Posted to dev@tapestry.apache.org by "Geoff Callender (JIRA)" <ji...@apache.org> on 2009/12/03 06:39:20 UTC

[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785188#action_12785188 ] 

Geoff Callender commented on TAP5-815:
--------------------------------------

Hey Robert,

I haven't had a chance to review the AssetProtectionDispatcher, but can you confirm its default setup matches the following bits of the servlet spec? I think the servlet spec describes the behaviour that developers would reasonably expect, regardless of the fact that T5 doesn't use servlets.

1. ALWAYS deny clients access to WEB-INF: 

"any requests from the client to access the resources in WEB-INF/ directory must be returned with a SC_NOT_FOUND(404) response." (Servlet Spec 2.4 section 9.5)

2. ALWAYS deny clients access to META-INF: 

"any requests to access the resources in META-INF directory must be returned with a SC_NOT_FOUND(404) response." (Servlet spec 2.4 section 9.6)

3. By default, allow access to static resources: 

"Web containers are required to support access to web resources by clients that have not authenticated themselves to the container. This is the common mode of access to web resources on the Internet." (Servlet Spec 2.4 section 12.7)

If resources such as .tml files need to be hidden then either move them into WEB-INF/classes (which I'd argue is where they belong anyway as they are a non-configurable part of the app) or blacklist them.

As for displaying index pages as the client traverses the resources, I think we're all agreed it's wrong.

Geoff

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
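The three rules in the comment above (always 404 for WEB-INF and META-INF, no directory listings, static files served by default, with a blacklist for things like .tml) make a compact path policy. The class below is an added illustration, not Tapestry's AssetProtectionDispatcher or any other code from the project or the thread. It assumes the dispatcher hands it the request path after the context/version prefix (e.g. "/css/main.css"), percent-decoded exactly once by the caller, and it uses a hypothetical extension blacklist containing "tml". The main method builds a throwaway webapp layout under a temp directory so it runs stand-alone.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not Tapestry code): a path policy for an asset dispatcher
 * that serves files out of the webapp root. Input is the request path after
 * the context/version prefix, already percent-decoded exactly once.
 */
public final class AssetPathPolicy {

    public enum Decision { ALLOW, NOT_FOUND }

    /** Top-level directories the servlet spec says must always 404 (2.4 sections 9.5, 9.6). */
    private static final Set<String> ALWAYS_HIDDEN = Set.of("web-inf", "meta-inf");

    private final Path root;                    // real (symlink-resolved) webapp root
    private final Set<String> deniedExtensions; // hypothetical blacklist, e.g. "tml"

    public AssetPathPolicy(Path webappRoot, Set<String> deniedExtensions) throws IOException {
        this.root = webappRoot.toRealPath();
        this.deniedExtensions = deniedExtensions;
    }

    public Decision decide(String requestPath) {
        // 1. No NUL bytes or backslashes: neither occurs in a valid asset URL, and both
        //    have been used to smuggle separators past naive prefix checks.
        if (requestPath == null || requestPath.indexOf('\0') >= 0 || requestPath.indexOf('\\') >= 0) {
            return Decision.NOT_FOUND;
        }
        // 2. Split into segments, drop empty ones ("//"), refuse "." and "..".
        //    A generated asset link never contains them, so rejecting beats normalising.
        List<String> segments = new ArrayList<>();
        for (String s : requestPath.split("/")) {
            if (s.isEmpty()) continue;
            if (s.equals(".") || s.equals("..")) return Decision.NOT_FOUND;
            segments.add(s);
        }
        if (segments.isEmpty()) return Decision.NOT_FOUND; // the root itself: no listing
        // 3. WEB-INF and META-INF are hidden regardless of case, since the webapp may
        //    sit on a case-insensitive filesystem where "web-inf" opens the same directory.
        if (ALWAYS_HIDDEN.contains(segments.get(0).toLowerCase(Locale.ROOT))) {
            return Decision.NOT_FOUND;
        }
        // 4. Extension blacklist for templates and similar files left in the webapp root.
        String last = segments.get(segments.size() - 1);
        int dot = last.lastIndexOf('.');
        if (dot >= 0 && deniedExtensions.contains(last.substring(dot + 1).toLowerCase(Locale.ROOT))) {
            return Decision.NOT_FOUND;
        }
        // 5. Resolve on disk, follow symlinks, and confirm the real file is still under root
        //    and is a plain file: directories are never listed, and a hidden, missing or
        //    unreadable target all get the same 404 so the response does not leak existence.
        Path candidate = root;
        for (String s : segments) candidate = candidate.resolve(s);
        try {
            Path real = candidate.toRealPath();
            if (!real.startsWith(root)) return Decision.NOT_FOUND;    // symlink escape
            if (!Files.isRegularFile(real)) return Decision.NOT_FOUND; // directory or special file
        } catch (IOException e) {
            return Decision.NOT_FOUND;
        }
        return Decision.ALLOW;
    }

    /** Builds a constructed webapp layout in a temp directory and exercises the policy. */
    public static void main(String[] args) throws IOException {
        Path webapp = Files.createTempDirectory("webapp");
        write(webapp.resolve("index.html"), "<html></html>");
        write(webapp.resolve("css/main.css"), "body{}");
        write(webapp.resolve("Home.tml"), "<t:layout/>");
        write(webapp.resolve("WEB-INF/web.xml"), "<web-app/>");
        write(webapp.resolve("META-INF/MANIFEST.MF"), "Manifest-Version: 1.0");

        AssetPathPolicy policy = new AssetPathPolicy(webapp, Set.of("tml"));
        String[] requests = {
            "/css/main.css", "/index.html",          // ALLOW: ordinary static resources
            "/", "/css/",                            // NOT_FOUND: directories, no index listing
            "/WEB-INF/web.xml", "/web-inf/web.xml",  // NOT_FOUND: hidden regardless of case
            "/META-INF/MANIFEST.MF",                 // NOT_FOUND
            "/css/../WEB-INF/web.xml",               // NOT_FOUND: traversal segment
            "/Home.tml",                             // NOT_FOUND: blacklisted extension
            "/missing.png"                           // NOT_FOUND: does not exist
        };
        for (String r : requests) {
            System.out.printf("%-26s -> %s%n", r, policy.decide(r));
        }
    }

    private static void write(Path p, String content) throws IOException {
        Files.createDirectories(p.getParent());
        Files.writeString(p, content);
    }
}
```

Two points worth keeping when adapting this: the decision is made on the real path after symlink resolution, so a symlink inside the webapp pointing at /etc still 404s, and every deny branch returns the same NOT_FOUND rather than a FORBIDDEN, which is what the servlet spec wording asks for and avoids confirming that WEB-INF/web.xml exists.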