Posted to users@tapestry.apache.org by Angelo Chen <an...@yahoo.com.hk> on 2009/10/03 12:26:04 UTC

Re: Projects and sites powered by Tapestry

Is there a fix for this? The assets got exposed, sometimes a list of
directories, but I don't know how to reproduce this; it just happened one time.


akochnev wrote:
> 
> Benny,
>    indeed that would be the case for a "traditional" web framework that
> serves web application assets (e.g. stylesheets, images, javascript) only
> from the publicly available directories (e.g. outside of WEB-INF). However,
> because of T5's component nature, if you deployed a component (e.g. as a
> jar in the web app) it might need to access assets from the classpath (e.g.
> from the component jar). Hence, currently there is a wide gaping security
> hole in a "stock" T5 application's Asset service, in that it can access any
> files on the classpath (e.g. property files, .tml source, etc). There is an
> issue filed for this, some improvements in T5.1, and a few decent solutions
> (as the posting above mentions), but the framework is still very
> vulnerable.
> 
> 
> Cheers,
> 
> Alex K
> 
> On Thu, Sep 10, 2009 at 8:56 AM, Benny Law <be...@gmail.com> wrote:
> 
>> Pardon me if I am mistaken, but shouldn't .class and .tml files be under
>> WEB-INF and hence inaccessible automatically?
>>
>> Benny
>>
>> On Thu, Sep 10, 2009 at 2:52 AM, martijn.list <martijn.list@gmail.com> wrote:
>>
>> > Angelo Chen wrote:
>> >
>> >> how to close access to ".class" and ".tml"?
>> >>
>> >>
>> >
>> > This has been posted to the list multiple times, so another time
>> > wouldn't hurt ;)
>> >
>> >
>> > I use the following code to whitelist some assets. Access to
>> > non-whitelisted assets is denied.
>> >
>> > Add to your application module:
>> >
>> >
>> > import java.io.IOException;
>> > import java.util.Arrays;
>> > import java.util.Collections;
>> > import java.util.HashSet;
>> > import java.util.Set;
>> >
>> > import javax.servlet.http.HttpServletRequest;
>> > import javax.servlet.http.HttpServletResponse;
>> >
>> > import org.apache.commons.io.FilenameUtils;
>> > import org.apache.commons.lang.StringUtils;
>> > import org.apache.tapestry5.ioc.OrderedConfiguration;
>> > import org.apache.tapestry5.ioc.annotations.Inject;
>> > import org.apache.tapestry5.ioc.annotations.Value;
>> > import org.apache.tapestry5.services.HttpServletRequestFilter;
>> > import org.apache.tapestry5.services.HttpServletRequestHandler;
>> > import org.slf4j.Logger;
>> > import org.slf4j.LoggerFactory;
>> >
>> > // Logger for the denied-access warnings below (slf4j, as used by Tapestry itself).
>> > private final Logger logger = LoggerFactory.getLogger(getClass());
>> >
>> > private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
>> >     "gif", "js", "css", "ico"};
>> >
>> > /*
>> >  * All the assets that are allowed to be downloaded using the assets
>> >  * service. Anything else under /assets is denied, including files
>> >  * without an extension and directory listings (their extension is "",
>> >  * which is not in the set).
>> >  */
>> > private static final Set<String> assetsWhitelist =
>> >     Collections.unmodifiableSet(
>> >         new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
>> >
>> > public void contributeHttpServletRequestHandler(
>> >     OrderedConfiguration<HttpServletRequestFilter> configuration,
>> >     @Inject @Value("${access-denied-page}") final String accessDeniedPage)
>> > {
>> >     /*
>> >      * Create a filter that will block access to some assets. The asset
>> >      * service allows access to some assets we do not want to expose. The
>> >      * asset service will show all files in the /assets/ directory and
>> >      * allows you (by default) to download some files which you do not
>> >      * want to expose.
>> >      */
>> >     HttpServletRequestFilter filter = new HttpServletRequestFilter()
>> >     {
>> >         public boolean service(HttpServletRequest request,
>> >             HttpServletResponse response, HttpServletRequestHandler handler)
>> >             throws IOException
>> >         {
>> >             String path = request.getServletPath();
>> >
>> >             // Extension of the last path segment, lower-cased; "" when
>> >             // there is none. Both helpers are null-safe.
>> >             String extension =
>> >                 StringUtils.lowerCase(FilenameUtils.getExtension(path));
>> >
>> >             if (path.startsWith("/assets") && !assetsWhitelist.contains(extension))
>> >             {
>> >                 logger.warn("access to asset " + path + " denied");
>> >
>> >                 response.sendRedirect(request.getContextPath() + "/" +
>> >                     accessDeniedPage);
>> >
>> >                 // true: the request has been handled, do not continue the chain
>> >                 return true;
>> >             }
>> >
>> >             return handler.service(request, response);
>> >         }
>> >     };
>> >
>> >     // Run before every other filter so nothing else sees the request first.
>> >     configuration.add("AssetProtectionFilter", filter, "before:*");
>> > }
>> >
>> >
>> >
>> >> Sergey Didenko wrote:
>> >>
>> >>> BTW, it's worth reminding again everyone who is going to publish their
>> >>> site URLs to close access to ".class" and ".tml" files.
>> >>>
>> >>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti <ml...@gmail.com>
>> >>> wrote:
>> >>>
>> >>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
>> >>>> Figueiredo<th...@gmail.com> wrote:
>> >>>>
>> >>>>> Hi!
>> >>>>>
>> >>>>> I guess this was already discussed some time ago, but I couldn't find
>> >>>>> it. :(
>> >>>>> Anyway, it's been a long time, so let's get it started again. ;)
>> >>>>>
>> >>>>> Tapestry is a wonderful framework, but it isn't the best known one
>> >>>>> around. Sometimes, managers ask us to provide some projects/sites/success
>> >>>>> stories/etc using it so they can be more confident about Tapestry.
>> >>>>> There's a Success Stories page in the wiki
>> >>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any
>> >>>>> edit since 2007-10-05.
>> >>>>>
>> >>>>> What about sharing your success stories with us, promoting Tapestry
>> >>>>> (especially T5)? If the project is a public website, please post the URL
>> >>>>> here. I think we should have a list of Tapestry-powered sites.
>> >>>>>
>> >>>>> Thanks in advance.
>> >>>>>
>> >>>> It would be great to have that page more up to date, but I remember
>> >>>> Howard asking for "private" user stories, and more than one has
>> >>>> replied to him even personally, so I guess it would make sense too to
>> >>>> have those stories online.
>> >>>> Do I remember correctly, Howard?
>> >>>>
>> >>>> --
>> >>>> Massimo
>> >>>> http://meridio.blogspot.com
>> >>>>
>> >>>>
>> >>>> ---------------------------------------------------------------------
>> >>>> To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
>> >>>> For additional commands, e-mail: users-help@tapestry.apache.org
>> >>>>
>> >>>>
>> >>>> 
>> >>>
>> >>>
>> >>>
>> >>>
>> >>
>> >
>> > --
>> > Djigzo open source email encryption
>> >
>> >
>> >
>>
> 
> 

-- 
View this message in context: http://www.nabble.com/Projects-and-sites-powered-by-Tapestry-tp25348447p25727490.html
Sent from the Tapestry - User mailing list archive at Nabble.com.


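The extension whitelist from the filter quoted above, as an added stand-alone example that is not part of this thread and not Tapestry's own code: a plain Java class (hypothetical name AssetAccessPolicy) that re-implements the FilenameUtils.getExtension rule itself so it needs neither Tapestry nor commons-io on the classpath, and evaluates a constructed list of probe paths of the kind that reached classpath resources through the stock asset service next to legitimate asset URLs. Running it shows which requests such a filter lets through, including the edge cases the check relies on: an upper-case extension is still allowed, while a directory request, a dotted directory name without a file extension, and classpath files such as .tml, .class and .properties are denied.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/**
 * Stand-alone model of the extension whitelist used by the filter quoted
 * in the thread (hypothetical class; not Tapestry's API). No Tapestry or
 * commons-io dependency, so the decision logic can be exercised on its own
 * before it is wired into an application module.
 */
public class AssetAccessPolicy {

    /** Same whitelist as the quoted filter; everything else under /assets is denied. */
    private static final Set<String> ALLOWED_EXTENSIONS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico")));

    private static final String ASSET_PREFIX = "/assets";

    /**
     * Extension of the last path segment, lower-cased; "" when that segment
     * has no dot. This covers directory requests ending in "/" and dotted
     * directory names such as /assets/v1.2/logo. Mirrors the behaviour of
     * commons-io FilenameUtils.getExtension (dot must follow the last slash).
     */
    static String extensionOf(String path) {
        int lastSlash = path.lastIndexOf('/');
        int lastDot = path.lastIndexOf('.');
        if (lastDot < 0 || lastDot < lastSlash) {
            return "";
        }
        return path.substring(lastDot + 1).toLowerCase(Locale.ROOT);
    }

    /**
     * Decision the filter would make for a servlet path. Requests outside
     * /assets are not the asset service's concern and pass through; under
     * /assets only whitelisted extensions are served.
     */
    static boolean isAllowed(String servletPath) {
        if (!servletPath.startsWith(ASSET_PREFIX)) {
            return true;
        }
        return ALLOWED_EXTENSIONS.contains(extensionOf(servletPath));
    }

    /** Evaluates each path and returns its decision, in input order. */
    static Map<String, Boolean> evaluate(String... paths) {
        Map<String, Boolean> decisions = new LinkedHashMap<String, Boolean>();
        for (String p : paths) {
            decisions.put(p, isAllowed(p));
        }
        return decisions;
    }

    public static void main(String[] args) {
        // Constructed probe paths (not taken from the thread): the kinds of
        // URL that exposed classpath resources, next to legitimate assets.
        Map<String, Boolean> decisions = evaluate(
                "/assets/app/pages/Index.tml",     // template source        -> DENY
                "/assets/app/pages/Index.class",   // compiled page class    -> DENY
                "/assets/app.properties",          // message catalog        -> DENY
                "/assets/META-INF/MANIFEST.MF",    // any other classpath file -> DENY
                "/assets/app/pages/",              // directory listing      -> DENY
                "/assets/tapestry/default.css",    // framework stylesheet   -> ALLOW
                "/assets/images/Logo.PNG",         // upper-case extension   -> ALLOW
                "/assets/v1.2/logo",               // dotted dir, no extension -> DENY
                "/index");                         // not an asset request   -> ALLOW
        for (Map.Entry<String, Boolean> e : decisions.entrySet()) {
            System.out.println((e.getValue() ? "ALLOW " : "DENY  ") + e.getKey());
        }
    }
}
```

Compile and run with `javac AssetAccessPolicy.java && java AssetAccessPolicy`. The check looks only at the last path segment, so it is the file extension of the resource actually requested that decides; a directory name containing a dot does not turn a listing request into an allowed one, and because the comparison is lower-cased, a legitimate image with an upper-case extension is not denied by accident.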