I think the point of this version decoration is not to ensure a
particular version is requested, because typically only one version of
a file is available in the application.

The point is instead to defeat any caching, both in the browser and by
proxies, which might serve the user an outdated version. So I don't
think there needs to be any checking of that string.

Or is there an actual security impact that I'm missing?

Carl-Eric

On Mon, 25 May 2020 20:47:36 +0200
Daniel Stoch <daniel.st...@gmail.com> wrote:

> Hi,
> 
> Each resource in Wicket is decorated using a version string in a file
> name by default. It is implemented in
> FilenameWithVersionResourceCachingStrategy. Depending on DEVELOPMENT
> or DEPLOYMENT mode it looks like:
> jquery-ver-1590158412000.css
> jquery-ver-F334A4E46CB37347CAB42E2B1A45897C.css
> 
> There is a small security issue: this strategy does not check whether
> the version is correctly calculated for the specific resource, and it
> accepts any string as a version identifier, e.g.:
> jquery-ver-F334A4E46CB37347CAB42E2B1A45897C_old.css
> jquery-ver-F334A4E46CB37347CAB42E2B1A45897C_backup.css
> jquery-ver-XYZABCDEF.css
> etc.
> 
> Maybe we should add a check whether the version passed in the request
> is correct? Such a check is partially done in the decorateResponse()
> method. So maybe it is enough to add an else block here and raise some
> exception?
> 
> @Override
> public void decorateResponse(AbstractResource.ResourceResponse response,
>                              IStaticCacheableResource resource)
> {
>   String requestedVersion = RequestCycle.get().getMetaData(URL_VERSION);
>   String calculatedVersion = this.resourceVersion.getVersion(resource);
>   if (calculatedVersion != null && calculatedVersion.equals(requestedVersion))
>   {
>     response.setCacheDurationToMaximum();
>     response.setCacheScope(WebResponse.CacheScope.PUBLIC);
>   }
>   // no else branch: a mismatched version is still served, only without public caching
> }
> 
> --
> Best regards,
> Daniel Stoch
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
> For additional commands, e-mail: users-h...@wicket.apache.org
> 
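The check Daniel proposes, as an added stand-alone example that is neither Wicket's code nor from either poster: the requested file name is parsed, the version is computed from the resource content in the 32-hex-character deployment-mode shape shown above (MD5 is assumed here only to reproduce that shape), and any other version string is rejected instead of being served. The class `VersionedResourceCheck`, the `check` method, the `Outcome` enum, the `-ver-` regular expression and the sample resource table are all assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Stand-alone model of a "version in the file name" check (not Wicket's code).
 * A request is accepted for public caching only when the version in the
 * requested name equals the version computed from the resource content;
 * any other version string is rejected rather than silently served.
 */
public class VersionedResourceCheck {

    /** Matches names like jquery-ver-<version>.css, the form shown in the thread. */
    private static final Pattern VERSIONED_NAME =
        Pattern.compile("^(?<base>.+)-ver-(?<version>[^.]+)(?<ext>\\.[^.]+)$");

    /** Constructed sample resources (base file name -> content); not real files. */
    static final Map<String, String> RESOURCES = Map.of(
        "jquery.css", "body { margin: 0; }");

    /** Outcome of validating one requested file name. */
    enum Outcome { OK_CACHE_PUBLIC, VERSION_MISMATCH, NOT_FOUND, UNVERSIONED }

    /**
     * Deployment-mode style version: uppercase hex MD5 of the content, the same
     * 32-character shape as the example in the thread. Assumption: MD5 is used
     * only to mirror that shape; the version is a cache key, not a secret.
     */
    static String calculatedVersion(String content) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(content.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) {
                hex.append(String.format("%02X", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 not available", e);
        }
    }

    /** Validates the requested name; the mismatch branch is the "else" the message proposes. */
    static Outcome check(String requestedName) {
        Matcher m = VERSIONED_NAME.matcher(requestedName);
        if (!m.matches()) {
            return Outcome.UNVERSIONED;
        }
        String baseName = m.group("base") + m.group("ext");
        String requestedVersion = m.group("version");
        String content = RESOURCES.get(baseName);
        if (content == null) {
            return Outcome.NOT_FOUND;
        }
        byte[] expected = calculatedVersion(content).getBytes(StandardCharsets.UTF_8);
        byte[] requested = requestedVersion.getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares equal-length input in constant time;
        // equals() would also be acceptable for a public cache key.
        if (MessageDigest.isEqual(expected, requested)) {
            return Outcome.OK_CACHE_PUBLIC;
        }
        return Outcome.VERSION_MISMATCH; // map to 404 instead of serving the file
    }

    public static void main(String[] args) {
        String valid = "jquery-ver-" + calculatedVersion(RESOURCES.get("jquery.css")) + ".css";
        String[] samples = {
            valid,
            valid.replace(".css", "_old.css"),  // correct version with a suffix appended
            "jquery-ver-XYZABCDEF.css",        // arbitrary version string
            "missing-ver-0123.css",            // unknown resource
            "jquery.css"                       // no version decoration at all
        };
        for (String name : samples) {
            System.out.println(name + " -> " + check(name));
        }
    }
}
```

Only the exact computed version yields OK_CACHE_PUBLIC; the suffixed and arbitrary names from the message fall into VERSION_MISMATCH. In a real caching strategy that branch would map to a 404 (or to an exception as the message suggests) so that a name with a stale or made-up version is never served, and therefore can never be cached by a browser or proxy under that name either.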