Wicket / WICKET-5319

CryptoMapper encrypts external URLs in ResourceReferences making the resources inaccessible

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.9.1
    • Fix Version/s: 6.11.0, 7.0.0-M1
    • Component/s: None
    • Labels:
      None
    • Environment:
      Linux

      Description

      Short Description:

      CryptoMapper encrypts links to resources with URLs of the form:

      Additionally there might be some inconsistencies in handling URLs in instances of ResourceReference.

      The problem occurs when JavaScript resources are included in the following way:

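      @Override
      public void renderHead(IHeaderResponse response)
      {
          super.renderHead(response);
          // Reference to a script hosted outside the Wicket application
          UrlResourceReference reference = new UrlResourceReference(Url.parse("http://domain/path/script.js"));
          // IHeaderResponse.render() takes a HeaderItem, so the reference is wrapped
          response.render(JavaScriptHeaderItem.forReference(reference));
      }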

      The resulting JavaScript links can't be loaded (404 is returned) when CryptoMapper is used.

      This is a minor problem, because the following always works for JavaScript files not served by Wicket ("external JavaScript files"):

      response.render(new StringHeaderItem("<script type=\"text/javascript\" src=\"//domain/myPath/manual.js\"></script>"));

      Ways to reproduce:

      A code example for wicket-examples is attached (example.zip)
      Local URLs:
      http://localhost:8080/enc/index
      http://localhost:8080/unenc/index

      Possible fix:

      • disable encryption for URLs beginning with '/', '<schema>://' and '//' and not served/filtered by Wicket
      • (define different reference classes for external files and files served/filtered by Wicket, issue warnings when a wrong URL type is supplied by the user or treat URLs beginning with '/', '<schema>://' and '//' differently)

      Thank you

      1. 5319.tar.gz
        19 kB
        Walter B. Rasmann

        Activity

        Walter B. Rasmann added a comment -

        code example (runnable in wicket-examples)

        Sven Meier added a comment -

        Please attach a runnable quickstart, thanks!

        Walter B. Rasmann added a comment -

        Quickstart added

        Sven Meier added a comment -

        I've changed CryptoMapper to not touch full Urls.

        There might be other cases still failing with UrlResourceReference pointing to resources on the same server but outside of Wicket.
        But the supplied quickstart works fine now.
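
The pass-through behaviour described in the comment above, as an added example that is not part of the thread and is not Wicket's CryptoMapper code. The class and method names and the last two sample URLs are hypothetical, and Base64 stands in for the real encryption step.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added illustration only; hypothetical names, not Wicket's CryptoMapper. */
public class FullUrlPassThrough {

    /** True when the URL names its own authority: "<schema>://host/..." or "//host/...". */
    static boolean isFullUrl(String url) {
        try {
            return new URI(url).getRawAuthority() != null;
        } catch (URISyntaxException e) {
            // Unparsable input is not passed through; it takes the encrypted path.
            return false;
        }
    }

    /** Hypothetical stand-in for the mapper's encryption step (Base64 is NOT encryption). */
    static String encryptSegment(String url) {
        return "enc/" + Base64.getUrlEncoder().withoutPadding()
                .encodeToString(url.getBytes(StandardCharsets.UTF_8));
    }

    /** Leave full URLs untouched; transform every other URL. */
    static String mapForRendering(String url) {
        return isFullUrl(url) ? url : encryptSegment(url);
    }

    public static void main(String[] args) {
        String[] samples = {
            "http://domain/path/script.js",                   // from the report: full URL
            "//domain/myPath/manual.js",                      // from the report: protocol-relative
            "/static/outside-wicket.js",                      // constructed: same server, outside Wicket
            "wicket/resource/com.example.HomePage/script.js"  // constructed: served by Wicket
        };
        for (String s : samples) {
            System.out.printf("%-48s -> %s%n", s, mapForRendering(s));
        }
    }
}
```

The third sample is the case the comment flags as possibly still failing: a path-only URL carries no authority, so this check cannot tell a same-server resource outside Wicket from one Wicket serves, and it is still transformed.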

        Walter B. Rasmann added a comment -

        Thank you very much. I will test my code with a snapshot as soon as possible.


          People

          • Assignee:
            Sven Meier
            Reporter:
            Walter B. Rasmann
          • Votes:
            0
            Watchers:
            2
