WICKET-7024 URL parameters sanitization

wicket-core-tests/src/test/java/org/apache/wicket/core/util/resource/locator/CachingResourceStreamLocatorTest.java

@@ -168,7 +168,7 @@ void fileResource()
 		FileResourceStream frs = new FileResourceStream(new File("."));
 
 		when(resourceStreamLocator.locate(String.class, "path", "style", "variation", null,
-			"extension", true)).thenReturn(frs);
+			"extension", true, true)).thenReturn(frs);
 
 		CachingResourceStreamLocator cachingLocator = new CachingResourceStreamLocator(
 			resourceStreamLocator);
@@ -178,7 +178,7 @@ void fileResource()
 
 		// there is a file resource with that Key so expect just one call to the delegate
 		verify(resourceStreamLocator, times(1)).locate(String.class, "path", "style", "variation",
-			null, "extension", true);
+			null, "extension", true, true);
 	}
 
 	/**
@@ -192,7 +192,7 @@ void fileResourceDifferentExtensions()
 		FileResourceStream frs = new FileResourceStream(new File("."));
 
 		when(resourceStreamLocator.locate(String.class, "path", "style", "variation", null,
-			"extension", true)).thenReturn(frs);
+			"extension", true, true)).thenReturn(frs);
 
 		CachingResourceStreamLocator cachingLocator = new CachingResourceStreamLocator(
 			resourceStreamLocator);
@@ -203,9 +203,9 @@ void fileResourceDifferentExtensions()
 
 		// there is a file resource with that Key so expect just one call to the delegate
 		verify(resourceStreamLocator, times(1)).locate(String.class, "path", "style", "variation",
-			null, "extension", true);
+			null, "extension", true, true);
 		verify(resourceStreamLocator, times(1)).locate(String.class, "path", "style", "variation",
-			null, "extension2", true);
+			null, "extension2", true, true);
 	}
 
 	/**
@@ -244,7 +244,7 @@ void lightweightResource()
 		StringResourceStream srs = new StringResourceStream("anything");
 
 		when(resourceStreamLocator.locate(String.class, "path", "style", "variation", null,
-			"extension", true)).thenReturn(srs);
+			"extension", true, true)).thenReturn(srs);
 
 		CachingResourceStreamLocator cachingLocator = new CachingResourceStreamLocator(
 			resourceStreamLocator);
@@ -255,6 +255,6 @@ void lightweightResource()
 		// lightweight resource streams should not be cached so expect just a call to the delegate
 		// for each call to the caching locator
 		verify(resourceStreamLocator, times(2)).locate(String.class, "path", "style", "variation",
-			null, "extension", true);
+			null, "extension", true, true);
 	}
 }

wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/IResourceStreamLocator.java

@@ -64,10 +64,34 @@ public interface IResourceStreamLocator
 	 * @param strict
 	 *            whether the specified attributes must match exactly
 	 * @return The resource or null
+	 * @deprecated
 	 */
 	IResourceStream locate(Class<?> clazz, String path, String style, String variation,
 		Locale locale, String extension, boolean strict);
 
+	/**
+	 * Locate a resource by combining the given path, style, variation, locale and extension
+	 * parameters. The exact search order depends on the implementation.
+	 * 
+	 * @param clazz
+	 *            The class loader for delegating the loading of the resource
+	 * @param path
+	 *            The path of the resource
+	 * @param style
+	 *            Any resource style, such as a skin style (see {@link org.apache.wicket.Session})
+	 * @param variation
+	 *            The component's variation (of the style)
+	 * @param locale
+	 *            The locale of the resource to load
+	 * @param extension
+	 *            A comma separate list of extensions
+	 * @param strict
+	 *            whether the specified attributes must match exactly
+	 * @return The resource or null
+	 */
+	IResourceStream locate(Class<?> clazz, String path, String style, String variation,
+		Locale locale, String extension, boolean strict, boolean updateCache);
+
 	/**
 	 * Markup resources and Properties files both need to iterate over different combinations of
 	 * locale, style, etc.. And though no single locate(..) method exists which is used by both,

wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/ResourceStreamLocator.java

@@ -140,10 +140,25 @@ public IResourceStream locate(final Class<?> clazz, final String path)
 	 * @see org.apache.wicket.core.util.resource.locator.IResourceStreamLocator#locate(java.lang.Class,
 	 *      java.lang.String, java.lang.String, java.lang.String, java.util.Locale,
 	 *      java.lang.String, boolean)
+	 * @deprecated
 	 */
 	@Override
 	public IResourceStream locate(final Class<?> clazz, String path, final String style,
 		final String variation, Locale locale, final String extension, final boolean strict)
+	{
+		return locate(clazz, path, style, variation, locale, extension, strict, true);
+	}
+
+	/**
+	 * 
+	 * @see org.apache.wicket.core.util.resource.locator.IResourceStreamLocator#locate(java.lang.Class,
+	 *      java.lang.String, java.lang.String, java.lang.String, java.util.Locale,
+	 *      java.lang.String, boolean)
+	 */
+	@Override
+	public IResourceStream locate(final Class<?> clazz, String path, final String style,
+		final String variation, Locale locale, final String extension, final boolean strict,
+		boolean updateCache)
 	{
 		// If path contains a locale, then it'll replace the locale provided to this method
 		PathLocale data = ResourceUtils.getLocaleFromFilename(path);

wicket-core/src/main/java/org/apache/wicket/core/util/resource/locator/caching/CachingResourceStreamLocator.java

@@ -109,19 +109,32 @@ else if (stream instanceof UrlResourceStream)
 		}
 	}
 
+	/**
+	 * @deprecated
+	 */
 	@Override
 	public IResourceStream locate(Class<?> scope, String path, String style, String variation,
 		Locale locale, String extension, boolean strict)
+	{
+		return locate(scope, path, style, variation, locale, extension, strict, true);
+	}
+
+	@Override
+	public IResourceStream locate(Class<?> scope, String path, String style, String variation,
+		Locale locale, String extension, boolean strict, boolean updateCache)
 	{
 		CacheKey key = new CacheKey(scope.getName(), path, extension, locale, style, variation, strict);
 		IResourceStreamReference resourceStreamReference = cache.get(key);
 
 		final IResourceStream result;
 		if (resourceStreamReference == null)
 		{
-			result = delegate.locate(scope, path, style, variation, locale, extension, strict);
+			result = delegate.locate(scope, path, style, variation, locale, extension, strict, updateCache);
 
-			updateCache(key, result);
+			if (updateCache)
+			{
+				updateCache(key, result);
+			}
 		}
 		else
 		{

wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResource.java

@@ -531,8 +531,8 @@ private ResourceResponse sendResourceError(ResourceResponse resourceResponse, in
 	@Override
 	public IResourceStream getResourceStream()
 	{
-		return internalGetResourceStream(getCurrentStyle(), getCurrentLocale());
- 	}
+		return internalGetResourceStream(getCurrentStyle(), getCurrentLocale(), isCachingEnabled());
+	}
 
 	/**
 	 * @return whether {@link org.apache.wicket.resource.ITextResourceCompressor} can be used to
@@ -552,13 +552,13 @@ public void setCompress(boolean compress)
 		this.compress = compress;
 	}
 
-	private IResourceStream internalGetResourceStream(final String style, final Locale locale)
+	private IResourceStream internalGetResourceStream(final String style, final Locale locale, boolean updateCache)
 	{
 		IResourceStreamLocator resourceStreamLocator = Application.get()
 			.getResourceSettings()
 			.getResourceStreamLocator();
 		IResourceStream resourceStream = resourceStreamLocator.locate(getScope(), absolutePath,
-			style, variation, locale, null, false);
+			style, variation, locale, null, false, updateCache);
 
 		String realPath = absolutePath;
 		if (resourceStream instanceof IFixedLocationResourceStream)
@@ -855,4 +855,5 @@ public PackageResource readBuffered(boolean readBuffered)
 		this.readBuffered = readBuffered;
 		return this;
 	}
+
 }

wicket-core/src/main/java/org/apache/wicket/request/resource/PackageResourceReference.java

@@ -18,6 +18,7 @@
 
 import static org.apache.wicket.util.resource.ResourceUtils.MIN_POSTFIX_DEFAULT_AS_EXTENSION;
 
+import java.io.IOException;
 import java.util.Locale;
 import java.util.concurrent.ConcurrentMap;
 
@@ -123,11 +124,41 @@ public PackageResource getResource()
 			urlAttributes = ResourceUtil.decodeResourceReferenceAttributes(url);
 		}
 
-		final String currentVariation = getCurrentVariation(urlAttributes);
-		final String currentStyle = getCurrentStyle(urlAttributes);
-		final Locale currentLocale = getCurrentLocale(urlAttributes);
-		final Class<?> scope = getScope();
-		final String name = getName();
+		String currentVariation = getCurrentVariation(urlAttributes);
+		String currentStyle = getCurrentStyle(urlAttributes);
+		Locale currentLocale = getCurrentLocale(urlAttributes);
+		Class<?> scope = getScope();
+		String name = getName();
+
+		if (urlAttributes != null) // sanitize
+		{
+			PackageResource urlResource = new PackageResource(scope, name, currentLocale,
+				currentStyle, currentVariation);
+			urlResource.setCachingEnabled(false);
+			IResourceStream filesystemMatch = urlResource.getResourceStream();
+
+			ResourceReference.Key urlKey = new ResourceReference.Key(scope.getName(), name,
+				currentLocale, currentStyle, currentVariation);
+
+			ResourceReference.Key filesystemKey = new ResourceReference.Key(scope.getName(), name,
+				filesystemMatch.getLocale(), filesystemMatch.getStyle(),
+				filesystemMatch.getVariation());
+
+			if (!urlKey.equals(filesystemKey))
+			{
+				currentLocale = filesystemKey.getLocale();
+				currentStyle = filesystemKey.getStyle();
+				currentVariation = filesystemKey.getVariation();
+			}
+			try
+			{
+				filesystemMatch.close();
+			}
+			catch (IOException e)
+			{
+				log.error("failed to close", e);
+			}
+		}
 
 		if (CSS_EXTENSION.equals(extension))
 		{