Posted to commits@tapestry.apache.org by th...@apache.org on 2021/03/09 12:42:24 UTC
[tapestry-5] branch master updated: TAP5-2665: Disallow requests
for folders in the classpath by default
This is an automated email from the ASF dual-hosted git repository.
thiagohp pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tapestry-5.git
The following commit(s) were added to refs/heads/master by this push:
new ce9c2e8 TAP5-2665: Disallow requests for folders in the classpath by default
ce9c2e8 is described below
commit ce9c2e8e49669a7d7e68c347f1d95e79ece74ae4
Author: Thiago H. de Paula Figueiredo <th...@arsmachina.com.br>
AuthorDate: Tue Mar 9 08:42:30 2021 -0300
TAP5-2665: Disallow requests for folders in the classpath by default
---
.../internal/services/assets/ChecksumPath.java | 2 +-
.../assets/ClasspathAssetRequestHandler.java | 12 ++++-
.../org/apache/tapestry5/modules/AssetsModule.java | 55 +++++++++++++++++++---
3 files changed, 61 insertions(+), 8 deletions(-)
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
index 69624d4..95e907e 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ChecksumPath.java
@@ -27,7 +27,7 @@ import java.io.IOException;
*/
public class ChecksumPath
{
- private static final String NON_EXISTING_RESOURCE = "_________________________";
+ static final String NON_EXISTING_RESOURCE = "_________________________";
public final String checksum;
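Review bot: NON_EXISTING_RESOURCE is widened to package-private so that ClasspathAssetRequestHandler can compare request paths against it, but nothing documents that the value is a sentinel with special meaning for the protection rules. A comment above the field such as `// Sentinel resourcePath for a resource that does not exist; ClasspathAssetRequestHandler skips the protection-rule check for it.` would make the coupling visible to the next maintainer. The sentinel contains no '.', so any rule that keys on the shape of the name (as the new Folder rule does) would otherwise match every missing resource, which is presumably why the handler special-cases it.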
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
index 981774f..2e745de 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/assets/ClasspathAssetRequestHandler.java
@@ -22,6 +22,8 @@ import org.apache.tapestry5.services.AssetSource;
import org.apache.tapestry5.services.ClasspathAssetAliasManager;
import org.apache.tapestry5.services.ClasspathAssetProtectionRule;
import org.apache.tapestry5.services.assets.AssetRequestHandler;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
import java.io.IOException;
@@ -33,6 +35,9 @@ import java.io.IOException;
*/
public class ClasspathAssetRequestHandler implements AssetRequestHandler
{
+
+ private final static Logger LOGGER = LoggerFactory.getLogger(ClasspathAssetRequestHandler.class);
+
private final ResourceStreamer streamer;
private final AssetSource assetSource;
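Review bot: `private final static Logger LOGGER` uses an unconventional modifier order; the JLS-recommended order, and the one matching the `private final` fields directly below it, is `private static final Logger LOGGER = LoggerFactory.getLogger(ClasspathAssetRequestHandler.class);`. The class body continues outside the hunk.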
@@ -56,8 +61,13 @@ public class ClasspathAssetRequestHandler implements AssetRequestHandler
ChecksumPath path = new ChecksumPath(streamer, baseFolder, extraPath);
final boolean handled;
- if (classpathAssetProtectionRule.block(path.resourcePath))
+ if (classpathAssetProtectionRule.block(path.resourcePath) && !path.resourcePath.equals(ChecksumPath.NON_EXISTING_RESOURCE))
{
+ if (LOGGER.isWarnEnabled())
+ {
+ LOGGER.warn("Blocked request for classpath asset '" + path.resourcePath +
+ "'. Contribute a new ClasspathAssetProtectionRule if you need this asset to be publicly accessible.");
+ }
handled = false;
}
else
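Review bot: The new guard at the top of the hunk skips every ClasspathAssetProtectionRule when `path.resourcePath` is the NON_EXISTING_RESOURCE sentinel, and nothing says why; since the sentinel contains no '.', the Folder rule added to AssetsModule in this same commit would otherwise match it and warn on every request for a missing resource, so a comment such as `// Never "block" the non-existing sentinel: it has no extension, so the Folder rule would match it and warn on every missing resource.` belongs above the if. The warning itself should use slf4j placeholders instead of concatenation guarded by isWarnEnabled: `LOGGER.warn("Blocked request for classpath asset '{}'. Contribute a new ClasspathAssetProtectionRule if you need this asset to be publicly accessible.", path.resourcePath);`. Note that resourcePath is derived from the request, so every blocked request from an unauthenticated client yields a WARN line containing client-chosen text; if ChecksumPath does not already strip control characters, consider sanitizing the value or logging at a lower level. The enclosing method and its else branch continue outside the hunk.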
diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
index 49ecfdc..72091dd 100644
--- a/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
+++ b/tapestry-core/src/main/java/org/apache/tapestry5/modules/AssetsModule.java
@@ -16,9 +16,9 @@ import java.util.List;
import java.util.Map;
import org.apache.tapestry5.SymbolConstants;
-import org.apache.tapestry5.beanmodel.internal.services.*;
-import org.apache.tapestry5.beanmodel.services.*;
-import org.apache.tapestry5.commons.*;
+import org.apache.tapestry5.commons.MappedConfiguration;
+import org.apache.tapestry5.commons.OrderedConfiguration;
+import org.apache.tapestry5.commons.Resource;
import org.apache.tapestry5.http.TapestryHttpSymbolConstants;
import org.apache.tapestry5.http.internal.TapestryHttpInternalConstants;
import org.apache.tapestry5.http.services.ApplicationGlobals;
@@ -35,11 +35,36 @@ import org.apache.tapestry5.internal.services.ExternalUrlAssetFactory;
import org.apache.tapestry5.internal.services.IdentityAssetPathConverter;
import org.apache.tapestry5.internal.services.RequestConstants;
import org.apache.tapestry5.internal.services.ResourceStreamer;
-import org.apache.tapestry5.internal.services.assets.*;
+import org.apache.tapestry5.internal.services.assets.AssetChecksumGeneratorImpl;
+import org.apache.tapestry5.internal.services.assets.AssetPathConstructorImpl;
+import org.apache.tapestry5.internal.services.assets.CSSURLRewriter;
+import org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.CompressionAnalyzerImpl;
+import org.apache.tapestry5.internal.services.assets.ContentTypeAnalyzerImpl;
+import org.apache.tapestry5.internal.services.assets.ContextAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackAssembler;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackAssemblerImpl;
+import org.apache.tapestry5.internal.services.assets.JavaScriptStackMinimizeDisabler;
+import org.apache.tapestry5.internal.services.assets.MasterResourceMinimizer;
+import org.apache.tapestry5.internal.services.assets.ResourceChangeTracker;
+import org.apache.tapestry5.internal.services.assets.ResourceChangeTrackerImpl;
+import org.apache.tapestry5.internal.services.assets.SRSCachingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSCompressedCachingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSCompressingInterceptor;
+import org.apache.tapestry5.internal.services.assets.SRSMinimizingInterceptor;
+import org.apache.tapestry5.internal.services.assets.StackAssetRequestHandler;
+import org.apache.tapestry5.internal.services.assets.StreamableResourceSourceImpl;
+import org.apache.tapestry5.internal.services.assets.UTF8ForTextAssets;
import org.apache.tapestry5.internal.services.messages.ClientLocalizationMessageResource;
import org.apache.tapestry5.ioc.OperationTracker;
import org.apache.tapestry5.ioc.ServiceBinder;
-import org.apache.tapestry5.ioc.annotations.*;
+import org.apache.tapestry5.ioc.annotations.Autobuild;
+import org.apache.tapestry5.ioc.annotations.Contribute;
+import org.apache.tapestry5.ioc.annotations.Decorate;
+import org.apache.tapestry5.ioc.annotations.Marker;
+import org.apache.tapestry5.ioc.annotations.Order;
+import org.apache.tapestry5.ioc.annotations.Primary;
+import org.apache.tapestry5.ioc.annotations.Symbol;
import org.apache.tapestry5.ioc.services.ChainBuilder;
import org.apache.tapestry5.ioc.services.FactoryDefaults;
import org.apache.tapestry5.ioc.services.SymbolProvider;
@@ -53,7 +78,12 @@ import org.apache.tapestry5.services.ClasspathProvider;
import org.apache.tapestry5.services.ComponentClassResolver;
import org.apache.tapestry5.services.ContextProvider;
import org.apache.tapestry5.services.Core;
-import org.apache.tapestry5.services.assets.*;
+import org.apache.tapestry5.services.assets.AssetChecksumGenerator;
+import org.apache.tapestry5.services.assets.AssetPathConstructor;
+import org.apache.tapestry5.services.assets.AssetRequestHandler;
+import org.apache.tapestry5.services.assets.ContentTypeAnalyzer;
+import org.apache.tapestry5.services.assets.ResourceMinimizer;
+import org.apache.tapestry5.services.assets.StreamableResourceSource;
import org.apache.tapestry5.services.javascript.JavaScriptStackSource;
import org.apache.tapestry5.services.messages.ComponentMessagesSource;
@@ -399,6 +429,19 @@ public class AssetsModule
configuration.add("PropertiesFile", propertiesFileRule);
ClasspathAssetProtectionRule xmlFileRule = (s) -> s.toLowerCase().endsWith(".xml");
configuration.add("XMLFile", xmlFileRule);
+ ClasspathAssetProtectionRule folderRule = (s) -> isFolderToBlock(s);
+ configuration.add("Folder", folderRule);
+ }
+
+ final private static boolean isFolderToBlock(String path)
+ {
+ path = path.replace('\\', '/');
+ final int lastIndex = path.lastIndexOf('/');
+ if (lastIndex >= 0)
+ {
+ path = path.substring(lastIndex);
+ }
+ return !path.contains(".");
}
}
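Review bot: isFolderToBlock decides by the shape of the path string rather than by whether the resource resolves to a directory: a last segment without a '.' is blocked, so extensionless classpath files (e.g. LICENSE or README) are now refused by default, while a directory whose name contains a '.' is not caught by this rule. That trade-off should be stated in a Javadoc on the method, together with a note that the rule is contributed under the "Folder" key and can presumably be overridden there. Smaller points: `substring(lastIndex)` keeps the leading '/' in the compared segment (harmless for the contains check but misleading), the parameter is reassigned, and `final private static` is not the conventional modifier order; a clearer body is `final String normalized = path.replace('\\', '/');` then `final String lastSegment = normalized.substring(normalized.lastIndexOf('/') + 1);` then `return !lastSegment.contains(".");`, which preserves behaviour for paths without a separator because lastIndexOf returns -1. The enclosing contribute method starts outside the hunk.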