Posted to dev@tapestry.apache.org by Howard Lewis Ship <hl...@gmail.com> on 2009/12/11 20:15:55 UTC
Re: svn commit: r889514 - in /tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src: main/java/org/apache/tapestry5/services/ test/app1/ test/app1/WEB-INF/ test/java/org/apache/tapestry5/integration/ test/java/org/apache/tapestry5/integration/app
Thanks, this looks like it fits people's needs and closes the security hole nicely.
On Thu, Dec 10, 2009 at 10:28 PM, <ro...@apache.org> wrote:
> Author: robertdzeigler
> Date: Fri Dec 11 06:28:30 2009
> New Revision: 889514
>
> URL: http://svn.apache.org/viewvc?rev=889514&view=rev
> Log:
> TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable
> Better regex for context files: disables everything at/below WEB-INF, enables everything else in the context, 5.1 branch.
>
> Added:
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/WEB-INF/unavailable.css
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile2.txt
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt
> - copied unchanged from r889457, tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt
> Removed:
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/unavailablefile.txt
> Modified:
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
> tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
>
> Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=889514&r1=889513&r2=889514&view=diff
> ==============================================================================
> --- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
> +++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Fri Dec 11 06:28:30 2009
> @@ -2458,7 +2458,12 @@
>
> if (contextAvailable)
> {
> - regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);
> + //we allow everything underneath the context folder, as long as it's not
> + //at or below WEB-INF.
> + //necessary since context assets are now handled via AssetDispatcher so that
> + //they can be compressed, combined, etc.
> + String contextPathPattern = "/(?!WEB-INF)([^/.]+/)*[^/]+$";
> + regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + contextPathPattern);
> }
>
> }
>
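Review bot: the lookahead in `String contextPathPattern = "/(?!WEB-INF)([^/.]+/)*[^/]+$";` excludes WEB-INF only, but the servlet spec also requires a 404 for anything under META-INF, and because context assets are now read by the AssetDispatcher instead of being served by the container (as the comment above the line explains), the container's own refusal no longer applies; suggest `(?!WEB-INF|META-INF)`. Three smaller points on the same line: the lookahead is case-sensitive, so `web-inf/...` passes the regex and what happens next depends on how the resource is resolved on the deployment filesystem; `(?!WEB-INF)` also rejects any folder that merely starts with that prefix (such as `WEB-INFO/`), which `(?!WEB-INF(?:/|$))` would avoid; and the final `[^/]+$` still accepts `..` as a last segment even though `[^/.]+` keeps dots out of the intermediate ones. Also, `appVersion` is still concatenated into the pattern unescaped (pre-existing on the removed line, but `Pattern.quote(appVersion)` would stop a version's dots acting as wildcards), and the pattern carries no leading `^`, so if the whitelist authorizer applies it with `find()` rather than `matches()` a path that merely contains the context prefix somewhere would be accepted.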
> Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=889514&r1=889513&r2=889514&view=diff
> ==============================================================================
> --- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml (original)
> +++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml Fri Dec 11 06:28:30 2009
> @@ -1,4 +1,8 @@
> <html t:type="Border" xmlns:t="http://tapestry.apache.org/schema/tapestry_5_1_0.xsd">
> <a href="${asset:context:availablefile.txt}">Available File</a>
> - <a href="${asset:context:unavailablefile.txt}">Unavailable File</a>
> + <a href="${asset:context:WEB-INF/unavailable.css}">Unavailable CSS</a>
> + <a href="${asset:context:WEB-INF}">WEB-INF</a>
> + <a href="${asset:context:WEB-INF/}">WEB-INF/</a>
> + <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt}">Unavailable File</a>
> + <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/availablefile2.txt}">Available File2</a>
> </html>
> \ No newline at end of file
>
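Review bot: the three WEB-INF links cover the bare folder, the folder with a trailing slash and a file directly inside it, but not a file in a subdirectory of WEB-INF (the `([^/.]+/)*` repetition is what has to reject that case) nor a differently-cased `web-inf/...`; adding one link for each would exercise the parts of the new regex that the current links do not. Note also that "Available File" now passes only because of the general context rule, since the explicit whitelist entry for `availablefile.txt` is removed in AppModule below, so it is effectively the regression test for that rule.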
> Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/WEB-INF/unavailable.css
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/WEB-INF/unavailable.css?rev=889514&view=auto
> ==============================================================================
> --- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/WEB-INF/unavailable.css (added)
> +++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/WEB-INF/unavailable.css Fri Dec 11 06:28:30 2009
> @@ -0,0 +1,3 @@
> +/*the originally contributed regex to open up context assets resulted in
> + * .css, .jpeg, etc. files in WEB-INF being accessible. This css file is just here for
> + * integration testing purposes to make sure that's not the case now.*/
> \ No newline at end of file
>
> Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=889514&r1=889513&r2=889514&view=diff
> ==============================================================================
> --- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
> +++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Fri Dec 11 06:28:30 2009
> @@ -3032,14 +3032,32 @@
>
> /** TAP5-815 */
> @Test
> - public void testAssetProtection()
> + public void testAssetProtection() throws InterruptedException
> {
> +
> + //context resourcs should be available by default.
> + start("Asset Protection Demo");
> + clickAndWait("link=Available File");
> + assertTextPresent("This file should be available to clients.");
> +
> + start("Asset Protection Demo");
> + clickAndWait("link=Unavailable CSS");
> + assertTextPresent("HTTP ERROR: 404");
> +
> + start("Asset Protection Demo");
> + clickAndWait("link=WEB-INF");
> + assertTextPresent("HTTP ERROR: 404");
> +
> + start("Asset Protection Demo");
> + clickAndWait("link=WEB-INF/");
> + assertTextPresent("HTTP ERROR: 404");
> +
> start("Asset Protection Demo");
> clickAndWait("link=Unavailable File");
> - assertTextPresent("404");
> + assertTextPresent("HTTP ERROR: 404");
>
> start("Asset Protection Demo");
> - clickAndWait("link=Available File");
> + clickAndWait("link=Available File2");
> assertTextPresent("This file should be available to clients.");
> }
>
>
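Review bot: `throws InterruptedException` is added to `testAssetProtection()` but nothing in the hunk can throw it; drop it. The negative checks assert on `"HTTP ERROR: 404"`, which is the container's error-page text rather than a status code, so the test is tied to the test container's error page; if the harness can expose the status, assert on that instead. Two of the negative cases (`link=WEB-INF` and `link=WEB-INF/`) target a directory, which would be a 404 with or without the fix, so only the `Unavailable CSS` case (backed by the added `WEB-INF/unavailable.css`) actually proves the regex change. Minor: "resourcs" in the comment.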
> Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=889514&r1=889513&r2=889514&view=diff
> ==============================================================================
> --- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
> +++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Fri Dec 11 06:28:30 2009
> @@ -259,9 +259,8 @@
> }
>
> public static void contributeWhitelistAuthorizer(
> - Configuration<String> configuration,
> - @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion)
> + Configuration<String> configuration)
> {
> - configuration.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/availablefile.txt");
> + configuration.add("org/apache/tapestry5/integration/app1/pages/availablefile2.txt");
> }
> }
>
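Review bot: with the `@Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion` parameter and the `RequestConstants.CONTEXT_FOLDER` entry removed, the imports of `Symbol`, `SymbolConstants` and `RequestConstants` in AppModule may now be unused; the import block is outside this hunk, so please check. The replacement entry `org/apache/tapestry5/integration/app1/pages/availablefile2.txt` is a classpath path without a leading slash, which is consistent with the classpath-asset form, but it means the test app no longer contributes any context-folder whitelist entry, so that contribution style is now untested.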
> Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile2.txt
> URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile2.txt?rev=889514&view=auto
> ==============================================================================
> --- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile2.txt (added)
> +++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/resources/org/apache/tapestry5/integration/app1/pages/availablefile2.txt Fri Dec 11 06:28:30 2009
> @@ -0,0 +1 @@
> +This file should be available to clients.
> \ No newline at end of file
>
>
>
--
Howard M. Lewis Ship
Creator of Apache Tapestry
The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!
(971) 678-5210
http://howardlewisship.com
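To make the quoted `contextPathPattern` concrete, here is an added example (mine, not code from the commit or from Tapestry) that runs the committed pattern, and a tightened variant I am proposing, over a set of constructed probe paths. `RequestConstants.CONTEXT_FOLDER` and the application version are not shown in the hunk, so `ctx/` and `1.0.0` are assumptions. Python's `re` is used because `re.fullmatch` and `re.search` correspond to Java's `Matcher.matches()` and `find()`, and the pattern only uses constructs (negative lookahead, character classes, scoped `(?i:...)`) that behave the same in both engines.

```python
import re

# Values not visible in the quoted hunk; assumed here purely to build a
# complete pattern (RequestConstants.CONTEXT_FOLDER and the app version).
CONTEXT_FOLDER = "ctx/"
APP_VERSION = "1.0.0"

# The committed pattern, concatenated the way TapestryModule does it:
# appVersion is inserted unescaped, so its dots are regex wildcards.
CONTEXT_PATH_PATTERN = r"/(?!WEB-INF)([^/.]+/)*[^/]+$"
COMMITTED = CONTEXT_FOLDER + APP_VERSION + CONTEXT_PATH_PATTERN

# A tightened variant (my suggestion, not Tapestry's code):
#  - anchored at the start, with the version escaped,
#  - WEB-INF and META-INF rejected case-insensitively, but only as a whole
#    segment (a folder such as WEB-INFO/ stays allowed),
#  - a last segment consisting only of dots ("." or "..") rejected.
HARDENED = (
    "^" + re.escape(CONTEXT_FOLDER + APP_VERSION)
    + r"/(?!(?i:WEB-INF|META-INF)(?:/|$))(?:[^/.]+/)*(?!\.+$)[^/]+$"
)

# Constructed probe paths (not taken from the commit).
PROBES = [
    "ctx/1.0.0/availablefile.txt",      # ordinary context file
    "ctx/1.0.0/css/site.css",           # file in a subfolder
    "ctx/1.0.0/WEB-INF/web.xml",        # the TAP5-815 case
    "ctx/1.0.0/WEB-INF",                # bare folder, as linked in the demo page
    "ctx/1.0.0/WEB-INF/",
    "ctx/1.0.0/web-inf/web.xml",        # case variant
    "ctx/1.0.0/WEB-INFO/readme.txt",    # folder that merely starts with WEB-INF
    "ctx/1.0.0/../WEB-INF/web.xml",     # traversal attempt
    "ctx/1.0.0/js.v2/app.js",           # dotted folder name
    "ctx/1.0.0/..",                     # dot-only last segment
    "ctx/1.0.0/META-INF/MANIFEST.MF",   # the other container-protected folder
    "evil/ctx/1.0.0/x.txt",             # context prefix not at start of string
    "ctx/1-0-0/a.txt",                  # exploits the unescaped version dots
]


def matches(pattern, path):
    """Java Matcher.matches() equivalent: the whole path must match."""
    return re.fullmatch(pattern, path) is not None


def finds(pattern, path):
    """Java Matcher.find() equivalent: a match anywhere in the path suffices."""
    return re.search(pattern, path) is not None


def classify(paths=PROBES):
    """Map each path to (committed+matches, committed+find, hardened+matches)."""
    return {p: (matches(COMMITTED, p), finds(COMMITTED, p), matches(HARDENED, p))
            for p in paths}


if __name__ == "__main__":
    for path, (m, f, h) in classify().items():
        print(f"{path:34} committed/matches={m!s:5} committed/find={f!s:5} hardened={h}")
```

Running it shows that the committed pattern does what the commit message says for `WEB-INF`, `WEB-INF/` and `WEB-INF/web.xml`, and also rejects `../WEB-INF/web.xml` because `[^/.]+` keeps dots out of intermediate segments. It accepts `web-inf/web.xml`, `META-INF/MANIFEST.MF`, a bare `..` last segment and `ctx/1-0-0/a.txt`, rejects the legitimate `WEB-INFO/readme.txt`, and under `find()` semantics also accepts `evil/ctx/1.0.0/x.txt`. The hardened variant flips each of those while leaving the allowed paths allowed; dotted folder names such as `js.v2/` remain rejected by both, which is a policy choice the commit makes and the variant keeps.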