Correct, I had to actually go back and scan through the class since it's been
a year since I've even looked at it!

ImageResource derives from DynamicWebResource.  So, in the
getResourceState() method I hard-coded a line that tests for a specific path
(i.e. "C:\\MyApp\\assets\\images") - if it does not contain it I feed an
alternate image into it that says "Resource could not be found...etc.".

Hopefully this ensures that as long as there is nothing but images in the
path being tested for, there should be no risk of someone discovering other
resources outside of that path, correct?

Does this seem safe enough?

Thanks again, very helpful!!


Eelco Hillenius wrote:
> 
>> I don't see how I'd be able to do that sort of path?  I need to provide
>> the full path for the reference to be found, since it's an external resource.
>> Obviously, I get a NullPointerException if I just type in what you show
>> in your example.
> 
> You have imageResource registered as a shared resource, right? Unless
> I'm missing something, that class is something you or your colleagues
> created yourselves, and it reads the "file" parameter to determine
> what needs to be served. All I'm proposing is to prepend whatever that
> file parameter returns with your base directory (just C:\ here).
> 
>> I must be missing something.  Either way, this could be a huge security
>> problem as I store other "assets" in these folders that definitely do
>> *not* want users discovering or gaining access to.
> 
> Have that imageResource implementation check that the resource may be
> accessed. Deny by default. You're potentially opening up your whole
> server if you don't so be very careful with this.
> 
> Eelco
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Displaying-images-remotely---HTML-email-tf4535313.html#a12949524
Sent from the Wicket - User mailing list archive at Nabble.com.
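As an added example (not code from this thread, from Wicket, or from the poster's ImageResource class), the snippet below shows the deny-by-default check Eelco describes: the client-supplied "file" parameter is resolved against a fixed base directory, canonicalised, and served only if the result is still inside that directory and names an image file. The caveat a practitioner would want is that testing whether the raw parameter contains the base-directory string is not the same check: ".." segments and symbolic links can keep the expected prefix in the string while the file actually opened lies elsewhere, so the comparison has to be made on the canonical path (toRealPath), not on the text of the request. The class name, method name, allowed extensions and the temporary directory layout built in main() are all assumptions made up for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Resolves a client-supplied "file" parameter against a fixed base directory.
 * Returns the canonical path only if it stays inside that directory and names
 * an existing regular file with an image extension; null in every other case
 * (deny by default). Class and method names are hypothetical.
 */
public final class ImagePathGuard {

    // Assumption: the application only serves these image types.
    private static final Set<String> ALLOWED_EXTENSIONS =
        new HashSet<>(Arrays.asList("png", "jpg", "jpeg", "gif"));

    private final Path baseDir;

    public ImagePathGuard(Path baseDir) throws IOException {
        // Canonicalise once so every later comparison uses the same form
        // (symlinks resolved, ".." removed, drive-letter case fixed on Windows).
        this.baseDir = baseDir.toRealPath();
    }

    /** Returns the resolved path, or null if the request must be denied. */
    public Path resolve(String fileParam) {
        if (fileParam == null || fileParam.isEmpty() || fileParam.indexOf('\0') >= 0) {
            return null; // empty or NUL-containing names are never valid here
        }
        Path candidate;
        try {
            // If fileParam is absolute, resolve() ignores baseDir entirely,
            // which is why the startsWith check below is what enforces containment.
            candidate = baseDir.resolve(fileParam).normalize();
        } catch (InvalidPathException e) {
            return null;
        }
        if (!candidate.startsWith(baseDir)) {
            return null; // ".." walked out of the image folder
        }
        Path real;
        try {
            // Resolve symlinks before trusting the prefix: a link inside the
            // image folder may point anywhere on the server.
            real = candidate.toRealPath();
        } catch (IOException e) {
            return null; // missing or unreadable file: deny, do not leak why
        }
        if (!real.startsWith(baseDir) || !Files.isRegularFile(real)) {
            return null;
        }
        String name = real.getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0) {
            return null;
        }
        String ext = name.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXTENSIONS.contains(ext) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: assets/images holds one image, and a
        // sibling assets/secrets folder must never be reachable through the guard.
        Path root = Files.createTempDirectory("guard");
        Path images = Files.createDirectories(root.resolve("assets").resolve("images"));
        Path secrets = Files.createDirectories(root.resolve("assets").resolve("secrets"));
        Files.write(images.resolve("logo.png"), new byte[] {(byte) 0x89, 'P', 'N', 'G'});
        Files.write(secrets.resolve("keys.txt"), "constructed secret".getBytes());

        ImagePathGuard guard = new ImagePathGuard(images);
        String[] requests = {
            "logo.png",                          // inside the folder: allowed
            "../secrets/keys.txt",               // traversal: denied
            "..\\secrets\\keys.txt",             // traversal on Windows, nonexistent name elsewhere: denied either way
            secrets.resolve("keys.txt").toString(), // absolute path: denied
            "logo.png\0.txt",                    // NUL byte: denied
            "missing.png",                       // not present: denied
        };
        for (String r : requests) {
            Path p = guard.resolve(r);
            System.out.println((p == null ? "DENY  " : "ALLOW ") + r.replace("\0", "\\0"));
        }
    }
}
```

Inside a Wicket resource this would sit wherever the "file" parameter is read, with a null result mapped to the "Resource could not be found" placeholder image or a 404 rather than to any file outside the folder.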

