Posted to dev@tapestry.apache.org by ro...@apache.org on 2009/12/14 13:03:56 UTC

svn commit: r890285 - in /tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src: main/java/org/apache/tapestry5/services/ test/app1/ test/app1/META-INF/ test/java/org/apache/tapestry5/integration/ test/java/org/apache/tapestry5/integration/app1/ser...

Author: robertdzeigler
Date: Mon Dec 14 12:03:55 2009
New Revision: 890285

URL: http://svn.apache.org/viewvc?rev=890285&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable.
Port context asset regex changes from trunk to 5.1 branch.

Added:
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/META-INF/
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/META-INF/unavailable2.txt
Modified:
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
    tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=890285&r1=890284&r2=890285&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Mon Dec 14 12:03:55 2009
@@ -2462,7 +2462,7 @@
             //at or below WEB-INF.
             //necessary since context assets are now handled via AssetDispatcher so that
             //they can be compressed, combined, etc.
-            String contextPathPattern = "/(?!WEB-INF)([^/.]+/)*[^/]+$";
+            String contextPathPattern = "/(?!(WEB-INF)|(META-INF))([^/.]+/)*[^/]+(?<!\\.tml)$";
             regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + contextPathPattern);
         }
 
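Review bot: The new `contextPathPattern` matches `WEB-INF`, `META-INF` and the `.tml` suffix case-sensitively unless the regex is compiled with a case-insensitive flag outside this hunk, so on a case-insensitive file system a differently-cased spelling of a protected path might still pass the filter. If the compile site does not already set that flag, scope it in the pattern itself: `"/(?!(?i:WEB-INF|META-INF))([^/.]+/)*[^/]+(?<!(?i:\\.tml))$"`. The comment above the line still says only "at or below WEB-INF" and should name the new exclusions too, e.g. `//at or below WEB-INF or META-INF, and page templates (*.tml).` The enclosing method starts outside the hunk, so how the pattern is compiled and used cannot be confirmed from here.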

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=890285&r1=890284&r2=890285&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/AssetProtectionDemo.tml Mon Dec 14 12:03:55 2009
@@ -5,4 +5,9 @@
     <a href="${asset:context:WEB-INF/}">WEB-INF/</a>
     <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt}">Unavailable File</a>
     <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/availablefile2.txt}">Available File2</a>
-</html>
\ No newline at end of file
+    <a href="${asset:context:META-INF}">META-INF</a>
+    <a href="${asset:context:META-INF/}">META-INF/</a>
+    <a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a>
+    <a href="${asset:context:AssetProtectionDemo.tml}">tml file</a>
+    <a href="${asset:context:music/MusicDetails.tml}">nested tml file</a>
+</html>

Added: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/META-INF/unavailable2.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/META-INF/unavailable2.txt?rev=890285&view=auto
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/META-INF/unavailable2.txt (added)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/app1/META-INF/unavailable2.txt Mon Dec 14 12:03:55 2009
@@ -0,0 +1 @@
+This file is in META-INF so it should not be available.

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=890285&r1=890284&r2=890285&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Mon Dec 14 12:03:55 2009
@@ -3032,7 +3032,7 @@
 
     /** TAP5-815 */
     @Test
-    public void testAssetProtection() throws InterruptedException
+    public void asset_protection()
     {
 
         //context resourcs should be available by default.
@@ -3059,6 +3059,28 @@
         start("Asset Protection Demo");
         clickAndWait("link=Available File2");
         assertTextPresent("This file should be available to clients.");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=META-INF");
+        assertTextPresent("HTTP ERROR: 404");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=META-INF/");
+        assertTextPresent("HTTP ERROR: 404");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=unavailable2.txt");
+        assertTextPresent("HTTP ERROR: 404");
+
+        //tml files...
+        start("Asset Protection Demo");
+        clickAndWait("link=tml file");
+        assertTextPresent("HTTP ERROR: 404");
+
+        //nested tml files...
+        start("Asset Protection Demo");
+        clickAndWait("link=nested tml file");
+        assertTextPresent("HTTP ERROR: 404");
     }
 
-}
\ No newline at end of file
+}
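Review bot: The five new negative cases repeat the same three calls and differ only in the link label, so they would read better as one loop over the labels, which also makes it cheap to add further denied paths later. Each case asserts on the literal `HTTP ERROR: 404`, which looks like the servlet container's error page text rather than anything the framework emits, so the check is tied to that container; a short comment saying so would help the next maintainer. The body of asset_protection() starts outside this hunk.

```java
        // … unchanged: available-file checks above …

        // Each of these context assets must be refused by the asset dispatcher.
        // The 404 text is presumably the container's error page — confirm.
        String[] deniedLinks = {"META-INF", "META-INF/", "unavailable2.txt", "tml file", "nested tml file"};
        for (String label : deniedLinks)
        {
            start("Asset Protection Demo");
            clickAndWait("link=" + label);
            assertTextPresent("HTTP ERROR: 404");
        }
```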

Modified: tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java?rev=890285&r1=890284&r2=890285&view=diff
==============================================================================
--- tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java (original)
+++ tapestry/tapestry5/branches/5.1.0.x-dev/tapestry-core/src/test/java/org/apache/tapestry5/integration/app1/services/AppModule.java Mon Dec 14 12:03:55 2009
@@ -258,8 +258,7 @@
         configuration.add("ReverseStringsWorker", new ReverseStringsWorker());
     }
 
-    public static void contributeWhitelistAuthorizer(
-            Configuration<String> configuration)
+    public static void contributeWhitelistAuthorizer(Configuration<String> configuration)
     {
         configuration.add("org/apache/tapestry5/integration/app1/pages/availablefile2.txt");
     }