tapestry-dev mailing list archives

From "Geoff Callender (JIRA)" <j...@apache.org>
Subject [jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable
Date Thu, 03 Dec 2009 05:39:20 GMT

    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785188#action_12785188 ]

Geoff Callender commented on TAP5-815:
--------------------------------------

Hey Robert,

I haven't had a chance to review the AssetProtectionDispatcher, but can you confirm its default
setup matches the following bits of the servlet spec? I think the servlet spec describes the
behaviour that developers would reasonably expect, regardless of the fact that T5 doesn't
use servlets.

1. ALWAYS deny clients access to WEB-INF: 

"any requests from the client to access the resources in WEB-INF/ directory must be returned
with a SC_NOT_FOUND(404) response." (Servlet Spec 2.4 section 9.5)

2. ALWAYS deny clients access to META-INF: 

"any requests to access the resources in META-INF directory must be returned with a SC_NOT_FOUND(404)
response." (Servlet spec 2.4 section 9.6)

3. By default, allow access to static resources: 

"Web containers are required to support access to web resources by clients that have not authenticated
themselves to the container. This is the common mode of access to web resources on the Internet."
(Servlet Spec 2.4 section 12.7)

If resources such as .tml files need to be hidden then either move them into WEB-INF/classes
(which I'd argue is where they belong anyway as they are a non-configurable part of the app)
or blacklist them.

As for displaying index pages as the client traverses the resources, I think we're all agreed
it's wrong.

Geoff

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css.
> If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside
> the webapp root is shown. It gives you the hint at downloading any file you want, including
> anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
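To make the three servlet-spec rules from the comment concrete, here is an added Java example of a request-path policy for a context-asset dispatcher. It is not Tapestry's AssetProtectionDispatcher and not code from this thread; the class name `AssetPathPolicy`, the `decide` method and the blacklisted-extension set are assumptions. It always answers 404 for anything under WEB-INF or META-INF (rules 1 and 2), refuses directory requests so no index listing is ever produced, and otherwise serves static resources unless their extension is blacklisted (rule 3 plus the `.tml` blacklist the comment suggests). Matching WEB-INF and META-INF case-insensitively goes slightly beyond the spec wording, to stay safe on case-insensitive filesystems.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical class, not Tapestry's dispatcher): decides whether a
 * context-asset request may be served, following the servlet-spec rules quoted above.
 */
public final class AssetPathPolicy {

    /** Assumed blacklist: files that are part of the application, not public assets. */
    private static final Set<String> BLACKLISTED_EXTENSIONS =
            Set.of("tml", "class", "properties", "jsp");

    public enum Decision { SERVE, NOT_FOUND }

    /**
     * @param pathWithinContext the part of the URL after the asset prefix and digest,
     *                          e.g. "css/main.css" from /assets/ctx/f10407a6c1753e39/css/main.css
     */
    public static Decision decide(String pathWithinContext) {
        if (pathWithinContext == null || pathWithinContext.isEmpty()) {
            return Decision.NOT_FOUND;   // bare prefix would mean a listing of the webapp root
        }
        // Decode percent-encoding once, so escaped forms of ".." or "WEB-INF" cannot slip past
        // the checks. In a real servlet the container's decoded path would be used instead.
        String decoded;
        try {
            decoded = URLDecoder.decode(pathWithinContext, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Decision.NOT_FOUND;   // malformed escape sequence
        }
        if (decoded.indexOf('\0') >= 0) {
            return Decision.NOT_FOUND;
        }
        // Directory requests (trailing slash) are never served: no index page.
        if (decoded.endsWith("/") || decoded.endsWith("\\")) {
            return Decision.NOT_FOUND;
        }
        // Normalise "." and ".." segments; climbing above the context root is refused.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : decoded.split("[/\\\\]+")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (segments.isEmpty()) return Decision.NOT_FOUND;
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        if (segments.isEmpty()) return Decision.NOT_FOUND;
        // Rules 1 and 2: any path passing through WEB-INF or META-INF is 404, regardless of case.
        for (String seg : segments) {
            String upper = seg.toUpperCase(Locale.ROOT);
            if (upper.equals("WEB-INF") || upper.equals("META-INF")) return Decision.NOT_FOUND;
        }
        // Rule 3 with a blacklist: static resources are public unless their extension is reserved.
        String last = segments.getLast();
        int dot = last.lastIndexOf('.');
        String ext = dot < 0 ? "" : last.substring(dot + 1).toLowerCase(Locale.ROOT);
        return BLACKLISTED_EXTENSIONS.contains(ext) ? Decision.NOT_FOUND : Decision.SERVE;
    }

    /** Constructed sample paths covering each rule; the output shows the decision per path. */
    public static void main(String[] args) {
        String[] samples = {
            "css/main.css", "", "css/", "WEB-INF/web.xml", "web-inf/classes/app.properties",
            "css/../WEB-INF/web.xml", "%57EB-INF/web.xml", "pages/Index.tml", "META-INF/MANIFEST.MF"
        };
        for (String s : samples) {
            System.out.printf("%-40s -> %s%n", "\"" + s + "\"", decide(s));
        }
    }
}
```

Of the constructed samples only `css/main.css` is served; every other path is refused for one of the reasons in the comment: empty path or trailing slash (listing), a WEB-INF or META-INF segment reached directly, via `..`, via a different case or via percent-encoding, or a blacklisted `.tml` template.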

