Posted to dev@tapestry.apache.org by andyhot <an...@di.uoa.gr> on 2007/09/17 05:06:15 UTC

[T4] AssetService

... not sure how this works in T5 - so, perhaps it also makes sense there...

So, I was taking a look at https://issues.apache.org/jira/browse/TAPESTRY-1306, which basically says that lots of exception messages are shown on the server console whenever a (protected) resource is not found, and I've noticed the following:

-) First of all (and the cause of that bug), we call the MD5 even if the resource doesn't exist. This causes an ApplicationRuntimeException which forces the AssetService to terminate its service method. The side effects are: a) the previously stated error messages on the server, b) the response is 200 instead of 404. I've already got a patch for this.

-) Secondly, I noticed that we return a 403 error if the resource exists but the MD5 digest is incorrect. I now see that this is a potential vulnerability... for instance, I can try requesting folders like /org/hibernate/ or /org/apache/ibatis/ and understand what kind of technologies are used by a T4 site. I haven't done any changes here - but I think returning a 404 is correct.

What do you guys think?

-- 
Andreas Andreou - andyhot@apache.org - http://andyhot.di.uoa.gr
Tapestry / Tacos developer
Open Source / JEE Consulting
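As an added illustration (this is not Tapestry's AssetService code and not Andreas's patch), the following Java sketch shows the two points the post makes side by side: the original ordering, where the digest is computed before the resource is looked up and a mismatch answers 403, and a hardened ordering, where the lookup comes first and both "missing" and "wrong digest" answer 404, so a client cannot tell which one happened. The in-memory classpath map, the paths, the class and method names, and the Java 16+ record are all constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

/** Added example, not Tapestry code: asset serving with existence-first ordering. */
public class AssetServiceExample {

    // Constructed stand-in for the classpath: resource path -> resource bytes.
    private static final Map<String, byte[]> CLASSPATH = Map.of(
            "/org/example/app/logo.png", "fake-png-bytes".getBytes(StandardCharsets.UTF_8),
            "/org/example/app/style.css", "body{}".getBytes(StandardCharsets.UTF_8));

    static final int SC_OK = 200;
    static final int SC_FORBIDDEN = 403;
    static final int SC_NOT_FOUND = 404;

    /** Status plus body (body is null when nothing is served). */
    record Response(int status, byte[] body) {}

    /** Hex MD5 of the resource bytes; the digest scheme the post refers to. */
    static String md5Hex(byte[] data) {
        try {
            MessageDigest md = MessageDigest.getInstance("MD5");
            StringBuilder sb = new StringBuilder();
            for (byte b : md.digest(data)) {
                sb.append(String.format("%02x", b));
            }
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("MD5 unavailable", e);
        }
    }

    /**
     * Ordering described in the post as the original behaviour: the digest
     * is computed first, so a missing resource throws (the console noise)
     * and a present resource with a bad digest answers 403. The 403 vs 404
     * difference is what lets a caller confirm that a path exists.
     */
    static Response serveOriginalOrdering(String path, String digest) {
        byte[] bytes = CLASSPATH.get(path);
        String expected = md5Hex(bytes);              // NPE when bytes == null
        if (!expected.equals(digest)) {
            return new Response(SC_FORBIDDEN, null);  // leaks: resource exists
        }
        return new Response(SC_OK, bytes);
    }

    /**
     * Hardened ordering: look the resource up before hashing, so nothing is
     * computed or logged at error level for a path that does not exist, and
     * answer 404 for both "missing" and "wrong digest" so the two cases are
     * indistinguishable to the client. The digest comparison is constant-time.
     */
    static Response serveHardened(String path, String digest) {
        byte[] bytes = CLASSPATH.get(path);
        if (bytes == null || digest == null) {
            return new Response(SC_NOT_FOUND, null);
        }
        byte[] expected = md5Hex(bytes).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = digest.getBytes(StandardCharsets.US_ASCII);
        if (!MessageDigest.isEqual(expected, supplied)) {
            // Same status as "missing"; a debug-level log here still lets an
            // operator notice repeated bad-digest requests without stack traces.
            return new Response(SC_NOT_FOUND, null);
        }
        return new Response(SC_OK, bytes);
    }

    public static void main(String[] args) {
        String logo = "/org/example/app/logo.png";
        String good = md5Hex(CLASSPATH.get(logo));

        System.out.println("hardened, correct digest:   " + serveHardened(logo, good).status());
        System.out.println("hardened, wrong digest:     " + serveHardened(logo, "0000").status());
        System.out.println("hardened, unknown path:     " + serveHardened("/org/hibernate/", "0000").status());
        System.out.println("original, wrong digest:     " + serveOriginalOrdering(logo, "0000").status());
        try {
            serveOriginalOrdering("/org/hibernate/", "0000");
        } catch (RuntimeException e) {
            System.out.println("original, unknown path:     threw " + e.getClass().getSimpleName());
        }
    }
}
```

Running main prints the same status for the hardened "wrong digest" and "unknown path" cases, which is the property the post asks for; the original ordering shows the two distinguishable outcomes (a 403 versus an exception) that make the existence of a package on the classpath observable.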

