Wicket / WICKET-5319

CryptoMapper encrypts external URLs in ResourceReferences making the resources inaccessible

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.9.1
    • Fix Version/s: 6.11.0, 7.0.0-M1
    • Component/s: None
    • Labels:
      None
    • Environment:
      Linux

      Description

      Short Description:

      CryptoMapper encrypts links to resources with URLs of the form:

      • http://domain/path/script.js
      • /local/absolute/path/script.js

      Additionally there might be some inconsistencies in handling URLs in instances of ResourceReference.

      The problem occurs when JavaScript resources are included in the following way:

      @Override
      public void renderHead(IHeaderResponse response)
      {
          super.renderHead(response);
          UrlResourceReference reference = new UrlResourceReference(Url.parse("http://domain/path/script.js"));
          response.render(reference);
      }

      The resulting JavaScript links can't be loaded (404 is returned) when CryptoMapper is used.

      This is a minor problem, because the following always works for JavaScript files not served by Wicket ("external JavaScript files"):

      response.render(new StringHeaderItem("<script type=\"text/javascript\" src=\"//domain/myPath/manual.js\"></script>"));

      Ways to reproduce:

      A code example for wicket-examples is attached (example.zip)
      Local URLs:
      http://localhost:8080/enc/index
      http://localhost:8080/unenc/index

      Possible fix:

      • disable encryption for URLs beginning with '/', '<schema>://' and '//' and not served/filtered by Wicket
      • (define different reference classes for external files and files served/filtered by Wicket, issue warnings when a wrong URL type is supplied by the user or treat URLs beginning with '/', '<schema>://' and '//' differently)

      Thank you

      1. 5319.tar.gz
        19 kB
        Walter B. Rasmann

        Activity

        Walter B. Rasmann created issue -
        Walter B. Rasmann added a comment -

        code example (runnable in wicket-examples)

        Walter B. Rasmann made changes -
        Field Original Value New Value
        Attachment jsref.tar.gz [ 12598430 ]
        Sven Meier added a comment -

        Please attach a runnable quickstart, thanks!

        Walter B. Rasmann made changes -
        Attachment jsref.tar.gz [ 12598430 ]
        Walter B. Rasmann added a comment -

        Quickstart added

        Walter B. Rasmann made changes -
        Attachment 5319.tar.gz [ 12598731 ]
        Sven Meier added a comment -

        I've changed CryptoMapper to not touch full Urls.

        There might be other cases still failing with UrlResourceReference pointing to resources on the same server but outside of Wicket.
        But the supplied quickstart works fine now.

        Sven Meier made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Assignee Sven Meier [ svenmeier ]
        Fix Version/s 7.0.0 [ 12322958 ]
        Fix Version/s 6.11.0 [ 12324874 ]
        Resolution Fixed [ 1 ]
        Walter B. Rasmann added a comment -

        Thank you very much. I will test my code with a snapshot as soon as possible.

        Transition: Open → Closed
        Time In Source Status: 5d 9h 16m
        Execution Times: 1
        Last Executer: Sven Meier
        Last Execution Date: 21/Aug/13 22:24
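
The pass-through decision discussed in this issue, as an added example (not Wicket's CryptoMapper code and not written by the reporter or assignee). It classifies the URL forms named above and compares a "full URLs only" rule with the broader rule proposed in the description; the class and method names, the Base64 stand-in for the cipher, and the last sample path are assumptions made for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Set;

// Added illustration, not Wicket code: models the pass-through decision only.
public class UrlPassThroughDemo {

    enum Kind { FULL, PROTOCOL_RELATIVE, CONTEXT_ABSOLUTE, RELATIVE }

    // Classify a URL string by the forms named in the issue.
    static Kind classify(String url) {
        if (url.startsWith("//")) {
            return Kind.PROTOCOL_RELATIVE;          // //domain/myPath/manual.js
        }
        URI uri = URI.create(url);
        if (uri.getScheme() != null && uri.getHost() != null) {
            return Kind.FULL;                       // http://domain/path/script.js
        }
        return url.startsWith("/") ? Kind.CONTEXT_ABSOLUTE : Kind.RELATIVE;
    }

    // Stand-in for the mapper's cipher. Base64 is NOT encryption; it only
    // makes the rewritten URLs visibly different in the output.
    static String obfuscate(String url) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(url.getBytes(StandardCharsets.UTF_8));
    }

    // Rewrite the URL unless its kind is in the pass-through set.
    static String map(String url, Set<Kind> passThrough) {
        return passThrough.contains(classify(url)) ? url : obfuscate(url);
    }

    public static void main(String[] args) {
        // Constructed sample URLs; the first three forms appear in the issue,
        // the last is a hypothetical framework-relative resource path.
        String[] samples = {
            "http://domain/path/script.js",
            "//domain/myPath/manual.js",
            "/local/absolute/path/script.js",
            "wicket/resource/com.example.HomePage/local.js"
        };
        Set<Kind> fullOnly = EnumSet.of(Kind.FULL);
        Set<Kind> reporterProposal =
            EnumSet.of(Kind.FULL, Kind.PROTOCOL_RELATIVE, Kind.CONTEXT_ABSOLUTE);

        for (String url : samples) {
            System.out.printf("%-18s %s%n  full-only : %s%n  proposal  : %s%n",
                classify(url), url, map(url, fullOnly), map(url, reporterProposal));
        }
    }
}
```

The string form alone cannot tell whether a context-absolute path is served by Wicket, which is the condition the description attaches to its proposal, so this model treats every such path alike. Any URL in the pass-through set is emitted in the clear, so the set should stay as narrow as the application allows.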

          People

          • Assignee: Sven Meier
          • Reporter: Walter B. Rasmann
          • Votes: 0
          • Watchers: 2
