Posted to commits@wicket.apache.org by pe...@apache.org on 2012/02/25 02:01:59 UTC

git commit: WICKET-4432: Possible to escape from package resource scope by inserting escaped slash (%2F)

Updated Branches:
  refs/heads/wicket-1.5.x 3783e6ecb -> 667ae4a5f


WICKET-4432: Possible to escape from package resource scope by inserting escaped slash (%2F)


Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/667ae4a5
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/667ae4a5
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/667ae4a5

Branch: refs/heads/wicket-1.5.x
Commit: 667ae4a5fc4c756112de98c8aed601b8b3a956ec
Parents: 3783e6e
Author: Peter Ertl <pe...@apache.org>
Authored: Sat Feb 25 02:01:49 2012 +0100
Committer: Peter Ertl <pe...@apache.org>
Committed: Sat Feb 25 02:01:49 2012 +0100

----------------------------------------------------------------------
 .../mapper/BasicResourceReferenceMapper.java       |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/wicket/blob/667ae4a5/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
index 09b22d2..8e5e21f 100755
--- a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
+++ b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
@@ -32,6 +32,7 @@ import org.apache.wicket.request.resource.ResourceReference;
 import org.apache.wicket.request.resource.caching.IResourceCachingStrategy;
 import org.apache.wicket.request.resource.caching.ResourceUrl;
 import org.apache.wicket.util.IProvider;
+import org.apache.wicket.util.crypt.StringUtils;
 import org.apache.wicket.util.lang.WicketObjects;
 import org.apache.wicket.util.string.Strings;
 import org.slf4j.Logger;
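Review bot: The added import `org.apache.wicket.util.crypt.StringUtils` is not referenced by anything this commit adds; the new guard in the second hunk uses `String.contains` and the already-imported `Strings`. Unless the name is used elsewhere in the file (not visible here), it looks like a leftover from an earlier draft and should be dropped, since an import from the `crypt` package suggests decoding or cryptographic handling that this change does not perform.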
@@ -94,6 +95,12 @@ class BasicResourceReferenceMapper extends AbstractResourceReferenceMapper
 			{
 				String segment = url.getSegments().get(i);
 
+				// ignore invalid segments
+				if (segment.contains("/"))
+				{
+					return null;
+				}
+
 				// remove caching information
 				if (i + 1 == segmentsSize && Strings.isEmpty(segment) == false)
 				{
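Review bot: The new guard rejects a segment only when it contains a forward slash, so a segment equal to `..` or one carrying a backslash still passes and is appended to the resource path; whether either can leave the package scope depends on how the joined path is resolved downstream, which is outside this hunk, so that path should be confirmed or the filter widened to `if (segment.contains("/") || segment.contains("\\") || "..".equals(segment))`. Returning null silently also discards what is most likely a malformed or deliberately crafted request; the class already imports slf4j, so a debug log of the rejected segment before the `return null` would help when diagnosing such requests without changing the mapper's behaviour. The comment `// ignore invalid segments` would also be clearer as `// reject segments containing a (decoded) path separator, e.g. %2F, so the scope package cannot be escaped`, since the check exists for security rather than tolerance. The enclosing loop and the method it belongs to both begin before and end after this hunk.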