Posted to commits@wicket.apache.org by pe...@apache.org on 2012/02/25 02:01:59 UTC
git commit: WICKET-4432: Possible to escape from package resource
scope by inserting escaped slash (%2F)
Updated Branches:
refs/heads/wicket-1.5.x 3783e6ecb -> 667ae4a5f
WICKET-4432: Possible to escape from package resource scope by inserting escaped slash (%2F)
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/667ae4a5
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/667ae4a5
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/667ae4a5
Branch: refs/heads/wicket-1.5.x
Commit: 667ae4a5fc4c756112de98c8aed601b8b3a956ec
Parents: 3783e6e
Author: Peter Ertl <pe...@apache.org>
Authored: Sat Feb 25 02:01:49 2012 +0100
Committer: Peter Ertl <pe...@apache.org>
Committed: Sat Feb 25 02:01:49 2012 +0100
----------------------------------------------------------------------
.../mapper/BasicResourceReferenceMapper.java | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/667ae4a5/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
----------------------------------------------------------------------
diff --git a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
index 09b22d2..8e5e21f 100755
--- a/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
+++ b/wicket-core/src/main/java/org/apache/wicket/request/mapper/BasicResourceReferenceMapper.java
@@ -32,6 +32,7 @@ import org.apache.wicket.request.resource.ResourceReference;
import org.apache.wicket.request.resource.caching.IResourceCachingStrategy;
import org.apache.wicket.request.resource.caching.ResourceUrl;
import org.apache.wicket.util.IProvider;
+import org.apache.wicket.util.crypt.StringUtils;
import org.apache.wicket.util.lang.WicketObjects;
import org.apache.wicket.util.string.Strings;
import org.slf4j.Logger;
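Review bot: The added `import org.apache.wicket.util.crypt.StringUtils;` is not referenced by anything visible in this commit, since the new check in the second hunk calls `String.contains` on the segment directly. Unless code outside these hunks uses it, the import is dead and should be dropped. Leaving it in also wrongly suggests that the path-segment validation depends on a crypt utility.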
@@ -94,6 +95,12 @@ class BasicResourceReferenceMapper extends AbstractResourceReferenceMapper
{
String segment = url.getSegments().get(i);
+ // ignore invalid segments
+ if (segment.contains("/"))
+ {
+ return null;
+ }
+
// remove caching information
if (i + 1 == segmentsSize && Strings.isEmpty(segment) == false)
{
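Review bot: The comment `// ignore invalid segments` above the new `segment.contains("/")` check does not say why a slash makes a segment invalid, and that reason is the whole security fix. The segments appear to arrive already URL-decoded, so a `/` inside one can only come from an encoded `%2F` and would otherwise be carried into the resource name built from these segments. I would write `// a decoded segment containing '/' came from %2F and could escape the package resource scope (WICKET-4432)`. The `return null` is silent, so a debug- or warn-level message through the class's slf4j logger would leave a trace when such a request is rejected. The diffstat lists only this file, so a mapper test asserting that a URL with `%2F` in a segment is not mapped would pin the fix; the enclosing loop and method start and end outside the hunk.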