Posted to commits@wicket.apache.org by "Sebastiaan van Erk (Created) (JIRA)" <ji...@apache.org> on 2012/02/24 17:46:49 UTC
[jira] [Created] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
----------------------------------------------------------------------------------------------------------------
Key: WICKET-4430
URL: https://issues.apache.org/jira/browse/WICKET-4430
Project: Wicket
Issue Type: Bug
Components: wicket
Affects Versions: 1.4.18
Reporter: Sebastiaan van Erk
Priority: Critical
Using "int" as scope, it is possible to access arbitrary resources from the classpath of a Wicket application. For example, the URL:
http://localhost:8080/ritten/resources/int/myfile.txt
accesses the myfile.txt in the root of the classpath. Combined with WICKET-1427 this allows arbitrary resources to be downloaded, i.e., like this:
localhost:8080/myapp/resources/int/wicket.properties,xml
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Description:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
was:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
http://localhost:8080/wicket/resource/int/wicket.properties,/
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
[jira] [Commented] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Peter Ertl (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216498#comment-13216498 ]
Peter Ertl commented on WICKET-4430:
------------------------------------
made extension iterator in 6.0 more safe by replacing 'comma-separated-extensions-spring' with Iterable<String>
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
> Fix For: 1.4.20, 1.5.5, 6.0.0
>
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Description:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/ritten/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
was:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/ritten/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
localhost:8080/myapp/resources/int/wicket.properties,xml
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/ritten/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
[jira] [Reopened] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Peter Ertl (Reopened) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl reopened WICKET-4430:
--------------------------------
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
> Fix For: 1.4.20, 1.5.5, 6.0.0
>
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
[jira] [Updated] (WICKET-4430) test 2
Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl updated WICKET-4430:
-------------------------------
Comment: was deleted
(was: made extension iterator in 6.0 more safe by replacing 'comma-separated-extensions-spring' with Iterable<String>)
> test 2
> ------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Wish
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Trivial
>
[jira] [Resolved] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Peter Ertl (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl resolved WICKET-4430.
--------------------------------
Resolution: Invalid
Fix Version/s: (was: 1.5.5)
(was: 1.4.20)
(was: 6.0.0)
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
[jira] [Commented] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215752#comment-13215752 ]
Sebastiaan van Erk commented on WICKET-4430:
--------------------------------------------
I just discovered that if you request /resources/int/ it actually gives you a directory listing of the root folder of the war (if it is unpacked).
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/ritten/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl updated WICKET-4430:
-------------------------------
Affects Version/s: 6.0.0
Assignee: Peter Ertl
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
[jira] [Updated] (WICKET-4430) test 2
Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl updated WICKET-4430:
-------------------------------
Component/s: (was: wicket)
Description: (was: Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
http://localhost:8080/wicket/resource/int/wicket.properties,/bla/)
Priority: Trivial (was: Critical)
Affects Version/s: (was: 1.5.4)
(was: 1.4.18)
(was: 6.0.0)
Issue Type: Wish (was: Bug)
Summary: test 2 (was: By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application)
> test 2
> ------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Wish
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Trivial
>
[jira] [Updated] (WICKET-4430) test 2
Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl updated WICKET-4430:
-------------------------------
Comment: was deleted
(was: thanks for reporting, sebastiaan!
the problem was that the resource anchor class was a java primitive (e.g. int, float) that effectively links to the default (or better, null) package ... should be fixed in current trunk for 1.4, 1.5 and 6.0 ... please verify and confirm)
> test 2
> ------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Wish
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Trivial
>
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Description:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
http://localhost:8080/wicket/resource/int/%2Fwicket.properties,/
was:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
Affects Version/s: 1.5.4
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/%2Fwicket.properties,/
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Description:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/ritten/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
localhost:8080/myapp/resources/int/wicket.properties,xml
was:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/ritten/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-1427 this allows arbitrary resources to be downloaded, i.e., like this:
localhost:8080/myapp/resources/int/wicket.properties,xml
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/ritten/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> localhost:8080/myapp/resources/int/wicket.properties,xml
[jira] [Resolved] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Peter Ertl (Resolved) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peter Ertl resolved WICKET-4430.
--------------------------------
Resolution: Fixed
Fix Version/s: 6.0.0
1.5.5
1.4.20
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
> Fix For: 1.4.20, 1.5.5, 6.0.0
>
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Description:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
http://localhost:8080/wicket/resource/int/wicket.properties,/
was:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
http://localhost:8080/wicket/resource/int/%2Fwicket.properties,/
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/
[jira] [Updated] (WICKET-4430) test 2
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Comment: was deleted
(was: I just discovered that if you request /resources/int/ it actually gives you a directory listing of the root folder of the war (if it is unpacked).)
> test 2
> ------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Wish
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Trivial
>
[jira] [Commented] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Peter Ertl (Commented) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216186#comment-13216186 ]
Peter Ertl commented on WICKET-4430:
------------------------------------
thanks for reporting, sebastiaan!
the problem was that the resource anchor class was a java primitive (e.g. int, float) that effectively links to the default (or better, null) package ... should be fixed in current trunk for 1.4, 1.5 and 6.0 ... please verify and confirm
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18, 1.5.4, 6.0.0
> Reporter: Sebastiaan van Erk
> Assignee: Peter Ertl
> Priority: Critical
> Fix For: 1.4.20, 1.5.5, 6.0.0
>
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml
> In wicket 1.5.4 I've succeeded in getting the wicket.properties file as follows:
> http://localhost:8080/wicket/resource/int/wicket.properties,/bla/
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
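The root cause named in the comment above (a primitive such as int used as the resource anchor class, which has no package), shown as an added example that is not Wicket's code and not part of the original thread. The names ScopeCheck, resolveScope, packagePath, naivePath and checkedPath are hypothetical, and the primitive-name table is an assumption standing in for a class resolver that accepts names such as "int".

```java
import java.util.Map;

public class ScopeCheck {

    // Assumption: the framework's class resolver also accepts primitive type
    // names. Plain Class.forName("int") would throw, so this table models it.
    private static final Map<String, Class<?>> PRIMITIVES = Map.of(
            "int", int.class, "long", long.class, "short", short.class,
            "byte", byte.class, "char", char.class, "float", float.class,
            "double", double.class, "boolean", boolean.class, "void", void.class);

    static Class<?> resolveScope(String name) throws ClassNotFoundException {
        Class<?> primitive = PRIMITIVES.get(name);
        return primitive != null ? primitive : Class.forName(name);
    }

    // Package of the scope class as a classpath directory.
    // A class without a package (every primitive) yields "", the classpath root.
    static String packagePath(Class<?> scope) {
        String className = scope.getName();
        int lastDot = className.lastIndexOf('.');
        return lastDot < 0 ? "" : className.substring(0, lastDot).replace('.', '/') + "/";
    }

    // Before: any resolvable scope is accepted, so scope "int" anchors the
    // lookup at the classpath root instead of inside a package.
    static String naivePath(String scopeName, String resource) throws ClassNotFoundException {
        return packagePath(resolveScope(scopeName)) + resource;
    }

    // After: refuse scopes that cannot anchor a package-relative lookup, and
    // refuse resource names that are empty or absolute.
    static String checkedPath(String scopeName, String resource) throws ClassNotFoundException {
        Class<?> scope = resolveScope(scopeName);
        if (scope.isPrimitive() || scope.isArray() || packagePath(scope).isEmpty()) {
            throw new SecurityException("scope has no package: " + scopeName);
        }
        // An empty name would address the directory itself; a leading slash
        // (for instance from a decoded %2F) would escape the scope's package.
        if (resource.isEmpty() || resource.startsWith("/")) {
            throw new SecurityException("illegal resource name: " + resource);
        }
        return packagePath(scope) + resource;
    }

    public static void main(String[] args) throws Exception {
        // A normal scope keeps the lookup inside its own package.
        System.out.println("naive,   scope java.lang.String: "
                + naivePath("java.lang.String", "myfile.txt"));
        // A primitive scope collapses the prefix to the classpath root.
        System.out.println("naive,   scope int:              "
                + naivePath("int", "myfile.txt"));

        System.out.println("checked, scope java.lang.String: "
                + checkedPath("java.lang.String", "myfile.txt"));
        try {
            checkedPath("int", "myfile.txt");
        } catch (SecurityException e) {
            System.out.println("checked, scope int:              rejected (" + e.getMessage() + ")");
        }
    }
}
```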
[jira] [Updated] (WICKET-4430) By using int as the scope, it is
possible to read arbitrary resources from the classpath of a wicket
application
Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/WICKET-4430?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sebastiaan van Erk updated WICKET-4430:
---------------------------------------
Description:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/myapp/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
was:
Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
http://localhost:8080/ritten/resources/int/myfile.txt
access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
http://localhost:8080/myapp/resources/int/wicket.properties,xml
> By using int as the scope, it is possible to read arbitrary resources from the classpath of a wicket application
> ----------------------------------------------------------------------------------------------------------------
>
> Key: WICKET-4430
> URL: https://issues.apache.org/jira/browse/WICKET-4430
> Project: Wicket
> Issue Type: Bug
> Components: wicket
> Affects Versions: 1.4.18
> Reporter: Sebastiaan van Erk
> Priority: Critical
>
> Using "int" as scope, it is possible to access arbitrary resources in from the classpath of a wicket application, for example, using the url:
> http://localhost:8080/myapp/resources/int/myfile.txt
> access the myfile.txt in the root of the classpath. Combined with WICKET-4427 this allows arbitrary resources to be downloaded, i.e., like this:
> http://localhost:8080/myapp/resources/int/wicket.properties,xml