Posted to dev@tapestry.apache.org by ro...@apache.org on 2009/12/12 22:37:21 UTC

svn commit: r889985 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/services/ test/app1/ test/app1/META-INF/ test/java/org/apache/tapestry5/integration/

Author: robertdzeigler
Date: Sat Dec 12 21:37:21 2009
New Revision: 889985

URL: http://svn.apache.org/viewvc?rev=889985&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and downloadable
Further improvements to the context assets regex.  In addition to WEB-INF, files at or under META-INF are blocked, as are files ending in .tml.

Added:
    tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/
    tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt
Modified:
    tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
    tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
    tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java

Modified: tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java?rev=889985&r1=889984&r2=889985&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/services/TapestryModule.java Sat Dec 12 21:37:21 2009
@@ -2935,7 +2935,7 @@
             //at or below WEB-INF.
             //necessary since context assets are now handled via AssetDispatcher so that
             //they can be compressed, combined, etc.
-            String contextPathPattern = "/(?!WEB-INF)([^/.]+/)*[^/]+$";
+            String contextPathPattern = "/(?!(WEB-INF)|(META-INF))([^/.]+/)*[^/]+(?<!\\.tml)$";
             regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + contextPathPattern);
         }
     }
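Review bot: The negative lookahead and the `(?<!\\.tml)` lookbehind in `contextPathPattern` are literal, case-sensitive matches, so whether `web-inf/…`, `Meta-Inf/…` or a `.TML` suffix is rejected depends on how the authorizer compiles the pattern, which this hunk does not show. If it is compiled without a case-insensitive flag and the webapp runs on a case-insensitive filesystem, such requests would satisfy the allow pattern; consider `"/(?i)(?!(WEB-INF)|(META-INF))([^/.]+/)*[^/]+(?<!\\.tml)$"` and a differently-cased link in AssetProtectionDemo.tml with a matching 404 assertion to pin the behaviour. The comment above the assignment still mentions only WEB-INF; something like `//at or below WEB-INF or META-INF, and any file ending in .tml.` would keep it accurate. The enclosing method starts outside the hunk.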

Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml?rev=889985&r1=889984&r2=889985&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/AssetProtectionDemo.tml Sat Dec 12 21:37:21 2009
@@ -5,4 +5,9 @@
     <a href="${asset:context:WEB-INF/}">WEB-INF/</a>
     <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/unavailablefile.txt}">Unavailable File</a>
     <a href="${asset:classpath:/org/apache/tapestry5/integration/app1/pages/availablefile2.txt}">Available File2</a>
+    <a href="${asset:context:META-INF}">META-INF</a>
+    <a href="${asset:context:META-INF/}">META-INF/</a>
+    <a href="${asset:context:META-INF/unavailable2.txt}">unavailable2.txt</a>
+    <a href="${asset:context:AssetProtectionDemo.tml}">tml file</a>
+    <a href="${asset:context:music/MusicDetails.tml}">nested tml file</a>
 </html>

Added: tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt?rev=889985&view=auto
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt (added)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/app1/META-INF/unavailable2.txt Sat Dec 12 21:37:21 2009
@@ -0,0 +1 @@
+This file is in META-INF so it should not be available.
\ No newline at end of file

Modified: tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java
URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java?rev=889985&r1=889984&r2=889985&view=diff
==============================================================================
--- tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java (original)
+++ tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/integration/IntegrationTests.java Sat Dec 12 21:37:21 2009
@@ -3293,7 +3293,7 @@
 
     /** TAP5-815 */
     @Test
-    public void testAssetProtection()
+    public void asset_protection()
     {
         //context resourcs should be available by default.
         start("Asset Protection Demo");
@@ -3319,5 +3319,27 @@
         start("Asset Protection Demo");
         clickAndWait("link=Available File2");
         assertTextPresent("This file should be available to clients.");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=META-INF");
+        assertTextPresent("HTTP ERROR: 404");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=META-INF/");
+        assertTextPresent("HTTP ERROR: 404");
+
+        start("Asset Protection Demo");
+        clickAndWait("link=unavailable2.txt");
+        assertTextPresent("HTTP ERROR: 404");
+
+        //tml files...
+        start("Asset Protection Demo");
+        clickAndWait("link=tml file");
+        assertTextPresent("HTTP ERROR: 404");
+
+        //nested tml files...
+        start("Asset Protection Demo");
+        clickAndWait("link=nested tml file");
+        assertTextPresent("HTTP ERROR: 404");
     }
 }
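Review bot: The five added negative cases repeat the same start / clickAndWait / assertTextPresent triplet and differ only in the link text, so a blocked path that is added later is easy to miss or to copy with the wrong link. Driving them from one list of link names keeps the set of blocked resources visible in a single place and makes adding a case a one-word change. The assertion text `HTTP ERROR: 404` appears to be the servlet container's error page rather than a status-code check, so a short comment saying so would help whoever runs the suite on another container. The test method begins outside this hunk.

```java
        // … unchanged: earlier context and classpath asset checks …
        String[] blockedLinks = {"META-INF", "META-INF/", "unavailable2.txt", "tml file", "nested tml file"};
        for (String link : blockedLinks)
        {
            start("Asset Protection Demo");
            clickAndWait("link=" + link);
            // body text of the container's error page, not the HTTP status itself
            assertTextPresent("HTTP ERROR: 404");
        }
```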