Wicket / WICKET-5319

CryptoMapper encrypts external URLs in ResourceReferences making the resources inaccessible

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 6.9.1
    • Fix Version/s: 6.11.0, 7.0.0-M1
    • Component/s: None
    • Labels:
      None
    • Environment:
      Linux

      Description

      Short Description:

      CryptoMapper encrypts links to resources with URLs of the form:

      • http://domain/path/script.js
      • /local/absolute/path/script.js

      Additionally there might be some inconsistencies in handling URLs in instances of ResourceReference.

      The problem occurs when JavaScript resources are included in the following way:

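      @Override
      public void renderHead(IHeaderResponse response)
      {
          super.renderHead(response);

          // External script that is not served by Wicket
          UrlResourceReference reference = new UrlResourceReference(Url.parse("http://domain/path/script.js"));
          // render() takes a HeaderItem, so the reference is wrapped in one
          response.render(JavaScriptHeaderItem.forReference(reference));
      }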

      The resulting JavaScript links can't be loaded (404 is returned) when CryptoMapper is used.

      This is a minor problem, because the following always works for JavaScript files not served by Wicket ("external JavaScript files"):

      response.render(new StringHeaderItem("<script type=\"text/javascript\" src=\"//domain/myPath/manual.js\"></script>"));

      Ways to reproduce:

      A code example for wicket-examples is attached (example.zip)
      Local URLs:
      http://localhost:8080/enc/index
      http://localhost:8080/unenc/index

      Possible fix:

      • disable encryption for URLs beginning with '/', '<schema>://' and '//' and not served/filtered by Wicket
      • (define different reference classes for external files and files served/filtered by Wicket, issue warnings when a wrong URL type is supplied by the user or treat URLs beginning with '/', '<schema>://' and '//' differently)

      Thank you

      1. 5319.tar.gz
        19 kB
        Walter B. Rasmann
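
The first proposed fix, sketched as an added example (not code from the report or from Wicket): classify a URL by the prefixes the report lists and skip encryption for anything that is not under the Wicket filter path. The class, the method names and the `/enc/` filter path are assumptions, `java.net.URI` stands in for Wicket's own `Url` type, and treating every URL that names a host as external is a simplification.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration; class and method names are hypothetical, not Wicket API.
public class ExternalUrlFilter {

    enum Kind { FULL, PROTOCOL_RELATIVE, ABSOLUTE_PATH, RELATIVE }

    static URI parse(String url) {
        try {
            // normalize() collapses dot segments, so "/enc/../x" is judged as "/x"
            return new URI(url).normalize();
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("unparseable URL: " + url, e);
        }
    }

    // Classify by the three prefixes named in the report.
    static Kind classify(URI uri) {
        if (uri.getScheme() != null) return Kind.FULL;                       // "<scheme>://host/..."
        if (uri.getRawAuthority() != null) return Kind.PROTOCOL_RELATIVE;    // "//host/..."
        String path = uri.getRawPath();
        if (path != null && path.startsWith("/")) return Kind.ABSOLUTE_PATH; // "/path/..."
        return Kind.RELATIVE;
    }

    // True if an encrypting mapper should encrypt this URL.
    // filterPath is the path the Wicket filter is mounted on (assumed value).
    static boolean shouldEncrypt(String url, String filterPath) {
        URI uri = parse(url);
        switch (classify(uri)) {
            case FULL:
            case PROTOCOL_RELATIVE:
                return false; // assumption: a URL that names a host is served elsewhere
            case ABSOLUTE_PATH:
                return uri.getRawPath().startsWith(filterPath); // only paths Wicket serves
            default:
                return true;  // relative URLs resolve against a Wicket-served page
        }
    }

    public static void main(String[] args) {
        String filterPath = "/enc/"; // constructed to match the report's /enc/index page
        String[] samples = {
            "http://domain/path/script.js",    // from the report
            "//domain/myPath/manual.js",       // from the report
            "/local/absolute/path/script.js",  // from the report
            "/enc/wicket/resource/app.js",     // constructed
            "/enc/../local/script.js",         // constructed: dot segment leaves the filter path
            "wicket/resource/app.js"           // constructed
        };
        for (String s : samples) {
            System.out.printf("%-32s %-18s encrypt=%b%n",
                    s, classify(parse(s)), shouldEncrypt(s, filterPath));
        }
    }
}
```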

        Activity

        Walter B. Rasmann created issue -
        Walter B. Rasmann made changes -
        Field Original Value New Value
        Attachment jsref.tar.gz [ 12598430 ]
        Walter B. Rasmann made changes -
        Attachment jsref.tar.gz [ 12598430 ]
        Walter B. Rasmann made changes -
        Attachment 5319.tar.gz [ 12598731 ]
        Sven Meier made changes -
        Status Open [ 1 ] Closed [ 6 ]
        Assignee Sven Meier [ svenmeier ]
        Fix Version/s 7.0.0 [ 12322958 ]
        Fix Version/s 6.11.0 [ 12324874 ]
        Resolution Fixed [ 1 ]

          People

          • Assignee: Sven Meier
          • Reporter: Walter B. Rasmann
          • Votes: 0
          • Watchers: 2
