses IResourceCachingStrategy which generates
> resource urls like this one:
>
> http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-1E0DAFB24FE33C93370DE13BF6FFE77F.js
>
> But as a user I can generate almost any version number in this URL and
> it will be handled correctly by Wicket. For example, these URLs still
> work OK:
>
> http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver-123.js
>
> http://host/myapp/wicket/resource/com.mycompany.BootstrapBehavior/js/timepicker/bootstrap-timepicker-ver--alert('1');return
> false;.js
>
> Is it the desired behavior, or should Wicket maybe reject such
> "incorrect" versions? Could it be a security issue?
>
> --
> Best regards,
> Daniel
>
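Added illustration of the strip-without-validation behaviour Martin describes, as a small Python model of a "-ver-<hash>" filename caching strategy. This is example code written for this page, not Wicket's implementation: the resource contents, the `version_of`, `decorate`, `split_version`, `undecorate_*`, `serve` and `old_url_survives_redeploy` names, and the choice of MD5 for the hash are all assumptions; the thread itself only shows the `-ver-` prefix and a 32-character hex version. The script-looking URL from the thread is written here with a space where the mail wrapped it.

```python
"""Model of a filename-with-version resource caching strategy (the "-ver-<hash>"
scheme seen in the thread). Constructed example; not Wicket's own code."""
import hashlib
import re
from typing import Callable, Dict, Optional, Tuple

VERSION_PREFIX = "-ver-"  # the prefix visible in the URLs in the thread

# Constructed stand-in for the static resource; the real file is not on the page.
RESOURCES: Dict[str, bytes] = {
    "js/timepicker/bootstrap-timepicker.js":
        b"/* constructed sample, not the real timepicker */\nfunction tp() {}\n",
}


def version_of(content: bytes) -> str:
    """Cache-busting version derived from content. MD5 hex is an assumption; it
    has the same 32-hex-character shape as the version in the first URL above."""
    return hashlib.md5(content).hexdigest().upper()


def decorate(path: str) -> str:
    """Server side, at render time: name.js -> name-ver-<hash>.js."""
    base, dot, ext = path.rpartition(".")
    return f"{base}{VERSION_PREFIX}{version_of(RESOURCES[path])}{dot}{ext}"


def split_version(requested: str) -> Tuple[str, Optional[str]]:
    """Return (undecorated path, version string or None if no prefix present)."""
    base, dot, ext = requested.rpartition(".")
    idx = base.rfind(VERSION_PREFIX)
    if idx == -1:
        return requested, None
    return base[:idx] + dot + ext, base[idx + len(VERSION_PREFIX):]


def undecorate_lenient(requested: str) -> str:
    """What Martin describes: strip the version and look at it no further.
    Any value, including the script-looking one, maps back to the same file,
    and the version text never reaches the response."""
    path, _version = split_version(requested)
    return path


HEX_VERSION = re.compile(r"[0-9A-Fa-f]+")


def undecorate_format_checked(requested: str) -> str:
    """Middle ground: accept any *well-formed* version so that stale URLs from
    HTML rendered before a redeploy still resolve, but reject junk outright."""
    path, version = split_version(requested)
    if version is not None and not HEX_VERSION.fullmatch(version):
        raise ValueError(f"malformed resource version: {version!r}")
    return path


def undecorate_exact(requested: str) -> str:
    """Reject anything but the current hash. This is what Martin warns against:
    once the resource changes, every URL carrying the old hash stops working."""
    path, version = split_version(requested)
    content = RESOURCES.get(path)
    if version is not None and content is not None and version != version_of(content):
        raise ValueError(f"stale or unknown resource version: {version!r}")
    return path


def serve(requested: str,
          undecorate: Callable[[str], str] = undecorate_lenient) -> Optional[bytes]:
    """Resolve a requested file name to resource bytes; None stands for a 404."""
    try:
        path = undecorate(requested)
    except ValueError:
        return None
    return RESOURCES.get(path)


def old_url_survives_redeploy(undecorate: Callable[[str], str]) -> bool:
    """Render a URL, change the resource (as a new application version would),
    and ask whether a page cached with the old URL still gets the resource."""
    path = "js/timepicker/bootstrap-timepicker.js"
    old_url = decorate(path)
    saved = RESOURCES[path]
    RESOURCES[path] = saved + b"// v2\n"
    try:
        return serve(old_url, undecorate) is not None
    finally:
        RESOURCES[path] = saved


if __name__ == "__main__":
    thread_urls = [
        decorate("js/timepicker/bootstrap-timepicker.js"),
        "js/timepicker/bootstrap-timepicker-ver-123.js",
        "js/timepicker/bootstrap-timepicker-ver--alert('1');return false;.js",
    ]
    for strategy in (undecorate_lenient, undecorate_format_checked, undecorate_exact):
        print(strategy.__name__, [serve(u, strategy) is not None for u in thread_urls],
              "old URL after redeploy:", old_url_survives_redeploy(strategy))
```

In this model the lenient variant behaves as Martin describes: all three URLs from the thread resolve to the same file, and the version text is discarded rather than echoed, so the `alert('1')` fragment in the path only matters if something outside the strategy (an access log viewer, an error page, application code) reflects the raw request URL. The format-checked variant rejects that fragment while keeping URLs with an older but well-formed hash working, which is the property Martin points out a strict check would lose; the exact variant shows that loss directly.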