tapestry-dev mailing list archives

From Ulrich Stärk (JIRA) <j...@apache.org>
Subject [jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable
Date Wed, 26 Aug 2009 08:13:59 GMT

    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747826#action_12747826

Ulrich Stärk commented on TAP5-815:

In 5.2-SNAPSHOT you can still access files located on the classpath or in the webapp context,
except for .class and .tml files in the classpath (due to ResourceDigestGenerator). .tml files
in the context are still accessible. There is no directory listing though. So this also partly
applies to the current development tree.

The problem here is that Tapestry is using a blacklisting approach: It allows all access unless
otherwise specified, for example by contributing to the ResourceDigestGenerator. This principle
is insecure by design. Instead Tapestry should do whitelisting, i.e. only allow access to
explicitly allowed resources. Since Tapestry already knows about all the Assets required by
a page or component (by looking at the @Path, @IncludeJavaScriptLibrary and @IncludeStylesheet
annotations and the context: and asset: binding prefixes), such a whitelisting approach could
be realized: Just allow access to Assets really required by pages or components.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions:
>            Reporter: Thiago H. de Paula Figueiredo
>            Priority: Blocker
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css.
> If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside
> the webapp root is shown. It gives you the hint at downloading any file you want, including
> anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
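The following is an added illustration of the design point made in the comment above, not code from Tapestry or from the JIRA thread. It models a webapp context as an in-memory dictionary (constructed sample files) and contrasts a blacklist dispatcher, which serves anything not explicitly denied and lists directories, with a whitelist dispatcher that only serves assets that pages declared. The per-asset content digest, the `PAGE_ASSETS` table standing in for `@Path`/`@IncludeStylesheet` declarations, and all class and function names are assumptions made for the example; Tapestry's real digest scheme and asset resolution differ in detail.

```python
"""Blacklist vs whitelist asset dispatch, modelled on the TAP5-815 discussion.

Constructed example: the context, the page declarations and the digest scheme
are stand-ins, not Tapestry's own implementation.
"""
from __future__ import annotations

import hashlib
import posixpath
from dataclasses import dataclass, field

# Constructed stand-in for a webapp context (relative path -> file bytes).
CONTEXT_FILES = {
    "css/main.css": b"body { color: #333; }",
    "js/app.js": b"console.log('hi');",
    "pages/Index.tml": b"<html t:type='layout'/>",
    "WEB-INF/web.xml": b"<web-app/>",
    "WEB-INF/classes/db.properties": b"password=hunter2",
}

# Constructed stand-in for what a page's asset annotations declare.
PAGE_ASSETS = {
    "Index": ["css/main.css", "js/app.js"],
}


def _normalize(path: str) -> str:
    """Collapse '.' and '..' segments and strip leading slashes (POSIX semantics)."""
    norm = posixpath.normpath("/" + path).lstrip("/")
    return "" if norm == "." else norm


@dataclass
class BlacklistDispatcher:
    """Serves everything in the context except names on a deny list.

    Mirrors the 'allow unless otherwise specified' behaviour the comment
    criticises: WEB-INF and templates leak, and a directory request lists files.
    """
    files: dict[str, bytes]
    denied_suffixes: tuple[str, ...] = (".class",)

    def handle(self, path: str) -> tuple[int, bytes]:
        path = _normalize(path)
        if path.endswith(self.denied_suffixes):
            return 403, b""
        if path in self.files:
            return 200, self.files[path]
        # Directory request: emit a listing, as the issue reporter observed.
        prefix = path + "/" if path else ""
        listing = sorted(p for p in self.files if p.startswith(prefix))
        if listing:
            return 200, "\n".join(listing).encode()
        return 404, b""


@dataclass
class WhitelistDispatcher:
    """Serves only assets that pages or components explicitly registered."""
    files: dict[str, bytes]
    registered: dict[str, str] = field(default_factory=dict)  # path -> digest

    def register(self, path: str) -> str:
        """Register an asset and return the digest that must appear in its URL."""
        path = _normalize(path)
        if path not in self.files:
            raise FileNotFoundError(path)
        # Assumed digest scheme: short SHA-256 of the content (not Tapestry's).
        digest = hashlib.sha256(self.files[path]).hexdigest()[:16]
        self.registered[path] = digest
        return digest

    def handle(self, path: str, digest: str = "") -> tuple[int, bytes]:
        path = _normalize(path)
        expected = self.registered.get(path)
        if expected is None:
            return 404, b""  # unregistered: no listing, no fallback to the filesystem
        if digest != expected:
            return 403, b""  # registered but wrong digest: refuse
        return 200, self.files[path]


def build_whitelist(files: dict[str, bytes], page_assets: dict[str, list[str]]) -> WhitelistDispatcher:
    """Build the whitelist from what pages declare, as the comment proposes."""
    wl = WhitelistDispatcher(files)
    for assets in page_assets.values():
        for asset in assets:
            wl.register(asset)
    return wl


if __name__ == "__main__":
    bl = BlacklistDispatcher(CONTEXT_FILES)
    print("blacklist, WEB-INF/web.xml:", bl.handle("WEB-INF/web.xml")[0])
    print("blacklist, directory listing:", bl.handle("")[1].decode().splitlines())
    wl = build_whitelist(CONTEXT_FILES, PAGE_ASSETS)
    print("whitelist, WEB-INF/web.xml:", wl.handle("WEB-INF/web.xml")[0])
    print("whitelist, css/main.css:", wl.handle("css/main.css", wl.registered["css/main.css"])[0])
```

The whitelist dispatcher answers 404 for anything not in its registry, so neither a directory request nor a traversal that normalizes to a real context path reaches the filesystem; the deny-list version has to enumerate every sensitive suffix and still leaks whatever it forgot.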
