Posted to dev@tapestry.apache.org by Bruce Myers <Br...@opensolutions.com> on 2006/11/15 22:54:54 UTC

4.1 UnprotectedAssets Contribution Security Issue

Hi,
 
I believe there is a security issue with the regular expressions in the
UnprotectedAssets contribution in the tapestry.asset.xml hivemind
module.
 
  <contribution configuration-id="UnprotectedAssets">
   List of unprotected asset regexps for ResourceMatcher service.
   <unprotected-resource contains="tapestry/*" />
   <unprotected-resource contains="dojo/*" />
  </contribution>

PatternMatcher.contains(String input, Pattern pattern) will search
anywhere in the input for the pattern.

Example:
contains("/com/company/tapestry/database.class", "tapestry/*") will
return true and allow the asset to be retrieved without a digest.

I would like to suggest adding a ^/ to the beginning of the expressions.
Example:
   <unprotected-resource contains="^/tapestry/*" />
   <unprotected-resource contains="^/dojo/*" />

I don't know what benefit the * on the end of the expressions is
providing. It will match 0 or more /'s.

Thanks,
 
Bruce Myers
Sr. Software Engineer
Open Solutions COWWW Software
Email: bruce.myers at opensolutions.com
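The matching behaviour described in the message above, as an added example that is not part of the original post or of Tapestry's own code. It models the ResourceMatcher's contains() as an unanchored regex search, which is an assumption based on the description in the mail, and compares three pattern sets on constructed asset paths: the shipped "tapestry/*" and "dojo/*" patterns, the "^/..." anchored forms proposed in the mail, and (going one step beyond the mail) a form that drops the trailing "*" entirely, since "/*" means zero or more slashes and so "^/tapestry/*" also accepts a path such as "/tapestryhelper/...". The sample paths are made up for illustration, apart from the database.class one quoted in the mail.

```python
import re

# Patterns as quoted from tapestry.asset.xml in the mail. The trailing "/*"
# matches zero or more slashes, so "tapestry/*" reduces to "tapestry" as an
# unanchored search.
SHIPPED = ["tapestry/*", "dojo/*"]

# The anchored forms the mail proposes. Still ends in "/*", so a zero-slash
# match after "^/tapestry" is accepted.
ANCHORED = ["^/tapestry/*", "^/dojo/*"]

# Hypothetical tighter form (not in the mail): require the directory slash.
STRICT = ["^/tapestry/", "^/dojo/"]

# Constructed sample asset paths. Only the database.class path comes from
# the mail; the rest are invented to exercise the edge cases.
PATHS = [
    "/tapestry/Tapestry.css",                    # framework asset, should be open
    "/dojo/dojo.js",                             # framework asset, should be open
    "/com/company/tapestry/database.class",      # mail's example, should need a digest
    "/com/company/dojo_bridge/Secrets.properties",  # "dojo" buried mid-path
    "/tapestryhelper/Secret.class",              # slips past "^/tapestry/*"
    "/com/company/Config.properties",            # no pattern should match
]


def is_unprotected(path, patterns):
    """Model of the contains() check: True if any pattern is found anywhere
    in the path. Assumption: this mirrors the unanchored search the mail
    attributes to PatternMatcher.contains(); re.search is unanchored too."""
    return any(re.search(p, path) is not None for p in patterns)


def classify(patterns):
    """Map each sample path to whether the given pattern set would serve it
    without a digest."""
    return {path: is_unprotected(path, patterns) for path in PATHS}


def leaked_paths(patterns):
    """Paths outside the /tapestry/ and /dojo/ directories that the pattern
    set would nevertheless expose without a digest."""
    return [
        path
        for path, open_ in classify(patterns).items()
        if open_ and not (path.startswith("/tapestry/") or path.startswith("/dojo/"))
    ]


if __name__ == "__main__":
    for name, patterns in (("shipped", SHIPPED), ("anchored", ANCHORED), ("strict", STRICT)):
        print(f"{name}: leaked = {leaked_paths(patterns)}")
```

Running it shows the shipped patterns exposing every path containing "tapestry" or "dojo" anywhere, the anchored patterns closing the mid-path cases but still accepting "/tapestryhelper/...", and the slash-terminated form accepting only the two framework directories.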


