Posted to users@tapestry.apache.org by Rich M <ri...@moremagic.com> on 2010/09/13 23:14:34 UTC
Asset Security in 5.1.0.5
Hi,
I just noticed I can access a disturbing amount of files through the
assets/ path from my application. The user guide for 5.0 states that
Tapestry automatically blocks access to all assets and only whitelists
critical Tapestry files
http://tapestry.apache.org/tapestry5.0/guide/assets.html . However,
looking at the 5.1 guide there is no mention of security like in the 5.0
guide. I haven't made any contributions to an AssetPathAuthorizer or
even known about them, so I don't think I've done something to
specifically allow access to the files via Tapestry code. How can I get
the files in my classpath and web context blocked?
Thanks,
Rich
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: Asset Security in 5.1.0.5
Posted by Christophe Cordenier <ch...@gmail.com>.
Hi!
A security patch has been applied in 5.1.0.6 and 5.1.0.7, but these versions
failed the vote process; you can use the 5.1.0.8-SNAPSHOT version to
protect your assets.
2010/9/13 Rich M <ri...@moremagic.com>
>
> Hi,
>
> I just noticed I can access a disturbing amount of files through the
> assets/ path from my application. The user guide for 5.0 states that
> Tapestry automatically blocks access to all assets and only whitelists
> critical Tapestry files
> http://tapestry.apache.org/tapestry5.0/guide/assets.html . However,
> looking at the 5.1 guide there is no mention of security like in the 5.0
> guide. I haven't made any contributions to an AssetPathAuthorizer or even
> known about them, so I don't think I've done something to specifically allow
> access to the files via Tapestry code. How can I get the files in my
> classpath and web context blocked?
>
> Thanks,
> Rich
--
Regards,
Christophe Cordenier.
Committer on Apache Tapestry 5
Co-creator of wooki @wookicentral.com