Posted to dev@tapestry.apache.org by hl...@apache.org on 2010/01/09 01:46:43 UTC
svn commit: r897358 - in /tapestry/tapestry5/trunk: src/site/apt/upgrade.apt
tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
Author: hlship
Date: Sat Jan 9 00:46:42 2010
New Revision: 897358
URL: http://svn.apache.org/viewvc?rev=897358&view=rev
Log:
Improve some documentation about upgrades and Asset security
Modified:
tapestry/tapestry5/trunk/src/site/apt/upgrade.apt
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
Modified: tapestry/tapestry5/trunk/src/site/apt/upgrade.apt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/upgrade.apt?rev=897358&r1=897357&r2=897358&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/src/site/apt/upgrade.apt (original)
+++ tapestry/tapestry5/trunk/src/site/apt/upgrade.apt Sat Jan 9 00:46:42 2010
@@ -14,6 +14,16 @@
Release 5.2.0
+* Asset Security
+
+ Tapestry now includes a new mechanism for ensuring the security of server-side assets, addressing a bug
+ that allowed a malicious user to search and download any file on the classpath. The new approach
+ is more secure, but is based on explicitly extending access; some existing frameworks (created to
+ be compatible with Tapestry 5.1) will need additional configuration to extend access to their
+ assets. See the {{{guide/assets.html}notes on securing Assets}}.
+
+* Template Parser back to SAX
+
Tapestry no longer uses a StAX parser (it uses a normal SAX parser) to parse template. This change
reduces the number of dependencies for Tapestry, and is a stepping stone to compatibility with
Google App Engine.
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java?rev=897358&r1=897357&r2=897358&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java Sat Jan 9 00:46:42 2010
@@ -4,7 +4,7 @@
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
-// http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,6 +14,7 @@
package org.apache.tapestry5.internal.services;
+import org.apache.tapestry5.ioc.annotations.UsesConfiguration;
import org.apache.tapestry5.services.AssetPathAuthorizer;
import java.util.ArrayList;
@@ -30,35 +31,32 @@
* the whitelist authorizer, which has an explicit deny policy.
* Hence, as long as the whitelist authorizer is being used in conjunction with
* the regex authorizer, there is no need to worry about accessDenied in this authorizer.
- *
*/
+@UsesConfiguration(String.class)
public class RegexAuthorizer implements AssetPathAuthorizer
{
-
+
private final Collection<Pattern> _regexes;
-
+
public RegexAuthorizer(final Collection<String> regex)
{
- //an alternate way to construct this would be to make sure that each pattern is grouped
- //and then to regex or the various patterns together into a single pattern.
- //that might be faster, but probably not enough to make a difference, and this is cleaner.
+ // an alternate way to construct this would be to make sure that each pattern is grouped
+ // and then to regex or the various patterns together into a single pattern.
+ // that might be faster, but probably not enough to make a difference, and this is cleaner.
List<Pattern> tmp = new ArrayList<Pattern>();
- for(String exp : regex)
+ for (String exp : regex)
{
tmp.add(Pattern.compile(exp));
}
_regexes = Collections.unmodifiableCollection(tmp);
-
+
}
public boolean accessAllowed(String resourcePath)
{
- for(Pattern regex : _regexes)
+ for (Pattern regex : _regexes)
{
- if (regex.matcher(resourcePath).matches())
- {
- return true;
- }
+ if (regex.matcher(resourcePath).matches()) { return true; }
}
return false;
}
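Review bot: Now that `@UsesConfiguration(String.class)` turns RegexAuthorizer into a contribution point, the class Javadoc should state how a contributed string is interpreted, because `accessAllowed` compiles each string with `Pattern.compile(exp)` and tests it with `matcher(resourcePath).matches()`, i.e. a full match against the entire resource path, and `order()` (in the next hunk) returns only `Order.ALLOW`, so every contribution can only widen access. I would add above the class: `/** Each contributed string is compiled with {@link Pattern#compile(String)} and must match the whole resource path via {@link java.util.regex.Matcher#matches()}; an unanchored contribution such as {@code .*} grants every path, so contributors should match as narrowly as possible. */`. The constructor should also carry `@throws java.util.regex.PatternSyntaxException if a contributed expression does not compile`, since that surfaces at service construction rather than at request time. The class body continues past the end of this hunk.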
@@ -68,7 +66,7 @@
return false;
}
- public List<Order> order()
+ public List<Order> order()
{
return Arrays.asList(Order.ALLOW);
}