tapestry-commits mailing list archives

From Ulrich Stärk (JIRA) <j...@apache.org>
Subject [jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable
Date Wed, 13 Jan 2010 09:32:55 GMT

    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12799666#action_12799666 ]

Ulrich Stärk commented on TAP5-815:
-----------------------------------

It seems we still haven't got it 100% right. In order for common context assets like images,
css and js to be available, the user has to set SymbolConstants.CONTEXT_ASSETS_AVAILABLE to
true OR contribute to the regex authorizer. Since everyone will want common assets to be available
and set it to true (because it's the easiest thing to do), this is useless and just represents
an additional burden to the user.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Assignee: Robert Zeigler
>            Priority: Blocker
>             Fix For: 5.2.0, 5.1.0.6, 5.1.0.7, 5.0.19
>
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css.
> If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside
> the webapp root is shown. It gives you the hint at downloading any file you want, including
> anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
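
The comment above weighs a global switch against contributing patterns to the regex authorizer. As an added example (not Tapestry's code and not part of the original message), here is a stand-alone default-deny check of the kind such an authorizer performs on the path that follows the checksum segment. The class name, the allow-list pattern and the sample paths are assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

// Added illustration: a hypothetical allow-list check, not Tapestry's RegexAuthorizer.
public class AssetPathAllowList {
    // Assumed allow-list: only static asset types under css/, js/ or images/.
    private static final List<Pattern> ALLOWED = List.of(
        Pattern.compile("^(css|js|images)/[\\w./-]+\\.(css|js|png|gif|jpg)$"));

    /** Returns true only if the context-relative path may be served as an asset. */
    public static boolean isAuthorized(String path) {
        if (path == null || path.isEmpty() || path.endsWith("/")) {
            return false; // folder request: never answer with a file listing
        }
        String normalized = normalize(path);
        if (normalized == null) return false; // climbed above the context root
        String lower = normalized.toLowerCase(Locale.ROOT);
        if (lower.startsWith("web-inf/") || lower.startsWith("meta-inf/")) return false;
        for (Pattern p : ALLOWED) {
            if (p.matcher(normalized).matches()) return true;
        }
        return false; // default deny: anything not explicitly allowed is refused
    }

    // Resolve "." and ".." before matching so the patterns see the real target.
    private static String normalize(String path) {
        Deque<String> parts = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (parts.isEmpty()) return null;
                parts.removeLast();
            } else {
                parts.addLast(seg);
            }
        }
        return String.join("/", parts);
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the webapp root.
        String[] samples = {"css/main.css", "", "css/", "images/logo.png",
            "WEB-INF/web.xml", "css/../WEB-INF/web.xml", "secret/report.pdf"};
        for (String s : samples) {
            System.out.printf("%-26s %s%n", "'" + s + "'", isAuthorized(s) ? "serve" : "refuse");
        }
    }
}
```

With a default allow-list like this, common assets work without a global switch, and only applications with unusual layouts need to contribute extra patterns.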

