
svn commit: r897358 - in /tapestry/tapestry5/trunk: src/site/apt/upgrade.apt tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java

Author: hlship
Date: Sat Jan  9 00:46:42 2010
New Revision: 897358

URL: http://svn.apache.org/viewvc?rev=897358&view=rev
Log:
Improve some documentation about upgrades and Asset security

Modified:
    tapestry/tapestry5/trunk/src/site/apt/upgrade.apt
    tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java

Modified: tapestry/tapestry5/trunk/src/site/apt/upgrade.apt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/src/site/apt/upgrade.apt?rev=897358&r1=897357&r2=897358&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/src/site/apt/upgrade.apt (original)
+++ tapestry/tapestry5/trunk/src/site/apt/upgrade.apt Sat Jan  9 00:46:42 2010
@@ -14,6 +14,16 @@
 
 Release 5.2.0
 
+* Asset Security
+
+  Tapestry now includes a new mechanism for ensuring the security of server-side assets, addressing a bug
+  that allowed a malicious user to search and download any file on the classpath. The new approach
+  is more secure, but is based on explicitly extending access; some existing frameworks (created to
+  be compatible with Tapestry 5.1) will need additional configuration to extend access to their
+  assets.  See the {{{guide/assets.html}notes on securing Assets}}. 
+
+* Template Parser back to SAX
+
   Tapestry no longer uses a StAX parser (it uses a normal SAX parser) to parse template. This change
   reduces the number of dependencies for Tapestry, and is a stepping stone to compatibility with
   Google App Engine.

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java?rev=897358&r1=897357&r2=897358&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/RegexAuthorizer.java Sat Jan  9 00:46:42 2010
@@ -4,7 +4,7 @@
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
-//      http://www.apache.org/licenses/LICENSE-2.0
+// http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -14,6 +14,7 @@
 
 package org.apache.tapestry5.internal.services;
 
+import org.apache.tapestry5.ioc.annotations.UsesConfiguration;
 import org.apache.tapestry5.services.AssetPathAuthorizer;
 
 import java.util.ArrayList;
@@ -30,35 +31,32 @@
  * the whitelist authorizer, which has an explicit deny policy.
  * Hence, as long as the whitelist authorizer is being used in conjunction with
  * the regex authorizer, there is no need to worry about accessDenied in this authorizer.
- *
  */
+@UsesConfiguration(String.class)
 public class RegexAuthorizer implements AssetPathAuthorizer
 {
-    
+
     private final Collection<Pattern> _regexes;
-    
+
     public RegexAuthorizer(final Collection<String> regex)
     {
-        //an alternate way to construct this would be to make sure that each pattern is grouped
-        //and then to regex or the various patterns together into a single pattern.
-        //that might be faster, but probably not enough to make a difference, and this is cleaner.
+        // an alternate way to construct this would be to make sure that each pattern is grouped
+        // and then to regex or the various patterns together into a single pattern.
+        // that might be faster, but probably not enough to make a difference, and this is cleaner.
         List<Pattern> tmp = new ArrayList<Pattern>();
-        for(String exp : regex)
+        for (String exp : regex)
         {
             tmp.add(Pattern.compile(exp));
         }
         _regexes = Collections.unmodifiableCollection(tmp);
-        
+
     }
 
     public boolean accessAllowed(String resourcePath)
     {
-        for(Pattern regex : _regexes)
+        for (Pattern regex : _regexes)
         {
-            if (regex.matcher(resourcePath).matches())
-            {
-                return true;
-            }
+            if (regex.matcher(resourcePath).matches()) { return true; }
         }
         return false;
     }
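Review bot: The class now carries `@UsesConfiguration(String.class)`, but neither the class Javadoc nor the constructor at `public RegexAuthorizer(final Collection<String> regex)` tells contributors how the strings are interpreted, and the interpretation is security-relevant: `accessAllowed` calls `regex.matcher(resourcePath).matches()`, so every contributed expression is tested against the entire resource path, and a pattern that only covers a prefix or substring will never allow anything. A constructor Javadoc should state that each contributed string is compiled with `Pattern.compile`, matched against the whole asset path, and that access is allowed when any one pattern matches, with `@throws PatternSyntaxException if a contributed expression does not compile` since an invalid contribution currently fails service construction with no indication of which expression was at fault. As a point of style, the collapsed `if (regex.matcher(resourcePath).matches()) { return true; }` departs from the brace-on-its-own-line layout the same hunk keeps for the surrounding `for` loops; the three-line form it replaces was consistent with the rest of the file. The class body continues past this hunk (the `order()` method is in the next one).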
@@ -68,7 +66,7 @@
         return false;
     }
 
-    public List<Order> order() 
+    public List<Order> order()
     {
         return Arrays.asList(Order.ALLOW);
     }