Wicket
  1. Wicket
  2. WICKET-1728

remove obsolete check from LocalizedImageResource

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.3.5, 1.4-RC1
    • Component/s: wicket
    • Labels:
      None

      Description

      LocalizedImageResource contains an unnecessary check for parent-relative resources that is not needed anymore:

      WicketRuntimeException: "The 'src' attribute must not contain
      any of the following strings: '..', './', '/.': ........

      Since WICKET-1428 was successfully closed wicket can handle parent-relative (..) links (in both 1.3 and 1.4).

      So please remove this check:

      org.apache.wicket.markup.html.image.resource.LocalizedImageResource:

      private void loadStaticImage(final String path)
      {
      if ((path.indexOf("..") != -1) || (path.indexOf("./") != -1) || (path.indexOf("/.") != -1))

      { throw new WicketRuntimeException( "The 'src' attribute must not contain any of the following strings: '..', './', '/.': path=" + path); }

      // .... SNIP ....
      }

      I did several tests with 1.3 and 1.4. Everything works like a charm now (once that nasty check is away

      1. wicket-1728-for-1.3.x.patch
        3 kB
        Peter Ertl
      2. wicket-1728-for-1.4.x.patch
        3 kB
        Peter Ertl

        Activity

        Igor Vaynberg made changes -
        Status Open [ 1 ] Resolved [ 5 ]
        Fix Version/s 1.4-M4 [ 12313295 ]
        Fix Version/s 1.3.5 [ 12313175 ]
        Resolution Fixed [ 1 ]
        Igor Vaynberg made changes -
        Assignee Igor Vaynberg [ ivaynberg ]
        Peter Ertl made changes -
        Attachment wicket-1728-for-1.4.x.patch [ 12385847 ]
        Attachment wicket-1728-for-1.3.x.patch [ 12385846 ]
        Peter Ertl made changes -
        Attachment wicket-1.4.x.patch [ 12385189 ]
        Peter Ertl made changes -
        Attachment wicket-1.3.x.patch [ 12385188 ]
        Peter Ertl made changes -
        Description LocalizedImageResource contains an unnecessary check that is not needed anymore:

        When you try this:

          JAVA

            add(new Image("icon"));

          HTML

           <img wicket:id="icon" src="../../images/icon.gif"/>


        You will fail with

           WicketRuntimeException: "The 'src' attribute must not contain any of the following strings: '..', './', '/.': ........



        After some investigation I found that

          org.apache.wicket.markup.html.image.resource.LocalizedImageResource

        contains the following check:


        private void loadStaticImage(final String path)
        {
        if ((path.indexOf("..") != -1) || (path.indexOf("./") != -1) || (path.indexOf("/.") != -1))
        {
        throw new WicketRuntimeException(
        "The 'src' attribute must not contain any of the following strings: '..', './', '/.': path=" +
        path);
        }

                // SNIP

        final Class scope = parent.getClass();
        resourceReference = new ResourceReference(scope, path)
        {
        // SNIP
        };
        // SNIP
        }


        As some wicket devs will probably remember wicket couldn't handle parent-relative (..) links in the past. However, since WICKET-1428 was applied successfully this now works in 1.3 and 1.4. I removed the check and could successfully test the above example.

          The image link will looks like this:

            resources/testapp.pages.TestPage/$up$/$up$/images/icon.gif

          See https://issues.apache.org/jira/browse/WICKET-1428 for details.


        So please remove that obsolete check (patches are included).
        LocalizedImageResource contains an unnecessary check for parent-relative resources that is not needed anymore:

          WicketRuntimeException: "The 'src' attribute must not contain
          any of the following strings: '..', './', '/.': ........

        Since WICKET-1428 was successfully closed wicket can handle parent-relative (..) links (in both 1.3 and 1.4).

        So please remove this check:

          org.apache.wicket.markup.html.image.resource.LocalizedImageResource:

          private void loadStaticImage(final String path)
          {
        if ((path.indexOf("..") != -1) || (path.indexOf("./") != -1) || (path.indexOf("/.") != -1))
        {
        throw new WicketRuntimeException(
        "The 'src' attribute must not contain any of the following strings: '..', './', '/.': path=" + path);
        }

              // .... SNIP ....
          }


        I did several tests with 1.3 and 1.4. Everything works like a charm now (once that nasty check is away :-)
        Peter Ertl made changes -
        Description When you try this:

          JAVA

            add(new Image("icon"));

          HTML

           <img wicket:id="icon" src="../../images/icon.gif"/>


        You will fail with

           WicketRuntimeException: "The 'src' attribute must not contain any of the following strings: '..', './', '/.': ........



        After some investigation I found that

          org.apache.wicket.markup.html.image.resource.LocalizedImageResource

        contains the following check:


        private void loadStaticImage(final String path)
        {
        if ((path.indexOf("..") != -1) || (path.indexOf("./") != -1) || (path.indexOf("/.") != -1))
        {
        throw new WicketRuntimeException(
        "The 'src' attribute must not contain any of the following strings: '..', './', '/.': path=" +
        path);
        }

                // SNIP

        final Class scope = parent.getClass();
        resourceReference = new ResourceReference(scope, path)
        {
        // SNIP
        };
        // SNIP
        }


        As some wicket devs will probably remember wicket couldn't handle parent-relative (..) links in the past. However, since WICKET-1428 was applied successfully this now works in 1.3 and 1.4. I removed the check and could successfully test the above example.

          The image link will looks like this:

            resources/testapp.pages.TestPage/$up$/$up$/images/icon.gif

          See https://issues.apache.org/jira/browse/WICKET-1428 for details.


        So please remove that obsolete check (patches are included).
        LocalizedImageResource contains an unnecessary check that is not needed anymore:

        When you try this:

          JAVA

            add(new Image("icon"));

          HTML

           <img wicket:id="icon" src="../../images/icon.gif"/>


        You will fail with

           WicketRuntimeException: "The 'src' attribute must not contain any of the following strings: '..', './', '/.': ........



        After some investigation I found that

          org.apache.wicket.markup.html.image.resource.LocalizedImageResource

        contains the following check:


        private void loadStaticImage(final String path)
        {
        if ((path.indexOf("..") != -1) || (path.indexOf("./") != -1) || (path.indexOf("/.") != -1))
        {
        throw new WicketRuntimeException(
        "The 'src' attribute must not contain any of the following strings: '..', './', '/.': path=" +
        path);
        }

                // SNIP

        final Class scope = parent.getClass();
        resourceReference = new ResourceReference(scope, path)
        {
        // SNIP
        };
        // SNIP
        }


        As some wicket devs will probably remember wicket couldn't handle parent-relative (..) links in the past. However, since WICKET-1428 was applied successfully this now works in 1.3 and 1.4. I removed the check and could successfully test the above example.

          The image link will looks like this:

            resources/testapp.pages.TestPage/$up$/$up$/images/icon.gif

          See https://issues.apache.org/jira/browse/WICKET-1428 for details.


        So please remove that obsolete check (patches are included).
        Peter Ertl made changes -
        Field Original Value New Value
        Attachment wicket-1.3.x.patch [ 12385188 ]
        Attachment wicket-1.4.x.patch [ 12385189 ]
        Peter Ertl created issue -

          People

          • Assignee:
            Igor Vaynberg
            Reporter:
            Peter Ertl
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development