Posted to dev@tapestry.apache.org by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org> on 2009/08/15 14:22:14 UTC

[jira] Created: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Asset dispatcher allows any file inside the webapp visible and downloadable
---------------------------------------------------------------------------

                 Key: TAP5-815
                 URL: https://issues.apache.org/jira/browse/TAP5-815
             Project: Tapestry 5
          Issue Type: Bug
    Affects Versions: 5.1.0.5
            Reporter: Thiago H. de Paula Figueiredo
            Priority: Blocker


Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Re: [jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by Massimo Lusetti <ml...@gmail.com>.
On Fri, Dec 11, 2009 at 1:27 AM, Andreas Andreou <an...@di.uoa.gr> wrote:

> great to see this closed!
>
> afaik, there's no other 'promised' pending issue for 5.0.19, right?
> If that's true and everyone agrees, we can go on with that release first!

That would be great!

-- 
Massimo
http://meridio.blogspot.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org


Re: [jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by Robert Zeigler <ro...@scazdl.org>.
5.0.19 should be fine.
Turns out, there are still some tweaks needed for 5.1.0.6 and 5.2.0, but those are all related to the proper protection of WEB-INF and META-INF along with the proper opening (by default) of the remaining static context assets. 5.0.19 doesn't serve context assets through AssetDispatcher, so it doesn't have these same issues.

Robert



Re: [jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by Andreas Andreou <an...@di.uoa.gr>.
great to see this closed!

afaik, there's no other 'promised' pending issue for 5.0.19, right?
If that's true and everyone agrees, we can go on with that release first!

On Fri, Dec 11, 2009 at 1:50 AM, Robert Zeigler (JIRA) <ji...@apache.org> wrote:
>
>     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>
> Robert Zeigler closed TAP5-815.
> -------------------------------
>
>       Resolution: Fixed
>    Fix Version/s: 5.0.19
>                   5.1.0.6
>                   5.2.0



-- 
Andreas Andreou - andyhot@apache.org - http://blog.andyhot.gr
Tapestry / Tacos developer
Open Source / JEE Consulting



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Alex Kotchnev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773653#action_12773653 ] 

Alex Kotchnev commented on TAP5-815:
------------------------------------

I'm totally blown away by the lack of interest this issue has received. In my opinion, this is the type of issue that FORCES a point release, it is that severe and important. There are several existing solutions that can easily be plugged into the framework, yet no action. 

To my dismay, this has been open since Aug, and the issue has been known for 5.0 for a lot longer than that. 



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747826#action_12747826 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

In 5.2-SNAPSHOT you can still access files located on the classpath or in the webapp context, except for .class and .tml files in the classpath (due to ResourceDigestGenerator). .tml files in the context are still accessible. There is no directory listing though. So this also partly applies to the current development tree.

The problem here is that Tapestry is using a blacklisting approach: It allows all access unless otherwise specified, for example by contributing to the ResourceDigestGenerator. This principle is insecure by design. Instead, Tapestry should do whitelisting, i.e. only allow access to explicitly allowed resources. Since Tapestry already knows about all the Assets required by a page or component (by looking at the @Path, @IncludeJavaScriptLibrary and @IncludeStylesheet annotations and the context: and asset: binding prefixes), such a whitelisting approach could be realized: Just allow access to Assets really required by pages or components.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774014#action_12774014 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

My thought was to backport the change into the 5.0.x branch and add a security-update release.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Geoff Callender (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12790626#action_12790626 ] 

Geoff Callender commented on TAP5-815:
--------------------------------------

Good stuff, Robert.



[jira] Reopened: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler reopened TAP5-815:
---------------------------------




[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748050#action_12748050 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Ulrich, "Just allow access to Assets really required by pages or components" is easier said than done.  The assets required by a page are not known until the first time a page is requested and the corresponding page model is built.  Which means that it's difficult, at best, for an IOC module to access this information at service instantiation time; it will be instantiated when the first request comes in, /before/ the corresponding page is even loaded (due to dispatcher ordering), and that's on the first request, for a single page, before any other pages are loaded.  Any sort of asset authorization service that wanted to auto-enable required assets would need to have some sort of "addVisibleResource" method that is called whenever an asset is encountered/created during render.  I would advocate instead a whitelist approach where allowed files/file patterns are contributed via ioc contributions.  This would simplify things significantly.

As for assets used only by components, pages, and mixins, that's also a bit tricky, since it's possible for someone to write an alternative asset source that's used, eg, for file downloads (ie, not necessarily directly referenced by a page/component/mixin). 

Incidentally, a long while ago, I implemented and made available for public use an "AssetProtectionDispatcher" that is configured essentially via chain of command as specified by Thiago above, with slight variation (a bit more flexible; individual contributions specify whether they explicitly allow or deny access).  The module further provides two "AssetPathAuthorizer" implementations: one for explicit whitelisting by resource name, and the other for whitelisting by url pattern, with the whitelist being the last in the chain of command.  The module contributes a default set of values to the whitelist (everything used by tapestry's core components), but you'll need to add explicit access to other resources (eg: contributing a .*\.jpg to the RegexAuthorizer). 

Maven repo:
http://maven.saiwai-solutions.com
groupid: com.saiwaisolutions
artifactid: AssetProtectionDispatcher
version: 1.0.0

Alternatively, an older version is available on Tassel:
http://saiwai-solutions.com/Tassel/app?service=external/ViewComponent&sp=SAssetProtectionDispatcher

Version 1.0.0 also adds some default configurations to handle chenillekit-based assets.
Cheers!



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799781#action_12799781 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

To 1): You are right. That stupid m2eclipse was using a snapshot from december instead of updating it to the most recent and I had workspace resolution turned off.
To 2): But most will.
To 3): Acknowledged. That's a good thing.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "David Rees (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774000#action_12774000 ] 

David Rees commented on TAP5-815:
---------------------------------

FWIW, Robert's plugin appears to be working for us so far in our T5.1.0.5 application, and I agree with its approach.

But what about legacy T5.0.18 apps?  We don't always have the ability of performing major updates to those apps (to upgrade to T5.1) in a timely manner...



[jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko closed TAP5-815.
-------------------------------




[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773897#action_12773897 ] 

Igor Drobiazko commented on TAP5-815:
-------------------------------------

So you prefer the ResourceDigestGenerator solution described by Ulrich? What about your concerns in TAP5-896? No more concerns?

As Ulrich suggested, creating a digest for context assets seems to be OK.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12789621#action_12789621 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Tricky devil.

There are still some issues in the 5.1 branch and trunk related to context asset handling and protecting vs. opening the correct set of assets.  Reopening for now.



[jira] Issue Comment Edited: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776968#action_12776968 ] 

Ulrich Stärk edited comment on TAP5-815 at 11/12/09 12:30 PM:
--------------------------------------------------------------

There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

with @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion

Otherwise access to css,js,jpg and all the other stuff coming from the individual application is denied by default. I know the docs say exactly so but I think allowing some standard stuff from out of the box is OK. People might just spend too much time figuring out why some standard things like css files, javascripts and pictures are blocked.

Uli

      was (Author: ulrich.staerk):
    There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

Otherwise access to css,js,jpg and all the other stuff coming from the individual application is denied by default. I know the docs say exactly so but I think allowing some standard stuff from out of the box is OK. People might just spend too much time figuring out why some standard things like css files, javascripts and pictures are blocked.

Uli
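The chain-of-command whitelist Robert describes in his comment on this issue, combined with the ctx/<appVersion>/ pattern from Ulrich's RegexAuthorizer contribution above, as an added example in plain Java; it is neither Tapestry's code nor the AssetProtectionDispatcher module itself. It assumes the authorizer sees the path after the /assets/ prefix and that the context folder is "ctx/"; the Vote and AssetPathAuthorizer types, the whitelisted names and the sample request paths are hypothetical.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Added example: whitelist asset authorization as a chain of command. The types here are
 * hypothetical, not Tapestry's or the AssetProtectionDispatcher module's API. Each link votes
 * ALLOW, DENY or ABSTAIN; the first non-abstaining vote wins and, if every link abstains, the
 * request is denied. Paths are assumed to be the part after the /assets/ prefix.
 */
public class AssetWhitelistDemo {

    public enum Vote { ALLOW, DENY, ABSTAIN }

    public interface AssetPathAuthorizer {
        Vote authorize(String assetPath);
    }

    /** First link: an explicit deny that no later whitelist can override. */
    public static final class ProtectedFolderDenier implements AssetPathAuthorizer {
        public Vote authorize(String assetPath) {
            String upper = assetPath.toUpperCase();
            boolean protectedFolder = upper.contains("WEB-INF") || upper.contains("META-INF");
            return protectedFolder || assetPath.contains("..") ? Vote.DENY : Vote.ABSTAIN;
        }
    }

    /** Whitelist by exact resource name. */
    public static final class NameAuthorizer implements AssetPathAuthorizer {
        private final Set<String> allowed;
        public NameAuthorizer(Collection<String> allowed) {
            this.allowed = new HashSet<String>(allowed);
        }
        public Vote authorize(String assetPath) {
            return allowed.contains(assetPath) ? Vote.ALLOW : Vote.ABSTAIN;
        }
    }

    /** Whitelist by URL pattern; the regex must match the whole path, not just a prefix. */
    public static final class RegexAuthorizer implements AssetPathAuthorizer {
        private final List<Pattern> patterns = new ArrayList<Pattern>();
        public RegexAuthorizer(Collection<String> regexes) {
            for (String regex : regexes) {
                patterns.add(Pattern.compile(regex));
            }
        }
        public Vote authorize(String assetPath) {
            for (Pattern pattern : patterns) {
                if (pattern.matcher(assetPath).matches()) {
                    return Vote.ALLOW;
                }
            }
            return Vote.ABSTAIN;
        }
    }

    private final List<AssetPathAuthorizer> chain;
    public AssetWhitelistDemo(List<AssetPathAuthorizer> chain) {
        this.chain = chain;
    }

    /** True only when some link explicitly allows the path and no earlier link denied it. */
    public boolean accessAllowed(String assetPath) {
        for (AssetPathAuthorizer authorizer : chain) {
            Vote vote = authorizer.authorize(assetPath);
            if (vote != Vote.ABSTAIN) {
                return vote == Vote.ALLOW;
            }
        }
        return false; // nothing matched: deny by default
    }

    /** The chain, with a context-asset pattern in the shape of Ulrich's RegexAuthorizer contribution. */
    public static AssetWhitelistDemo build(String appVersion) {
        // Like RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern, but the version is
        // quoted so that "1.0.2" is matched literally rather than "." matching any character.
        String contextPattern = "ctx/" + Pattern.quote(appVersion) + "/[^/]+(/[^/]+)*\\.(css|js|jpe?g|png|gif)";
        return new AssetWhitelistDemo(Arrays.<AssetPathAuthorizer>asList(
                new ProtectedFolderDenier(),
                new NameAuthorizer(Arrays.asList("org/apache/tapestry5/tapestry.js")), // constructed name
                new RegexAuthorizer(Arrays.asList(contextPattern))));
    }

    public static void main(String[] args) {
        AssetWhitelistDemo auth = build("1.0.2"); // stands in for @Symbol(SymbolConstants.APPLICATION_VERSION)
        String[] samples = { // constructed request paths
                "ctx/1.0.2/css/main.css",           // ALLOW: matches the context pattern
                "ctx/1.0.2/",                       // DENY: the directory listing from the report
                "ctx/1.0.2/WEB-INF/web.xml",        // DENY: protected folder
                "ctx/1.0.2/WEB-INF/x.css",          // DENY: the denier runs before the regex whitelist
                "ctx/1.0.2/pages/Index.tml",        // DENY: .tml is not whitelisted
                "org/apache/tapestry5/tapestry.js" }; // ALLOW: explicit name whitelist
        for (String path : samples) {
            System.out.println((auth.accessAllowed(path) ? "ALLOW " : "DENY  ") + path);
        }
    }
}
```

Wiring this into Tapestry would mean a Dispatcher contributed before AssetDispatcher that calls accessAllowed on the path after the /assets/ prefix and sends a 404 when it returns false; that wiring is left out here.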
  


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Jochen Kemnade (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802141#action_12802141 ] 

Jochen Kemnade commented on TAP5-815:
-------------------------------------

In the current solution (as of 5.1.0.7) there is still a problem with two of the datefield component's image assets, whose basenames contain periods. I created a new issue for that (TAP5-989).



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Alex Kotchnev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774018#action_12774018 ] 

Alex Kotchnev commented on TAP5-815:
------------------------------------

If I recall correctly, the AssetDispatcher worked fine in 5.0.x (excluding a blackbird issue that I think was fixed in Asset Dispatcher 1.0). 


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12743694#action_12743694 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

The problem seems to be in this snippet at AssetResourceLocatorImpl:

        if (path.startsWith(applicationAssetPrefix))
            return findContextResource(path.substring(applicationAssetPrefix.length()));

        String resourcePath = aliasManager.toResourcePath(path);

        Resource resource = new ClasspathResource(resourcePath);

        if (!resourceCache.requiresDigest(resource)) return resource;

The digest is never taken when the resource path starts with the application asset prefix, which is exactly the path prefix used in this bug.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Geoff Callender (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12790626#action_12790626 ] 

Geoff Callender commented on TAP5-815:
--------------------------------------

Good stuff, Robert.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773954#action_12773954 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

If the consensus is to incorporate the AssetProtectionDispatcher + whitelist contributions from the module I wrote, then I'm happy to donate that code to the tapestry project. If I don't hear any nays before then, I'll integrate it this weekend.


[jira] Updated: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko updated TAP5-815:
--------------------------------

    Fix Version/s: 5.1.0.7


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12790116#action_12790116 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Geoff:

1) Yes.
2) yes.
3) yes.




[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776958#action_12776958 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

Don't close it yet. I just created a project from the archetype and somehow the css file containing the layout can't be accessed although css is added to the whitelist by default. I'm investigating.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "David Rees (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773640#action_12773640 ] 

David Rees commented on TAP5-815:
---------------------------------

This affects 5.0.18 as well - and the issue has been open for quite some time. Is 5.0 maintained at all for security-related issues? What about 5.1?


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773900#action_12773900 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

I don't think Robert's solution wouldn't make anything available because it's whitelist-based. Or did I miss something?


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774051#action_12774051 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

oh, right. makes more sense... :)


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773838#action_12773838 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

I guess we could, but having another mechanism for securing assets (in addition to ResourceDigestGenerator) adds another layer of complexity. So if we integrated that into Tapestry - and we definitely have to integrate something as important as this - we should get rid of ResourceDigestGenerator.
Alternatively we could use ResourceDigestGenerator to also secure context assets and integrate Christian's code snippet to prevent directory listings, but I prefer Robert's solution since it is much more flexible.
His code is missing any licensing terms though, so I don't know whether we can just integrate it.

Uli


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774046#action_12774046 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Pretty sure Alex was referring to the functionality of my AssetProtectionDispatcher with 5.0.18.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747889#action_12747889 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

Accessing a Tapestry-managed asset from a non-Tapestry source like a static html file should be avoided IMO. Such assets should be stored in the webapp context and can then be handled by the container and not by Tapestry.


[jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler closed TAP5-815.
-------------------------------

       Resolution: Fixed
    Fix Version/s: 5.0.19
                   5.1.0.6
                   5.2.0


[jira] Assigned: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler reassigned TAP5-815:
-----------------------------------

    Assignee: Robert Zeigler


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Köberl (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774227#action_12774227 ] 

Christian Köberl commented on TAP5-815:
---------------------------------------

I just "hacked" our application and found an even more concerning thing - if you add a "/" to your URL you can even look at assets with extensions contributed to ResourceDigestGenerator (default: tml, class).

We use this mechanism to hide assets like xml, properties, ...

This requires a digest:
http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml

This works:
http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml/
http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.class/

Could any committer please add this to AssetDispatcher line 65 (in 5.1.0.5):
if(path.endsWith("/") || path.indexOf('.') < 0)
    return false; 

And then create 5.0.19 and 5.1.0.6.

I know this will not fix everything but at least not all Tapestry apps out there are open as a book.

Thanks,
Chris


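Added example, not code from Tapestry or from any participant in this thread: a hypothetical AssetPathPolicy.isAllowed check that combines the two points raised above, Thiago's observation that the digest must never be skipped for paths under the application asset prefix and Christian Köberl's rule that a path ending in "/" or lacking an extension is never a servable asset, with the extension whitelist approach Robert and Alex describe. The class and method names, the whitelist contents and the sample paths are assumptions (the ".." segment check is a general hardening rule the thread does not discuss).

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Hypothetical whitelist policy for asset request paths (illustration only;
 * not Tapestry's AssetDispatcher nor the AssetProtectionDispatcher module).
 */
public final class AssetPathPolicy {

    /** Extensions served without a digest (constructed sample whitelist). */
    private static final Set<String> WHITELIST =
            new HashSet<>(Arrays.asList("css", "js", "jpg", "png", "gif"));

    /** Extensions the thread says ResourceDigestGenerator protects by default. */
    private static final Set<String> DIGEST_ONLY =
            new HashSet<>(Arrays.asList("tml", "class"));

    /** Container directories that must never be reachable through the asset handler. */
    private static final Set<String> FORBIDDEN_DIRS =
            new HashSet<>(Arrays.asList("WEB-INF", "META-INF"));

    private AssetPathPolicy() {}

    /**
     * Returns true only if the path names a single file whose extension is
     * whitelisted. A trailing "/" (the directory request behind both the
     * listing and the "BadTemplate.tml/" bypass), a missing extension, a
     * digest-only extension, or a protected directory segment is rejected.
     */
    public static boolean isAllowed(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        // A trailing slash means a directory, never an individual asset.
        if (path.endsWith("/")) {
            return false;
        }
        String[] segments = path.split("/");
        for (String segment : segments) {
            // General hardening: no traversal, no container directories.
            if (segment.equals("..") || FORBIDDEN_DIRS.contains(segment)) {
                return false;
            }
        }
        String fileName = segments[segments.length - 1];
        int dot = fileName.lastIndexOf('.');
        // No extension, a bare dot-file, or a trailing dot is not a servable asset.
        if (dot <= 0 || dot == fileName.length() - 1) {
            return false;
        }
        String ext = fileName.substring(dot + 1).toLowerCase(Locale.ROOT);
        // Digest-protected extensions are never served by the whitelist path,
        // so the digest check cannot be skipped by arriving here.
        if (DIGEST_ONLY.contains(ext)) {
            return false;
        }
        return WHITELIST.contains(ext);
    }

    public static void main(String[] args) {
        // Constructed sample paths, modelled on the URLs quoted in the issue.
        String[] samples = {
            "/assets/ctx/f10407a6c1753e39/css/main.css",                   // ALLOW
            "/assets/ctx/f10407a6c1753e39/",                               // DENY: directory
            "/assets/ctx/f10407a6c1753e39/WEB-INF/web.xml",                // DENY: protected dir
            "/assets/ctx/f10407a6c1753e39/../WEB-INF/web.xml",             // DENY: traversal
            "/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml",  // DENY: digest-only
            "/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml/", // DENY: slash bypass
            "/assets/ctx/f10407a6c1753e39/config.properties",              // DENY: not whitelisted
        };
        for (String p : samples) {
            System.out.println((isAllowed(p) ? "ALLOW " : "DENY  ") + p);
        }
    }
}
```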

[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Alex Kotchnev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773923#action_12773923 ] 

Alex Kotchnev commented on TAP5-815:
------------------------------------

It seems to me that integrating Robert's AssetProtectionDispatcher as the default in the framework, together w/ an entry in the main docs explaining the types of assets that are "open" by default (e.g. maybe opening up *.css, *.js, *.jpg) would do it for most uses. There certainly seem to be more "advanced" solutions with the framework automatically whitelisting anything referenced as an Asset, but it seems the complexity would slow down releasing something ASAP. 




[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773830#action_12773830 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

well it's just half as popular as TAP-138 :)
i think if anyone contributes a framework-ready solution, some committer will do a security release.



[jira] Issue Comment Edited: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776968#action_12776968 ] 

Ulrich Stärk edited comment on TAP5-815 at 11/12/09 12:30 PM:
--------------------------------------------------------------

There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

with @Symbol(SymbolConstants.APPLICATION_VERSION) String appVersion

Otherwise access to css, js, jpg and all the other stuff coming from the individual application is denied by default. I know the docs say exactly so but I think allowing some standard stuff out of the box is OK. People might just spend too much time figuring out why some standard things like css files, javascripts and pictures are blocked.

Uli

      was (Author: ulrich.staerk):
    There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

Otherwise access to css,js,jpg and all the other stuff coming from the individual application is denied by default. I know the docs say exactly so but I think allowing some standard stuff from out of the box is OK. People might just spend too much time figuring out why some standard things like css files, javascripts and pictures are blocked.

Uli
  


[jira] Resolved: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler resolved TAP5-815.
---------------------------------

    Resolution: Fixed

Fixed for real this time. META-INF and WEB-INF protected, .tml files protected, other context assets available, non-whitelisted classpath assets protected.


> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>             Fix For: 5.2.0, 5.1.0.6, 5.0.19
>
>
> Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773833#action_12773833 ] 

Igor Drobiazko commented on TAP5-815:
-------------------------------------

Can we live with Robert's solution? Please comment. 



[jira] Issue Comment Edited: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773954#action_12773954 ] 

Robert Zeigler edited comment on TAP5-815 at 11/5/09 3:58 PM:
--------------------------------------------------------------

If the consensus is to incorporate the AssetProtectionDispatcher + whitelist contributions from the module I wrote, then I'm happy to donate that code to the tapestry project. If I don't hear any nays before then, I'll integrate it this weekend.

      was (Author: ongakugainochi):
    If the consensus is to incorporate the AssetProtectionDispatcher + whitelist contributions from the module I wrote, then I'm happy to donate that code to the tapestry project. If I don't here any nays before then, I'll integrate it this weekend.
  


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775085#action_12775085 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Hey Chris,

I just committed the AssetProtectionDispatcher stuff (to 5.0 and 5.1 branches and to trunk).  That should solve your issue, but if you want to double check that, it would be great.
Leaving this issue open for the time being to give people a chance to review.  I'll close it tonight or tomorrow if I don't hear anything more.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773907#action_12773907 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I'm sorry. I was talking about Christian Köberl's solution, not Robert's. In fact, I completely agree with Robert's approach. That's exactly what I would do. It's the approach I use in my Tapestry Access Logger package to define which URLs are logged and which aren't.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773893#action_12773893 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I don't think Robert's solution is enough, as attackers can still guess some file locations (hibernate.cfg.xml and web.xml, for example) even without the directory listing. I think a viable solution would be the one I proposed in the first comment.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773838#action_12773838 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

I guess we could, but having another mechanism for securing assets (in addition to ResourceDigestGenerator) adds another layer of complexity. So if we integrated that into Tapestry - and we definitely have to integrate something as important as this - we should get rid of ResourceDigestGenerator.
Alternatively we could use ResourceDigestGenerator to also secure context assets and integrate Christian's code snippet to prevent directory listings, but I prefer Robert's solution since it is much more flexible.
His code is missing any licensing terms though, so I don't know whether we can just integrate it.

Uli



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747826#action_12747826 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

In 5.2-SNAPSHOT you can still access files located on the classpath or in the webapp context, except for .class and .tml files in the classpath (due to ResourceDigestGenerator). .tml files in the context are still accessible. There is no directory listing though. So this also partly applies to the current development tree.

The problem here is that Tapestry is using a blacklisting approach: It allows all access unless otherwise specified, for example by contributing to the ResourceDigestGenerator. This principle is insecure by design. Instead Tapestry should do whitelisting, i.e. only allow access to explicitly allowed resources. Since Tapestry already knows about all the Assets required by a page or component (by looking at the @Path, @IncludeJavaScriptLibrary and @IncludeStylesheet annotations and the context: and asset: binding prefixes), such a whitelisting approach could be realized: Just allow access to Assets really required by pages or components.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773900#action_12773900 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

I don't think Robert's solution would make anything available because it's whitelist-based. Or did I miss something?



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747886#action_12747886 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich that a whitelist approach is probably the best one, but allowing only access to assets used in pages is too restrictive IMHO. It would make working with anything that isn't a Tapestry page a hassle. I would suggest to have a chain of command, each object in it receiving the requested URL and responding true (ok), false (file is forbidden) or null (this object doesn't handle this URL, ask the same thing to the next object). This chain of command's terminator would be a very restrictive one.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773906#action_12773906 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

No you didn't. Robert's solution includes a whitelist approach. It should protect anything that's not explicitly allowed, including xml files such as those mentioned by Thiago.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774046#action_12774046 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Pretty sure Alex was referring to the functionality of my AssetProtectionDispatcher within 5.0.18.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.


[jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Drobiazko closed TAP5-815.
-------------------------------


> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>             Fix For: 5.2.0, 5.1.0.6, 5.0.19
>
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773833#action_12773833 ] 

Igor Drobiazko commented on TAP5-815:
-------------------------------------

Can we live with Robert's solution? Please comment. 


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Igor Drobiazko (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773897#action_12773897 ] 

Igor Drobiazko commented on TAP5-815:
-------------------------------------

So you prefer the ResourceDigestGenerator solution described by Ulrich? What about your concerns in TAP5-896? No more concerns?

As Ulrich suggested, creating a digest for context assets seems to be ok.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12789621#action_12789621 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Tricky devil.

There are still some issues in the 5.1 branch and trunk related to context asset handling and protecting vs. opening the correct set of assets.  Reopening for now.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Geoff Callender (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785188#action_12785188 ] 

Geoff Callender commented on TAP5-815:
--------------------------------------

Hey Robert,

I haven't had a chance to review the AssetProtectionDispatcher, but can you confirm its default setup matches the following bits of the servlet spec? I think the servlet spec describes the behaviour that developers would reasonably expect, regardless of the fact that T5 doesn't use servlets.

1. ALWAYS deny clients access to WEB-INF: 

"any requests from the client to access the resources in WEB-INF/ directory must be returned with a SC_NOT_FOUND(404) response." (Servlet Spec 2.4 section 9.5)

2. ALWAYS deny clients access to META-INF: 

"any requests to access the resources in META-INF directory must be returned with a SC_NOT_FOUND(404) response." (Servlet spec 2.4 section 9.6)

3. By default, allow access to static resources: 

"Web containers are required to support access to web resources by clients that have not authenticated themselves to the container. This is the common mode of access to web resources on the Internet." (Servlet Spec 2.4 section 12.7)

If resources such as .tml files need to be hidden then either move them into WEB-INF/classes (which I'd argue is where they belong anyway as they are a non-configurable part of the app) or blacklist them.

As for displaying index pages as the client traverses the resources, I think we're all agreed it's wrong.

Geoff


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Jochen Kemnade (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12802141#action_12802141 ] 

Jochen Kemnade commented on TAP5-815:
-------------------------------------

In the current solution (as of 5.1.0.7) there is still a problem with two of the datefield component's image assets, whose basenames contain periods. I created a new issue for that (TAP5-989).

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>             Fix For: 5.2.0, 5.1.0.6, 5.1.0.7, 5.0.19
>
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799751#action_12799751 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Not quite true, on three accounts,
1) Users don't have to make any contributions... at least, they shouldn't.  See TapestryModule line 2398 in trunk (2091 in 5.1 branch).  We contribute the symbol as "true" to factory defaults.
2) It's not true that "everyone" will want common assets to be available. :)
3) It's no longer just "common" context assets that are available by default.  In the /context/, the availability should be following the servlet spec, as per Geoff Callender's 03/Dec/09 comment.

Cheers.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774051#action_12774051 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

oh, right. makes more sense... :)


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774042#action_12774042 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

@Alex: the issue definitely affects 5.0.18, too! I pointed this out in a discussion on the mailing list. Just have a look into the second post in the thread:

http://old.nabble.com/Running-Tapestry-5.0.18-on-Google-App-Engine-ts25133064s302.html


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776968#action_12776968 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

Otherwise access to css, js, jpg and all the other stuff coming from the individual application is denied by default. I know the docs say exactly so, but I think allowing some standard stuff out of the box is OK. People might just spend too much time figuring out why some standard things like css files, javascripts and pictures are blocked.

Uli

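
An added example (not code from Tapestry or from anyone on this thread) that puts the three ideas in the issue into one small path authorizer: Geoff's servlet-spec rule that WEB-INF and META-INF are never served, Ulrich's whitelist of a `pathPattern` under the versioned context folder, and the chain of command Thiago proposed where each link answers allow, deny or "not mine, ask the next one" and the terminator denies. The `/assets/ctx/<appVersion>/` prefix is taken from the URL in the bug report; the extension list, the `normalize` step and all sample paths are constructed for the example. The folder segments use `[^/]+` rather than `[^/.]+`, which is what lets a basename with embedded periods (the datefield images Jochen mentions) through.

```python
import re
from typing import Callable, List, Optional

# One link of the chain: sees a normalized request path and answers
# True (serve it), False (refuse it) or None (no opinion, ask the next link).
Authorizer = Callable[[str], Optional[bool]]

# Constructed from the URL quoted in the report: /assets/ctx/<appVersion>/...
CONTEXT_FOLDER = "/assets/ctx/"


def normalize(path: str) -> Optional[str]:
    """Resolve '.' and '..' segments before any rule looks at the path.

    Returns None when the path is not absolute or climbs above the webapp
    root. A trailing slash is preserved because it marks a folder request."""
    if not path.startswith("/"):
        return None
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # would climb above the webapp root
            segments.pop()
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    if segments and path.endswith("/"):
        normalized += "/"
    return normalized


def deny_protected_folders(path: str) -> Optional[bool]:
    """Servlet spec 2.4 sections 9.5/9.6: WEB-INF and META-INF are never served."""
    lowered = {seg.lower() for seg in path.split("/")}
    if "web-inf" in lowered or "meta-inf" in lowered:
        return False
    return None


def deny_folder_requests(path: str) -> Optional[bool]:
    """A path ending in '/' asks for a folder; that is the listing the report describes."""
    return False if path.endswith("/") else None


def context_whitelist(app_version: str, extensions: List[str]) -> Authorizer:
    """Allow only files with a listed extension under the versioned context folder.

    Folder segments are matched with [^/]+ rather than [^/.]+, so a basename
    containing periods (e.g. datefield.small.png) still matches."""
    ext_alternatives = "|".join(re.escape(e) for e in extensions)
    pattern = re.compile(
        "^" + re.escape(CONTEXT_FOLDER + app_version + "/")
        + r"(?:[^/]+/)*[^/]+\.(?:" + ext_alternatives + r")$",
        re.IGNORECASE,
    )

    def allow(path: str) -> Optional[bool]:
        return True if pattern.match(path) else None

    return allow


def deny_everything(path: str) -> Optional[bool]:
    """Restrictive chain terminator: whatever nobody explicitly allowed is refused."""
    return False


def build_chain(app_version: str) -> List[Authorizer]:
    # Deny rules run first so the whitelist can never override them.
    return [
        deny_protected_folders,
        deny_folder_requests,
        context_whitelist(app_version, ["css", "js", "jpg", "jpeg", "png", "gif"]),
        deny_everything,
    ]


def authorize(path: str, chain: List[Authorizer]) -> bool:
    """Run the chain of command over one request path; malformed paths are refused."""
    normalized = normalize(path)
    if normalized is None:
        return False
    for link in chain:
        verdict = link(normalized)
        if verdict is not None:
            return verdict
    return False
```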

[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "J le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776391#action_12776391 ] 

J le Roux commented on TAP5-815:
--------------------------------

I can confirm that it works with 5.0.19-SNAPSHOT (svn version 834439, https://svn.apache.org/repos/asf/tapestry/tapestry5/branches/5.0).

Thanks!


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747895#action_12747895 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich. The Tapestry asset handling should only be used by Tapestry components, pages and mixins.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "David Rees (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774000#action_12774000 ] 

David Rees commented on TAP5-815:
---------------------------------

FWIW, Robert's plugin appears to be working for us so far in our T5.1.0.5 application, and I agree with its approach.

But what about legacy T5.0.18 apps?  We don't always have the ability of performing major updates to those apps (to upgrade to T5.1) in a timely manner...


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Alex Kotchnev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774018#action_12774018 ] 

Alex Kotchnev commented on TAP5-815:
------------------------------------

If I recall correctly, the AssetDispatcher worked fine in 5.0.x (excluding a blackbird issue that I think was fixed in Asset Dispatcher 1.0). 


[jira] Reopened: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler reopened TAP5-815:
---------------------------------


[jira] Issue Comment Edited: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773900#action_12773900 ] 

Christian Riedel edited comment on TAP5-815 at 11/5/09 11:31 AM:
-----------------------------------------------------------------

I don't think Robert's solution would make anything available because it's whitelist-based. Or did I miss something?

      was (Author: cbln):
    I don't think Robert's solution wouldn't make anything available because it's whitelist-based. Or did I miss something?


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773907#action_12773907 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I'm sorry. I was talking about Christian Köberl's, not Robert's. In fact, I completely agree with Robert's approach. That's exactly what I would do. It's the approach I use in my Tapestry Access Logger package to define what URLs are logged and what aren't.


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747886#action_12747886 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich that a whitelist approach is probably the best one, but allowing only access to assets used in pages is too restrictive IMHO. It would make working with anything that isn't a Tapestry page a hassle. I would suggest having a chain of command, each object in it receiving the requested URL and responding true (ok), false (file is forbidden) or null (this object doesn't handle this URL; ask the same thing of the next object). This chain of command's terminator would be a very restrictive one.

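The chain of command sketched in the comment above, as an added example in plain Java. This is not Tapestry's own code: the class name AssetAccessChain, the AssetPathVoter interface, the voter factories and the sample paths are all hypothetical. It assumes the path it is given is already percent-decoded and normalised (no "..", no backslashes), relative to the webapp root and without a leading slash, and it needs Java 11 or later. Each voter answers TRUE (serve), FALSE (forbid) or null (no opinion), the first non-null answer wins, and the terminator is a deny, so a path nobody claims is never served. The second chain in main() has the same voters with the whitelist in front, which is enough to serve a file under WEB-INF: hard denies must come before any whitelist.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

// Added example, not Tapestry code. Hypothetical names throughout.
public final class AssetAccessChain {

    /** One link in the chain: TRUE = serve, FALSE = forbid, null = ask the next voter. */
    @FunctionalInterface
    public interface AssetPathVoter {
        Boolean vote(String path);
    }

    private final List<AssetPathVoter> voters;

    public AssetAccessChain(List<AssetPathVoter> voters) {
        this.voters = List.copyOf(voters);
    }

    /** First non-null vote wins; an unclaimed path is forbidden (restrictive terminator). */
    public boolean isAllowed(String path) {
        for (AssetPathVoter voter : voters) {
            Boolean vote = voter.vote(path);
            if (vote != null) {
                return vote;
            }
        }
        return false;
    }

    /** Hard denies: WEB-INF, META-INF and any directory request. Never answers TRUE. */
    public static final AssetPathVoter CONTAINER_RULES = path -> {
        String p = path.toUpperCase(Locale.ROOT);       // case-insensitive as a defensive assumption
        if (p.isEmpty() || p.endsWith("/")) {
            return Boolean.FALSE;                       // no directory listings
        }
        if (p.equals("WEB-INF") || p.startsWith("WEB-INF/")
                || p.equals("META-INF") || p.startsWith("META-INF/")) {
            return Boolean.FALSE;                       // trees the servlet spec keeps private
        }
        return null;                                    // no opinion on anything else
    };

    /** Blacklist voter: FALSE on a match, otherwise abstains. matches() anchors the regex to the whole path. */
    public static AssetPathVoter denyMatching(String regex) {
        Pattern pattern = Pattern.compile(regex);
        return path -> pattern.matcher(path).matches() ? Boolean.FALSE : null;
    }

    /** Whitelist voter: TRUE on a match, otherwise abstains. */
    public static AssetPathVoter allowMatching(String regex) {
        Pattern pattern = Pattern.compile(regex);
        return path -> pattern.matcher(path).matches() ? Boolean.TRUE : null;
    }

    /** Denies first, then a whitelist of ordinary static asset types, then the implicit deny terminator. */
    public static AssetAccessChain defaultChain() {
        return new AssetAccessChain(List.of(
                CONTAINER_RULES,
                denyMatching(".*\\.tml"),                       // page templates stay private
                allowMatching(".*\\.(css|js|png|gif|jpg|ico)")));
    }

    /** The same voters with the whitelist in front: kept only to show why order matters. */
    public static AssetAccessChain misorderedChain() {
        return new AssetAccessChain(List.of(
                allowMatching(".*\\.(css|js|png|gif|jpg|ico)"),
                CONTAINER_RULES,
                denyMatching(".*\\.tml")));
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from any real application.
        List<String> samples = List.of(
                "css/main.css", "images/logo.png", "css/", "",
                "WEB-INF/web.xml", "WEB-INF/classes/app.properties",
                "META-INF/MANIFEST.MF", "Index.tml", "WEB-INF/hidden.js");
        AssetAccessChain good = defaultChain();
        AssetAccessChain bad = misorderedChain();
        for (String path : samples) {
            System.out.printf("%-36s default=%-5s misordered=%s%n",
                    "'" + path + "'", good.isAllowed(path), bad.isAllowed(path));
        }
        // Only "WEB-INF/hidden.js" differs: the misordered chain serves it because the
        // whitelist answered TRUE before the WEB-INF deny was ever consulted.
    }
}
```

The chain returns only allow/forbid; whether a forbidden path is answered with 404 (as the servlet spec requires for WEB-INF and META-INF) or 403 is the dispatcher's decision, not the voters'.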


[jira] Assigned: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler reassigned TAP5-815:
-----------------------------------

    Assignee: Robert Zeigler



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "David Rees (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773640#action_12773640 ] 

David Rees commented on TAP5-815:
---------------------------------

This affects 5.0.18 as well, and the issue has been open for quite some time. Is 5.0 maintained at all for security-related issues? What about 5.1?



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "David Rees (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774038#action_12774038 ] 

David Rees commented on TAP5-815:
---------------------------------

@Robert - Thanks that sounds great!

@Alex - Not sure what you mean - I just tested one of my 5.0.18 apps yesterday and I was able to download assets without issue.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Köberl (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773228#action_12773228 ] 

Christian Köberl commented on TAP5-815:
---------------------------------------

At least the directory index should be fixed quickly. This is a massive security issue for all Tapestry applications.
e.g. http://tapestry-test.appspot.com/assets/

A simple check in AssetDispatcher like this would help:
    // Reject directory requests (trailing slash) and paths without a file extension
    if (path.endsWith("/") || path.indexOf('.') < 0)
        return false;




[jira] Issue Comment Edited: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773900#action_12773900 ] 

Christian Riedel edited comment on TAP5-815 at 11/5/09 11:31 AM:
-----------------------------------------------------------------

I don't think Robert's solution would make anything available because it's whitelist-based. Or did I miss something?

      was (Author: cbln):
    I don't think Robert's solution wouldn't make anything available because it's whitelist-based. Or did I miss something?
  


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748057#action_12748057 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

I had some singleton service holding a collection of allowed assets in mind. This would be injected into AssetSource and queried whether access should be allowed. Allowed assets get added from AssetObjectProvider, AssetInjectionProvider, IncludeJavaScriptLibraryWorker, IncludeStylesheetWorker, ContextBindingFactory and AssetBindingFactory.
If people choose to override the default AssetSource they have to live with being responsible for taking care of security. By the way, we could also do the checks in the corresponding AssetFactories.

Uli



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747895#action_12747895 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich. The Tapestry asset handling should only be used by Tapestry components, pages and mixins.




[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773954#action_12773954 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

If the consensus is to incorporate the AssetProtectionDispatcher + whitelist contributions from the module I wrote, then I'm happy to donate that code to the Tapestry project. If I don't hear any nays before then, I'll integrate it this weekend.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "J le Roux (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776391#action_12776391 ] 

J le Roux commented on TAP5-815:
--------------------------------

I can confirm that it works with 5.0.19-SNAPSHOT (svn version 834439, https://svn.apache.org/repos/asf/tapestry/tapestry5/branches/5.0).

Thanks!




[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799751#action_12799751 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Not quite true, on three counts:
1) Users don't have to make any contributions... at least, they shouldn't.  See TapestryModule line 2398 in trunk (2091 in 5.1 branch).  We contribute the symbol as "true" to factory defaults.
2) It's not true that "everyone" will want common assets to be available. :)
3) It's no longer just "common" context assets that are available by default.  In the /context/, the availability should be following the servlet spec, as per Geoff Callender's 03/Dec/09 comment.

Cheers.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>             Fix For: 5.2.0, 5.1.0.6, 5.1.0.7, 5.0.19
>
>
> Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.




[jira] Closed: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Zeigler closed TAP5-815.
-------------------------------

       Resolution: Fixed
    Fix Version/s: 5.0.19
                   5.1.0.6
                   5.2.0



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799666#action_12799666 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

It seems we still haven't got it 100% right. In order for common context assets like images, css and js to be available, the user has to set SymbolConstants.CONTEXT_ASSETS_AVAILABLE to true OR contribute to the regex authorizer. Since everyone will want common assets to be available and will set it to true (because it's the easiest thing to do), this is useless and just represents an additional burden to the user.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Geoff Callender (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12785188#action_12785188 ] 

Geoff Callender commented on TAP5-815:
--------------------------------------

Hey Robert,

I haven't had a chance to review the AssetProtectionDispatcher, but can you confirm its default setup matches the following bits of the servlet spec? I think the servlet spec describes the behaviour that developers would reasonably expect, regardless of the fact that T5 doesn't use servlets.

1. ALWAYS deny clients access to WEB-INF: 

"any requests from the client to access the resources in WEB-INF/ directory must be returned with a SC_NOT_FOUND(404) response." (Servlet Spec 2.4 section 9.5)

2. ALWAYS deny clients access to META-INF: 

"any requests to access the resources in META-INF directory must be returned with a SC_NOT_FOUND(404) response." (Servlet spec 2.4 section 9.6)

3. By default, allow access to static resources: 

"Web containers are required to support access to web resources by clients that have not authenticated themselves to the container. This is the common mode of access to web resources on the Internet." (Servlet Spec 2.4 section 12.7)

If resources such as .tml files need to be hidden then either move them into WEB-INF/classes (which I'd argue is where they belong anyway, as they are a non-configurable part of the app) or blacklist them.

As for displaying index pages as the client traverses the resources, I think we're all agreed it's wrong.

Geoff

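The three servlet-spec rules listed above, together with the directory-index guard Christian Köberl proposed earlier in the thread, as an added example in plain Java. This is not Tapestry's AssetProtectionDispatcher: ContextAssetPolicy, percentDecode, canonicalize, decide and the sample requests are hypothetical. The point it adds is that a prefix check on WEB-INF only means something after the path has been canonicalised: Köberl's two-line check stops listings, but "WEB-INF/web.xml" contains a dot and no trailing slash, and "%57EB-INF/web.xml" or "css/../WEB-INF/web.xml" do not start with "WEB-INF" until decoded and collapsed. Assumptions: the input is the still percent-encoded path after the digest segment, relative to the webapp root; escapes are decoded exactly once and a path that still contains '%' afterwards is rejected rather than decoded again (so a file literally named "100%.png" would be unreachable); backslashes are treated as separators; WEB-INF and META-INF are matched case-insensitively, which goes beyond the spec text.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Locale;

// Added example, not Tapestry code. Hypothetical names throughout.
public final class ContextAssetPolicy {

    public enum Decision { ALLOW, NOT_FOUND }

    /** Decode %XX escapes once, on bytes so multi-byte UTF-8 survives. Null on a malformed escape. */
    static String percentDecode(String raw) {
        byte[] in = raw.getBytes(StandardCharsets.UTF_8);
        ByteArrayOutputStream out = new ByteArrayOutputStream(in.length);
        for (int i = 0; i < in.length; i++) {
            if (in[i] != '%') {
                out.write(in[i]);
                continue;
            }
            if (i + 2 >= in.length) {
                return null;                                   // truncated escape such as "%4"
            }
            int hi = Character.digit((char) in[i + 1], 16);
            int lo = Character.digit((char) in[i + 2], 16);
            if (hi < 0 || lo < 0) {
                return null;                                   // "%zz"
            }
            out.write((hi << 4) | lo);
            i += 2;
        }
        return new String(out.toByteArray(), StandardCharsets.UTF_8);
    }

    /**
     * Unify slashes, collapse "." and "..", and mark directory requests with a trailing '/'.
     * Null when the path is malformed, contains NUL, still has '%' after one decode,
     * or tries to climb above the webapp root.
     */
    static String canonicalize(String raw) {
        String decoded = percentDecode(raw);
        if (decoded == null || decoded.indexOf('%') >= 0 || decoded.indexOf('\0') >= 0) {
            return null;
        }
        String[] parts = decoded.replace('\\', '/').split("/", -1);  // -1 keeps a trailing empty segment
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : parts) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;                               // escape above the root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        String last = parts[parts.length - 1];
        boolean directory = segments.isEmpty() || last.isEmpty() || last.equals(".") || last.equals("..");
        return String.join("/", segments) + (directory ? "/" : "");
    }

    /** Rules 1 to 3 above: WEB-INF and META-INF are 404, directory requests are 404, the rest is static by default. */
    public static Decision decide(String rawPath) {
        String path = canonicalize(rawPath);
        if (path == null || path.endsWith("/")) {
            return Decision.NOT_FOUND;
        }
        String upper = path.toUpperCase(Locale.ROOT);
        if (upper.equals("WEB-INF") || upper.startsWith("WEB-INF/")
                || upper.equals("META-INF") || upper.startsWith("META-INF/")) {
            return Decision.NOT_FOUND;
        }
        return Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not captured from any real server.
        List<String> samples = List.of(
                "css/main.css", "css/./main.css", "css/", "", "WEB-INF/web.xml", "web-inf/web.xml",
                "%57EB-INF/web.xml", "css/../WEB-INF/web.xml", "css\\..\\WEB-INF\\web.xml",
                "..%2F..%2Fetc/passwd", "%252e%252e/WEB-INF/web.xml", "Index.tml");
        for (String raw : samples) {
            System.out.printf("%-32s -> %-9s canonical=%s%n", raw, decide(raw), canonicalize(raw));
        }
        // Index.tml comes out ALLOW: under rule 3 a template must live below WEB-INF/classes
        // or be blacklisted separately, which is exactly the choice the comment above offers.
    }
}
```

canonicalize() is deliberately separate from decide() so that any later blacklist or whitelist is applied to the collapsed path and not to the raw request.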



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12790116#action_12790116 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Geoff:

1) Yes.
2) yes.
3) yes.





[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Alex Kotchnev (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773653#action_12773653 ] 

Alex Kotchnev commented on TAP5-815:
------------------------------------

I'm totally blown away by the lack of interest this issue has received. In my opinion, this is the type of issue that FORCES a point release; it is that severe and important. There are several existing solutions that can easily be plugged into the framework, yet no action.

To my dismay, this has been open since Aug, and the issue has been known for 5.0 for a lot longer than that. 



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748057#action_12748057 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

I had some singleton service holding a collection of allowed assets in mind. This would be injected into AssetSource and queried whether access should be allowed. Allowed assets get added from AssetObjectProvider, AssetInjectionProvider, IncludeJavaScriptLibraryWorker, IncludeStylesheetWorker, ContextBindingFactory and AssetBindingFactory.
If people choose to override the default AssetSource they have to live with being responsible for taking care of security. We could btw. also do the checks in the corresponding AssetFactories.

Uli



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12776968#action_12776968 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

There should be an additional contribution to the RegexAuthorizer service:

regex.add(RequestConstants.CONTEXT_FOLDER + appVersion + "/" + pathPattern);

Otherwise access to css, js, jpg and all the other stuff coming from the individual application is denied by default. I know the docs say exactly so, but I think allowing some standard stuff out of the box is OK. People might just spend too much time figuring out why some standard things like css files, javascripts and pictures are blocked.

Uli



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Christian Riedel (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773830#action_12773830 ] 

Christian Riedel commented on TAP5-815:
---------------------------------------

Well, it's just half as popular as TAP-138 :)
I think if anyone contributes a framework-ready solution, some committer will do a security release.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12775085#action_12775085 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Hey Chris,

I just committed the AssetProtectionDispatcher stuff (to 5.0 and 5.1 branches and to trunk).  That should solve your issue, but if you want to double check that, it would be great.
Leaving this issue open for the time being to give people a chance to review.  I'll close it tonight or tomorrow if I don't hear anything more.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Thiago H. de Paula Figueiredo (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773893#action_12773893 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I don't think Robert's solution is enough, as attackers can still guess some files' locations (hibernate.cfg.xml and web.xml, for example) even without the directory listing. I think a viable solution would be the one I proposed in the first comment.



[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Robert Zeigler (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748050#action_12748050 ] 

Robert Zeigler commented on TAP5-815:
-------------------------------------

Ulrich, "Just allow access to Assets really required by pages or components" is easier said than done.  The assets required by a page are not known until the first time a page is requested and the corresponding page model is built.  Which means that it's difficult, at best, for an IOC module to access this information at service instantiation time; it will be instantiated when the first request comes in, /before/ the corresponding page is even loaded (due to dispatcher ordering), and that's on the first request, for a single page, before any other pages are loaded.  Any sort of asset authorization service that wanted to auto-enable required assets would need to have some sort of "addVisibleResource" method that is called whenever an asset is encountered/created during render.  I would advocate instead a whitelist approach where allowed files/file patterns are contributed via ioc contributions.  This would simplify things significantly.

As for assets used only by components, pages, and mixins, that's also a bit tricky, since it's possible for someone to write an alternative asset source that's used, eg, for file downloads (ie, not necessarily directly referenced by a page/component/mixin). 

Incidentally, a long while ago, I implemented and made available for public use an "AssetProtectionDispatcher" that is configured essentially via chain of command as specified by Thiago above, with slight variation (a bit more flexible; individual contributions specify whether they explicitly allow or deny access).  The module further provides two "AssetPathAuthorizer" implementations: one for explicit whitelisting by resource name, and the other for whitelisting by url pattern, with the whitelist being the last in the chain of command.  The module contributes a default set of values to the whitelist (everything used by tapestry's core components), but you'll need to add explicit access to other resources (eg: contributing a .*\.jpg to the RegexAuthorizer). 

Maven repo:
http://maven.saiwai-solutions.com
groupid: com.saiwaisolutions
artifactid: AssetProtectionDispatcher
version: 1.0.0

Alternatively, an older version is available on Tassel:
http://saiwai-solutions.com/Tassel/app?service=external/ViewComponent&sp=SAssetProtectionDispatcher

Version 1.0.0 also adds some default configurations to handle chenillekit-based assets.
Cheers!

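An added example, not code from Tapestry or from Robert's AssetProtectionDispatcher module: a stand-alone Java model of the chain-of-command design he describes (each link explicitly allows, denies or abstains; a name whitelist and a regex whitelist sit last; anything nobody allows is denied), also carrying the kind of per-application rule Uli's regex.add(...) contribution adds. All class and method names are hypothetical; the version folder is the one from the bug report.

```java
// Added example, not Tapestry's code: a stand-alone model of the chain-of-command
// asset authorization described in this thread. Class names are hypothetical.
import java.util.*;
import java.util.regex.Pattern;

public class AssetAuthorizationChain {
    enum Decision { ALLOW, DENY, ABSTAIN }
    interface AssetPathAuthorizer { Decision decide(String path); }

    /** Denies directory requests, traversal and anything under WEB-INF/META-INF. */
    static class ProtectedPathDenier implements AssetPathAuthorizer {
        public Decision decide(String path) {
            String p = path.toLowerCase();
            boolean bad = p.endsWith("/") || p.contains("..")
                    || p.contains("web-inf/") || p.contains("meta-inf/");
            return bad ? Decision.DENY : Decision.ABSTAIN;
        }
    }
    /** Whitelist by exact resource name. */
    static class WhitelistAuthorizer implements AssetPathAuthorizer {
        private final Set<String> allowed = new HashSet<>();
        WhitelistAuthorizer allow(String resource) { allowed.add(resource); return this; }
        public Decision decide(String path) { return allowed.contains(path) ? Decision.ALLOW : Decision.ABSTAIN; }
    }
    /** Whitelist by URL pattern, the kind of rule a regex.add(...) contribution supplies. */
    static class RegexAuthorizer implements AssetPathAuthorizer {
        private final List<Pattern> patterns = new ArrayList<>();
        RegexAuthorizer allow(String regex) { patterns.add(Pattern.compile(regex)); return this; }
        public Decision decide(String path) {
            for (Pattern p : patterns) if (p.matcher(path).matches()) return Decision.ALLOW;
            return Decision.ABSTAIN;
        }
    }

    private final List<AssetPathAuthorizer> chain = new ArrayList<>();
    AssetAuthorizationChain add(AssetPathAuthorizer a) { chain.add(a); return this; }

    /** First ALLOW or DENY wins; if every link abstains, access is denied by default. */
    boolean accessAllowed(String assetPath) {
        for (AssetPathAuthorizer a : chain) {
            Decision d = a.decide(assetPath);
            if (d != Decision.ABSTAIN) return d == Decision.ALLOW;
        }
        return false;
    }

    public static void main(String[] args) {
        String prefix = "ctx/f10407a6c1753e39/"; // stands in for CONTEXT_FOLDER + appVersion + "/"
        AssetAuthorizationChain chain = new AssetAuthorizationChain()
            .add(new ProtectedPathDenier())
            .add(new WhitelistAuthorizer().allow(prefix + "favicon.ico"))
            .add(new RegexAuthorizer().allow(Pattern.quote(prefix) + ".*\\.(css|js|jpg|png|gif)"));
        // constructed requests: css allowed, listing / WEB-INF / guessed config denied
        for (String r : new String[] { prefix + "css/main.css", prefix, prefix + "WEB-INF/web.xml", prefix + "hibernate.cfg.xml" })
            System.out.println((chain.accessAllowed(r) ? "ALLOW " : "DENY  ") + r);
    }
}
```

Because the final decision is deny-by-default, a guessed path such as hibernate.cfg.xml (Thiago's objection above) is refused even though no link names it, while the regex rule keeps ordinary stylesheets and images reachable.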


[jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable

Posted by "Ulrich Stärk (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799781#action_12799781 ] 

Ulrich Stärk commented on TAP5-815:
-----------------------------------

To 1): You are right. That stupid m2eclipse was using a snapshot from December instead of updating it to the most recent and I had workspace resolution turned off.
To 2): But most will.
To 3): Acknowledged. That's a good thing.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>             Fix For: 5.2.0, 5.1.0.6, 5.1.0.7, 5.0.19
>
>
> Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.
