Posted to users@tapestry.apache.org by Paul Stanton <pa...@mapshed.com.au> on 2010/11/25 01:13:03 UTC
context asset servlet gives directory listing and access to WEB-INF
I've just noticed that one of my apps (T5.1.0.5) is allowing not only
directory listing via the "assets" servlet (I know it's not a servlet as
such) but also directory listing of, and access to files within, WEB-INF.
You can even download .class files.
It is a slightly non standard configuration in that there are a lot of
files under 'webapp' and that libraries are stored in WEB-INF/lib and
classes in WEB-INF/classes.
I decided to test the 'sites using tapestry' listed on the tapestry
homepage to see whether it is a general tapestry issue and although none
expose the internals of WEB-INF, some do provide directory listings:
http://www.cubiculus.com/
disallows dir listing completely
http://www.yanomo.com/
allows dir listing - http://www.yanomo.com/assets/0.9.9/ctx/
disallows WEB-INF access - http://www.yanomo.com/assets/0.9.9/ctx/WEB-INF/
http://recurtrack.com/
allows dir listing - http://recurtrack.com/assets/1.7/ctx/
disallows WEB-INF access - http://recurtrack.com/assets/1.7/ctx/WEB-INF/
So my question is, how do I turn off directory listings and how do I
stop access within WEB-INF and META-INF?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org
Re: context asset servlet gives directory listing and access to WEB-INF
Posted by Paul Stanton <pa...@mapshed.com.au>.
Thiago, I do want to make sure I disallow directory listings.
I agree there is potential for a bottleneck, so I have changed to:
    public boolean service(Request request, Response response,
                           RequestHandler handler) throws IOException
    {
        String path = request.getPath();
        String contextAssetPath = RequestConstants.ASSET_PATH_PREFIX +
                                  RequestConstants.CONTEXT_FOLDER;
        if (path.startsWith(contextAssetPath))
        {
            // fail() is a helper (not shown) that logs the attempt, sets
            // status 403 and returns true, as in the earlier version
            if (path.contains("WEB-INF") || path.contains("META-INF"))
                return fail(request, response);
            // basic test for a file with an extension - avoids creating a new File
            // (not fool proof but problems will be obvious in testing)
            String last = path.substring(path.length() - 5);
            if (!last.contains("."))
                return fail(request, response);
        }
        LOG.trace("allowed " + path);
        return handler.service(request, response);
    }
On 26/11/2010 8:03 AM, Thiago H. de Paula Figueiredo wrote:
> On Thu, 25 Nov 2010 18:24:39 -0200, Paul Stanton <pa...@mapshed.com.au>
> wrote:
>
>> Yes tested and it works.
>
> Yay! :)
>
>> I figured since I'm only executing the logic for things that start
>> with /asset/ctx/ the overhead shouldn't be noticeable, however on
>> second thought maybe this isn't a good idea?
>
> There's a possibility it creates a bottleneck, as you're going to the
> file system once before the request is handled normally or access is
> denied. Of course, it depends on the number of context assets you use,
> etc. If it's in the context and it isn't inside WEB-INF, it's probably
> meant to be public, so I wouldn't do this check in your scenario.
>
---------------------------------------------------------------------
Re: context asset servlet gives directory listing and access to WEB-INF
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Thu, 25 Nov 2010 18:24:39 -0200, Paul Stanton <pa...@mapshed.com.au>
wrote:
> Yes tested and it works.
Yay! :)
> I figured since I'm only executing the logic for things that start with
> /asset/ctx/ the overhead shouldn't be noticeable, however on second
> thought maybe this isn't a good idea?
There's a possibility it creates a bottleneck, as you're going to the file
system once before the request is handled normally or access is denied. Of
course, it depends on the number of context assets you use, etc. If it's
in the context and it isn't inside WEB-INF, it's probably meant to be
public, so I wouldn't do this check in your scenario.
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
Re: context asset servlet gives directory listing and access to WEB-INF
Posted by Paul Stanton <pa...@mapshed.com.au>.
Yes tested and it works.
I create the real file so I can disallow all directory listings.
I could do this by testing for the (non)existence of a file extension,
however that isn't technically cross-platform etc...
So I create the file to test whether it's a directory, and disallow if
it is. The 'exists' test is just there because I already have the File
object anyway.
I figured since I'm only executing the logic for things that start with
/asset/ctx/ the overhead shouldn't be noticeable, however on second
thought maybe this isn't a good idea?
what do you think?
p.
On 25/11/2010 10:36 PM, Thiago H. de Paula Figueiredo wrote:
> On Thu, 25 Nov 2010 00:03:03 -0200, Paul Stanton <pa...@mapshed.com.au>
> wrote:
>
>> Thanks Thiago,
>
> Hi!
>
> AFAIK you don't need to check for the real file. Just checking the URL
> is enough.
> Besides this, I think it is ok. Have you tested it already?
>
---------------------------------------------------------------------
Re: context asset servlet gives directory listing and access to WEB-INF
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Thu, 25 Nov 2010 00:03:03 -0200, Paul Stanton <pa...@mapshed.com.au>
wrote:
> Thanks Thiago,
Hi!
AFAIK you don't need to check for the real file. Just checking the URL is
enough.
Besides this, I think it is ok. Have you tested it already?
---------------------------------------------------------------------
Re: context asset servlet gives directory listing and access to WEB-INF
Posted by Paul Stanton <pa...@mapshed.com.au>.
Thanks Thiago,
I have added the following to my AppModule.
    public RequestFilter buildAccessFilter(final Context context)
    {
        return new RequestFilter()
        {
            @Override
            public boolean service(Request request, Response response,
                                   RequestHandler handler) throws IOException
            {
                String path = request.getPath();
                String contextAssetPath =
                    RequestConstants.ASSET_PATH_PREFIX + RequestConstants.CONTEXT_FOLDER;
                if (path.startsWith(contextAssetPath))
                {
                    if (path.contains("WEB-INF") ||
                        path.contains("META-INF"))
                    {
                        LOG.debug("attempted access to protected resource: " + path);
                        response.setStatus(403);
                        return true;
                    }
                    String realPath =
                        path.substring(contextAssetPath.length());
                    // remove version: realPath is "<version>/<file>", so drop everything
                    // up to its first '/' (indexOf must run on realPath, not on path,
                    // whose first '/' is at index 0 and would remove nothing)
                    int slash = realPath.indexOf('/');
                    realPath = slash < 0 ? "/" : realPath.substring(slash);
                    File file = context.getRealFile(realPath);
                    if (!file.exists() || file.isDirectory())
                    {
                        LOG.debug("attempted access to protected resource: " + path);
                        response.setStatus(403);
                        return true;
                    }
                }
                LOG.trace("allowed " + path);
                return handler.service(request, response);
            }
        };
    }

    public void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration,
                                         @InjectService("AccessFilter") RequestFilter filter)
    {
        configuration.add("AccessFilter", filter);
    }
On 25/11/2010 11:26 AM, Thiago H. de Paula Figueiredo wrote:
> On Wed, 24 Nov 2010 22:13:03 -0200, Paul Stanton <pa...@mapshed.com.au>
> wrote:
>
>> I've just noticed in one of my apps (T5.1.0.5) is allowing not only
>> directory listing via the "assets" servlet (i know it's not a servlet
>> as such) including access to directory listing and files within
>> WEB-INF. You can even download .class files.
>
> This is a known problem in 5.1.0.5 which, as far as I know, was fixed
> in 5.2. There are some solutions if you search the mailing list or
> JIRA. I use this in a project, inside a RequestFilter:
>
>
> String path = request.getPath();
>
> if (path.endsWith(RequestConstants.ASSET_PATH_PREFIX)) {
> response.setStatus(403);
> return true;
> }
> else if (path.startsWith(RequestConstants.ASSET_PATH_PREFIX)) {
>
> if (path.contains("WEB-INF") ||
> path.endsWith("hibernate.cfg.xml") || path.endsWith(".class") ||
> path.endsWith(".tml") || path.endsWith("salt.properties") ||
> path.contains("META-INF")) {
> response.setStatus(403);
> return true;
> }
>
> return false;
>
> }
>
---------------------------------------------------------------------
Re: context asset servlet gives directory listing and access to WEB-INF
Posted by "Thiago H. de Paula Figueiredo" <th...@gmail.com>.
On Wed, 24 Nov 2010 22:13:03 -0200, Paul Stanton <pa...@mapshed.com.au>
wrote:
> I've just noticed in one of my apps (T5.1.0.5) is allowing not only
> directory listing via the "assets" servlet (i know it's not a servlet as
> such) including access to directory listing and files within WEB-INF.
> You can even download .class files.
This is a known problem in 5.1.0.5 which, as far as I know, was fixed in
5.2. There are some solutions if you search the mailing list or JIRA. I
use this in a project, inside a RequestFilter:
    String path = request.getPath();
    if (path.endsWith(RequestConstants.ASSET_PATH_PREFIX)) {
        response.setStatus(403);
        return true;
    }
    else if (path.startsWith(RequestConstants.ASSET_PATH_PREFIX)) {
        if (path.contains("WEB-INF") || path.endsWith("hibernate.cfg.xml") ||
            path.endsWith(".class") || path.endsWith(".tml") ||
            path.endsWith("salt.properties") || path.contains("META-INF")) {
            response.setStatus(403);
            return true;
        }
        return false;
    }
---------------------------------------------------------------------
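A filter that combines Thiago's advice (decide from the URL alone, no File object per request) with the version stripping and directory check from Paul's revised filter, as an added example that is not code from this thread or from Tapestry itself. It assumes Tapestry 5.1's package layout for the imports (RequestConstants under org.apache.tapestry5.internal.services) and 5.1's context asset URL shape /assets/ctx/<version>/<path>; the class name and the isForbidden helper are mine.

```java
import java.io.IOException;
import java.util.Locale;
import org.apache.tapestry5.internal.services.RequestConstants;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

/** Added example: URL-only access policy for Tapestry 5.1 context assets. */
public final class ContextAssetAccessFilter implements RequestFilter {

    // "/assets/ctx/" in 5.1, where context asset URLs are /assets/ctx/<version>/<path>
    private static final String CONTEXT_ASSET_PATH =
            RequestConstants.ASSET_PATH_PREFIX + RequestConstants.CONTEXT_FOLDER;

    /** True when the request must be refused; decided from the path alone, no file system probe. */
    static boolean isForbidden(String path) {
        if (!path.startsWith(CONTEXT_ASSET_PATH)) return false;    // not a context asset: leave it alone
        String rest = path.substring(CONTEXT_ASSET_PATH.length());  // "<version>/images/logo.png"
        int slash = rest.indexOf('/');
        if (slash < 0) return true;                                  // "/assets/ctx/1.0": a listing request
        String realPath = rest.substring(slash + 1);                 // "images/logo.png"
        String[] segments = realPath.split("/", -1);
        for (String segment : segments) {
            // Match per segment and case-insensitively: on a case-insensitive file system
            // "web-inf/web.xml" resolves to WEB-INF, and dot segments must never reach the context
            String s = segment.toLowerCase(Locale.ROOT);
            if (s.equals("web-inf") || s.equals("meta-inf") || s.equals("..") || s.equals(".")) {
                return true;
            }
        }
        // Refuse anything that looks like a directory: a trailing "/" or a last segment with no
        // extension. This is the URL-only stand-in for Paul's file.isDirectory() check, so it
        // also refuses extension-less files such as "README"; rename those if you need them served.
        String last = segments[segments.length - 1];
        return last.isEmpty() || last.indexOf('.') < 0;
    }

    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        if (isForbidden(request.getPath())) {
            response.setStatus(403);
            return true;   // handled here; nothing further in the pipeline runs
        }
        return handler.service(request, response);
    }
}
```

Register it from AppModule with contributeRequestHandler exactly as Paul's message shows. Because the decision never touches the file system, a listing-shaped path is refused whether or not the directory exists, and the cost per request is a few string operations.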