Posted to users@tapestry.apache.org by Kris Rasmussen <kr...@yahoo.com> on 2004/04/30 21:04:25 UTC

Asset Security Hole (cont from Re: Confusing error in production environment.)

After looking into it, it appears you can access any file in your classpath via the asset service (I'm sure people already know this). I find this to be horribly insecure, especially since there may be cases when the user may store some login information in a properties file or a class. Has anyone created a fix for this, such as restricting access only to files with a given extension or only those files declared explicitly as an asset in a jwc or page file? I am willing to make the necessary changes to the source if no one else is already working on it.
 
On a side note, I suspect the reason I am getting the error on my site is because someone is trying to access the source to a js file inserted by Tapestry, as that is the only asset I use. When you cut and paste the address that Tapestry escapes into the HTML it won't work and will generate that error unless you modify it a bit.
 
Kris

Kris Rasmussen <kr...@yahoo.com> wrote:
I never thought about the possibility of the asset service creating a security vulnerability.... What exactly can the user access via the asset service??? This should definitely be resolved quickly if it is the case. I would have thought that the asset service restricts what it can access to what is declared in the page file. 

Kris

Erik Hatcher wrote:
Perhaps someone is probing your site by manually hitting the 
AssetService URLs?

Keep in mind that the AssetService does have a security vulnerability 
unless you are using it with the externalization features enabled (and 
even then, would there still be a hole? for some reason I think not, 
but I'm now not sure). In other words, someone could use the 
AssetService URLs to grab your .class files!

Erik


On Apr 30, 2004, at 12:57 AM, Kris Rasmussen wrote:

> Whenever an error is generated on the site I have it is
> emailed to me. Every couple of days I get the error I
> pasted below. I can't imagine how it could be coming
> up??? How could the service asset be getting multiple
> parameters if I never call it directly other than
> through standard tapestry components? I am running
> rc3. I will try and switch over to version 3 release
> tonight.
>
> org.apache.tapestry.ApplicationRuntimeException: Service asset requires exactly one service parameter.
>     at org.apache.tapestry.asset.AssetService.service(AssetService.java:137)
>     at org.apache.tapestry.engine.AbstractEngine.service(AbstractEngine.java:872)
>     at org.apache.tapestry.ApplicationServlet.doService(ApplicationServlet.java:197)
>     at org.apache.tapestry.ApplicationServlet.doGet(ApplicationServlet.java:158)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:743)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:284)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:204)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:257)
>     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
>     at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:245)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:199)
>     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:184)
>     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:164)
>     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:149)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:156)
>     at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:151)
>     at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:567)
>     at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:972)
>     at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:206)
>     at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:339)
>     at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:415)
>     at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:716)
>     at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:650)
>     at org.apache.jk.common.SocketConnection.runIt(ChannelSocket.java:829)
>     at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:688)
>     at java.lang.Thread.run(Thread.java:534)
>
>
> 
> 
> __________________________________
> Do you Yahoo!?
> Win a $20,000 Career Makeover at Yahoo! HotJobs
> http://hotjobs.sweepstakes.yahoo.com/careermakeover
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tapestry-user-help@jakarta.apache.org



Re: Asset Security Hole (cont from Re: Confusing error in production environment.)

Posted by Kris Rasmussen <kr...@yahoo.com>.
Ah, thanks, that was pretty obvious ;).
		

Re: Asset Security Hole (cont from Re: Confusing error in production environment.)

Posted by Jim Frederic <jf...@innodata-isogen.com>.
Yes, I should've included that.  See the <service> entry below.  This is 
the Tapestry .application file:

<?xml version="1.0"?>
<!DOCTYPE application PUBLIC
   "-//Apache Software Foundation//Tapestry Specification 3.0//EN"
   "http://jakarta.apache.org/tapestry/dtd/Tapestry_3_0.dtd">

<application name="foo" engine-class="optional.custom.Engine">
   <property name="org.apache.tapestry.visit-class" value="optional.custom.Visit"/>
   <property name="org.apache.tapestry.global-class" value="optional.custom.Global"/>
   <property name="org.apache.tapestry.template-encoding" value="ISO-8859-1"/>

   <library id="contrib" specification-path="/org/apache/tapestry/contrib/Contrib.library"/>

   <!-- Overrides the built-in "asset" service with the restricted subclass. -->
   <service name="asset" class="my.custom.ImageOnlyAssetService"/>

</application>


-- 
Jim Frederic
Innodata Isogen
9390 Research Blvd
Kaleido I, Suite 410
Austin, TX 78759
Tel: +(1) 512.372.8155
           512.372.8122
Fax: +(1) 512.372.8133
Web: http://www.innodata-isogen.com


---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-user-help@jakarta.apache.org


Re: Asset Security Hole (cont from Re: Confusing error in production environment.)

Posted by Kris Rasmussen <kr...@yahoo.com>.
Thanks jim. Is there an easy way to plug a change like this into an existing tapestry application and have it replace the normal asset service without having to modify the tapestry source?
 
Kris


Re: Asset Security Hole (cont from Re: Confusing error in production environment.)

Posted by Jim Frederic <jf...@innodata-isogen.com>.
Here's the class I used to plug this asset hole.  It extends the base 
AssetService, but only serves assets whose name ends with an image-type 
extension.  I'm sure you can make this more general, with runtime 
registerable extensions.

-Jim

import java.io.IOException;
import java.util.ArrayList;

import javax.servlet.ServletException;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.tapestry.IRequestCycle;
import org.apache.tapestry.asset.AssetService;
import org.apache.tapestry.engine.IEngineServiceView;
import org.apache.tapestry.request.ResponseOutputStream;

/**
 * Defines an asset service that only accepts image file requests.
 * Registered in the .application file as
 *   <service name="asset" class="my.custom.ImageOnlyAssetService"/>
 * so that it replaces the standard asset service. A request whose resource
 * path does not end with an image extension is logged and answered with an
 * empty body instead of the resource.
 */
public class ImageOnlyAssetService extends AssetService {
    private static final Log LOG = LogFactory.getLog(ImageOnlyAssetService.class);
    private static ArrayList validExtensions;

    // To support a new graphic type, simply add to this list (lower case, no dot).
    static {
        validExtensions = new ArrayList(7);
        validExtensions.add("bmp");
        validExtensions.add("gif");
        validExtensions.add("jpeg");
        validExtensions.add("jpg");
        validExtensions.add("png");
        validExtensions.add("tif");
        validExtensions.add("tiff");
    }

    public ImageOnlyAssetService() {
        super();
    }

    public void service(
        IEngineServiceView engine,
        IRequestCycle cycle,
        ResponseOutputStream output)
        throws ServletException, IOException {

        // The base AssetService expects exactly one String parameter (the classpath
        // resource path). Check that here instead of indexing parameters[0] blindly:
        // a hand-built URL with no parameter, or several, would otherwise throw
        // ArrayIndexOutOfBoundsException / NullPointerException before any check ran.
        Object[] parameters = getParameters(cycle);
        String resourcePath = null;
        if (parameters != null && parameters.length == 1 && parameters[0] instanceof String) {
            resourcePath = (String) parameters[0];
        }

        if (resourcePath != null && extensionIsValid(resourcePath)) {
            super.service(engine, cycle, output);
        } else {
            // Refused: record who asked for what, and write nothing to the response.
            String hackerAddr = cycle.getRequestContext().getRequest().getRemoteAddr();
            LOG.info("Illegal access attempted through " + this.getClass().getName()
                    + " for resource '" + resourcePath
                    + "' from IP address '" + hackerAddr + "'.");
        }
    }

    /**
     * Validates the path with supported types. Only the extension of the final
     * segment is examined; the path itself is passed to the base class unchanged.
     *
     * @param path to evaluate
     * @return true if path is valid, false otherwise.
     */
    boolean extensionIsValid(String path) {
        int i = path.lastIndexOf('.');
        if ((i > 0) && (i < path.length() - 1)) {
            String ext = path.substring(i + 1).toLowerCase();
            return validExtensions.contains(ext);
        }
        return false;
    }
}


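An added example, not code from this thread or from Tapestry itself: the check below combines the two fixes the thread discusses, Jim's extension allow-list and Kris's suggestion of serving only the resources the application explicitly declares as assets, and normalises the requested path before either comparison so that ".." segments, backslashes, a missing leading slash or an embedded NUL byte cannot get a non-image resource past a plain string match. It is plain Java with no Tapestry dependency (written for a current JDK, unlike the 2004 code above), so an AssetService subclass can call isAllowed(resourcePath) where Jim's class calls extensionIsValid(resourcePath). The class name, the method names, the sample declared-asset set and every probe path in main() are assumptions made up for the example; how to collect the declared paths from the .page and .jwc specifications is left to the application, which is why the set is a constructor argument.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not part of Tapestry: decides whether a resource path requested
 * through the asset service may be served from the classpath. A path must pass
 * two independent allow-lists, both applied to its canonical form:
 *   1. its file extension must be one the application serves (the image-only idea), and
 *   2. the exact path must be one the application declared as an asset.
 */
public final class AssetPathGuard {

    private final Set<String> allowedExtensions;   // lower-case, without the dot
    private final Set<String> declaredAssets;      // canonical absolute classpath paths

    public AssetPathGuard(Set<String> allowedExtensions, Set<String> declaredAssets) {
        this.allowedExtensions = new HashSet<>();
        for (String ext : allowedExtensions) this.allowedExtensions.add(ext.toLowerCase(Locale.ROOT));
        this.declaredAssets = new HashSet<>();
        for (String asset : declaredAssets) {
            String canonical = canonicalize(asset);   // declared paths get the same normalisation
            if (canonical != null) this.declaredAssets.add(canonical);
        }
    }

    /**
     * Canonical absolute form of a classpath resource path, or null when the path is
     * empty, contains a NUL byte, or contains a ".." segment. Traversal is refused
     * outright rather than resolved: no declared asset ever needs a ".." in its path.
     */
    public static String canonicalize(String raw) {
        if (raw == null || raw.isEmpty() || raw.indexOf('\0') >= 0) {
            return null;
        }
        String path = raw.replace('\\', '/');
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                           // "//" and "/./" add nothing
            }
            if (segment.equals("..")) {
                return null;                        // traversal attempt
            }
            segments.addLast(segment);
        }
        return segments.isEmpty() ? null : "/" + String.join("/", segments);
    }

    /** True only if the canonical path has an allowed extension AND was declared as an asset. */
    public boolean isAllowed(String rawPath) {
        String path = canonicalize(rawPath);
        if (path == null) {
            return false;
        }
        int dot = path.lastIndexOf('.');
        int slash = path.lastIndexOf('/');
        if (dot <= slash || dot == path.length() - 1) {
            return false;                           // no extension on the final segment
        }
        String ext = path.substring(dot + 1).toLowerCase(Locale.ROOT);
        return allowedExtensions.contains(ext) && declaredAssets.contains(path);
    }

    /** Constructed sample configuration (assumption): an application that declares two image assets. */
    static AssetPathGuard sampleGuard() {
        Set<String> extensions = new HashSet<>(Arrays.asList("gif", "jpg", "jpeg", "png"));
        Set<String> declared = new HashSet<>(Arrays.asList("/images/logo.png", "/images/spacer.gif"));
        return new AssetPathGuard(extensions, declared);
    }

    public static void main(String[] args) {
        AssetPathGuard guard = sampleGuard();
        String[] probes = {                         // constructed requests, not real traffic
            "/images/logo.png",                          // declared image: ALLOW
            "images\\logo.png",                          // same asset, odd spelling: ALLOW
            "/images/banner.gif",                        // image, but never declared: REFUSE
            "/com/example/app/Login.class",              // the .class grab Erik describes: REFUSE
            "/com/example/app/db.properties",            // the credentials file Kris worries about: REFUSE
            "/images/../com/example/app/db.properties",  // traversal dressed as an image path: REFUSE
            "/images/logo.png\0.properties",             // NUL-byte trick: REFUSE
        };
        for (String probe : probes) {
            String verdict = guard.isAllowed(probe) ? "ALLOW  " : "REFUSE ";
            System.out.println(verdict + probe.replace("\0", "\\0"));
        }
    }
}
```

Running main() prints one ALLOW/REFUSE line per probe; only /images/logo.png, in either spelling, is served. The second allow-list matters because an extension check alone still lets anyone read every .png or .gif on the classpath, including ones that were never meant to be public, and because an extension check is only as strong as the canonicalisation in front of it.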