You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org> on 2009/08/15 14:34:14 UTC
[jira] Commented: (TAP5-815) Asset dispatcher allows any file
inside the webapp visible and downloadable
[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12743694#action_12743694 ]
Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------
The problem seems to be in this snippet at AssetResourceLocatorImpl:
if (path.startsWith(applicationAssetPrefix))
return findContextResource(path.substring(applicationAssetPrefix.length()));
String resourcePath = aliasManager.toResourcePath(path);
Resource resource = new ClasspathResource(resourcePath);
if (!resourceCache.requiresDigest(resource)) return resource;
The digest is never taken when the resource path starts with the application asset prefix, which is exatcly the path prefix used in this bug.
> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
> Key: TAP5-815
> URL: https://issues.apache.org/jira/browse/TAP5-815
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.1.0.5
> Reporter: Thiago H. de Paula Figueiredo
> Priority: Blocker
>
> Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.