You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tapestry.apache.org by "Ulrich Stärk (JIRA)" <ji...@apache.org> on 2010/01/13 10:32:55 UTC
[jira] Commented: (TAP5-815) Asset dispatcher allows any file
inside the webapp visible and downloadable
[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799666#action_12799666 ]
Ulrich Stärk commented on TAP5-815:
-----------------------------------
It seems we still don't got it right 100%. In order for common context assets like images, css and js to be available, the user has to set SymbolConstants.CONTEXT_ASSETS_AVAILABLE to true OR contribute to the regex authorizer. Since everyone will want common assets to be available and set it to true (because it's the easiest thing to do), this is useless and just represents an additional burden to the user.
> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
> Key: TAP5-815
> URL: https://issues.apache.org/jira/browse/TAP5-815
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.1.0.5
> Reporter: Thiago H. de Paula Figueiredo
> Assignee: Robert Zeigler
> Priority: Blocker
> Fix For: 5.2.0, 5.1.0.6, 5.1.0.7, 5.0.19
>
>
> Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.