Posted to dev@tapestry.apache.org by Andreas Andreou <an...@di.uoa.gr> on 2009/12/11 01:27:17 UTC

Re: [jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

great to see this closed!

afaik, there's no other 'promised' pending issue for 5.0.19, right?
If that's true and everyone agrees, we can go on with that release first!

On Fri, Dec 11, 2009 at 1:50 AM, Robert Zeigler (JIRA) <ji...@apache.org> wrote:
>
>     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Robert Zeigler closed TAP5-815.
> -------------------------------
>
>       Resolution: Fixed
>    Fix Version/s: 5.0.19
>                   5.1.0.6
>                   5.2.0
>
>> Asset dispatcher allows any file inside the webapp visible and downloadable
>> ---------------------------------------------------------------------------
>>
>>                 Key: TAP5-815
>>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>>             Project: Tapestry 5
>>          Issue Type: Bug
>>    Affects Versions: 5.1.0.5
>>            Reporter: Thiago H. de Paula Figueiredo
>>            Assignee: Robert Zeigler
>>            Priority: Blocker
>>             Fix For: 5.2.0, 5.1.0.6, 5.0.19
>>
>>
>> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>



-- 
Andreas Andreou - andyhot@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org


Re: [jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by Massimo Lusetti <ml...@gmail.com>.
On Fri, Dec 11, 2009 at 1:27 AM, Andreas Andreou <an...@di.uoa.gr> wrote:

> great to see this closed!
>
> afaik, there's no other 'promised' pending issue for 5.0.19, right?
> If that's true and everyone agrees, we can go on with that release first!

That would be great!

-- 
Massimo
http://meridio.blogspot.com



Re: [jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by Robert Zeigler <ro...@scazdl.org>.
5.0.19 should be fine.
Turns out, there are still some tweaks needed for 5.1.0.6 and 5.2.0,
but those are all related to the proper protection of WEB-INF and
META-INF along with the proper opening (by default) of the remaining
static context assets.  5.0.19 doesn't serve context assets through
AssetDispatcher, so it doesn't have these same issues.

Robert

On Dec 10, 2009, at 6:27 PM, Andreas Andreou wrote:

> great to see this closed!
>
> afaik, there's no other 'promised' pending issue for 5.0.19, right?
> If that's true and everyone agrees, we can go on with that release first!
>
> On Fri, Dec 11, 2009 at 1:50 AM, Robert Zeigler (JIRA) <jira@apache.org> wrote:
>>
>>     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>>
>> Robert Zeigler closed TAP5-815.
>> -------------------------------
>>
>>       Resolution: Fixed
>>    Fix Version/s: 5.0.19
>>                   5.1.0.6
>>                   5.2.0
>>
>>> Asset dispatcher allows any file inside the webapp visible and downloadable
>>> ---------------------------------------------------------------------------
>>>
>>>                 Key: TAP5-815
>>>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>>>             Project: Tapestry 5
>>>          Issue Type: Bug
>>>    Affects Versions: 5.1.0.5
>>>            Reporter: Thiago H. de Paula Figueiredo
>>>            Assignee: Robert Zeigler
>>>            Priority: Blocker
>>>             Fix For: 5.2.0, 5.1.0.6, 5.0.19
>>>
>>>
>>> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.


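
The check discussed in this thread (no folder listings, WEB-INF and META-INF kept private, other static context files served), sketched as an added example. It is not Tapestry's fix or code from any poster; the class name, method name and deny-list are hypothetical, and the path is assumed to be already URL-decoded and relative to the webapp root with no leading slash.

```java
import java.util.List;
import java.util.Locale;

public final class ContextAssetGuard {
    // Hypothetical deny-list: the two folders the thread says must stay protected.
    private static final List<String> PROTECTED = List.of("web-inf", "meta-inf");

    private ContextAssetGuard() {}

    /** Returns true only if the context-relative path names a file that may be served. */
    public static boolean isServable(String path) {
        // Empty path or trailing slash is a folder request: never answer with a listing.
        if (path == null || path.isEmpty() || path.endsWith("/")) {
            return false;
        }
        // Leftover escapes, backslashes or NUL mean the path was not fully
        // normalised upstream; refuse instead of guessing what it resolves to.
        if (path.indexOf('%') >= 0 || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) {
            return false;
        }
        for (String segment : path.split("/")) {
            // Empty, "." and ".." segments could step out of the intended folder.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
            // Case-insensitive match at any depth, stricter than root-only,
            // so "web-inf" on a case-insensitive file system is also refused.
            if (PROTECTED.contains(segment.toLowerCase(Locale.ROOT))) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample paths; only the first one is servable.
        String[] samples = {
            "css/main.css", "", "css/", "WEB-INF/web.xml",
            "web-inf/classes/app.properties", "css/../WEB-INF/web.xml",
            "META-INF/MANIFEST.MF", "css//main.css"
        };
        for (String s : samples) {
            System.out.println((isServable(s) ? "serve  " : "refuse ") + "\"" + s + "\"");
        }
    }
}
```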