Posted to dev@tapestry.apache.org by ro...@apache.org on 2009/12/12 22:37:21 UTC
svn commit: r889985 - in /tapestry/tapestry5/trunk/tapestry-core/src:
main/java/org/apache/tapestry5/services/ test/app1/ test/app1/META-INF/
test/java/org/apache/tapestry5/integration/
Author: robertdzeigler
Date: Sat Dec 12 21:37:21 2009
New Revision: 889985
URL: http://svn.apache.org/viewvc?rev=889985&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable
Further improvements to the context assets regex. In addition to WEB-INF, files at or under META-INF are blocked, as are files ending in .tml.
Added:
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt
Modified:
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=889985&r1=889984&r2=889985&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Sat Dec 12 21:37:21 2009
@@ -2935,7 +2935,7 @@
//at or below WEB-INF.
//necessary since context assets are now handled via AssetDispatcher so that
//they can be compressed, combined, etc.
- String contextPathPattern = "/(?!WEB-INF)([^/.]+/)*[^/]+$";
+ String contextPathPattern = "/(?!(WEB-INF)|(META-INF))([^/.]+/)*[^/]+(?<!\\.tml)$";
regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + contextPathPattern);
}
}
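Review bot: The negative lookahead and the `.tml` lookbehind in `contextPathPattern` match case-sensitively, so where the filesystem resolves names case-insensitively, a differently-cased spelling of a protected directory or of the template extension would still satisfy this allow-list pattern. Whether the pattern is later compiled with a case-insensitive flag is not visible in this hunk. Making both assertions case-insensitive closes the gap: `String contextPathPattern = "/(?!(?i:WEB-INF|META-INF))([^/.]+/)*[^/]+(?<!(?i:\\.tml))$";`. The comment above the line still mentions only WEB-INF and could end `//at or below WEB-INF or META-INF, or ending in .tml.` The enclosing method starts outside the hunk.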
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=889985&r1=889984&r2=889985&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml Sat Dec 12 21:37:21 2009
@@ -5,4 +5,9 @@
<a href="${asset:context:WEB-INF/}">WEB-INF/</a>
<a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt}">Unavailable File</a>
<a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/availablefile2.txt}">Available File2</a>
+ <a href="${asset:context:META-INF}">META-INF</a>
+ <a href="${asset:context:META-INF/}">META-INF/</a>
+ <a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a>
+ <a href="${asset:context:AssetProtectionDemo.tml}">tml file</a>
+ <a href="${asset:context:music/MusicDetails.tml}">nested tml file</a>
</html>
Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt?rev=889985&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt Sat Dec 12 21:37:21 2009
@@ -0,0 +1 @@
+This file is in META-INF so it should not be available.
\ No newline at end of file
Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=889985&r1=889984&r2=889985&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Sat Dec 12 21:37:21 2009
@@ -3293,7 +3293,7 @@
/** TAP5-815 */
@Test
- public void testAssetProtection()
+ public void asset_protection()
{
//context resourcs should be available by default.
start("Asset Protection Demo");
@@ -3319,5 +3319,27 @@
start("Asset Protection Demo");
clickAndWait("link=Available File2");
assertTextPresent("This file should be available to clients.");
+
+ start("Asset Protection Demo");
+ clickAndWait("link=META-INF");
+ assertTextPresent("HTTP ERROR: 404");
+
+ start("Asset Protection Demo");
+ clickAndWait("link=META-INF/");
+ assertTextPresent("HTTP ERROR: 404");
+
+ start("Asset Protection Demo");
+ clickAndWait("link=unavailable2.txt");
+ assertTextPresent("HTTP ERROR: 404");
+
+ //tml files...
+ start("Asset Protection Demo");
+ clickAndWait("link=tml file");
+ assertTextPresent("HTTP ERROR: 404");
+
+ //nested tml files...
+ start("Asset Protection Demo");
+ clickAndWait("link=nested tml file");
+ assertTextPresent("HTTP ERROR: 404");
}
}
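Review bot: The five added checks repeat the same `start` / `clickAndWait` / `assertTextPresent("HTTP ERROR: 404")` triple, so `asset_protection()` keeps growing by copy-paste each time a protected path is added. A private helper, for example `assertAssetBlocked(String linkLabel)` wrapping those three calls, would reduce each case to one line and make the list of protected paths easy to audit. The literal `"HTTP ERROR: 404"` presumably matches the default error page of the test container, so a comment saying so would help if the container or its error page changes. The method begins in the previous hunk and its earlier assertions are not visible here.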