tapestry-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lenny Primak (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (TAP5-1779) Tapestry allows directory listing of assets via client browser
Date Sat, 25 Feb 2012 01:05:48 GMT

     [ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Lenny Primak updated TAP5-1779:
-------------------------------

    Description: 
You can access asset directory listing by going to Tapestry web site http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this: http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library: 
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--------------------------- fix for the code ----------------
    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
                    @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
    {
        configuration.add("DisableDirListing", new RequestFilter() {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler)
throws IOException
            {
                final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion
+ "/" + 
                        RequestConstants.CONTEXT_FOLDER;
                if(request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                {
                    return false;
                }
                else
                {
                    return handler.service(request, response);
                }
            }
        }, "before:AssetDispatcher");
    }      


  was:
You can access asset directory listing by going to Tapestry web site http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this: http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library: http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--------------------------- fix for the code ----------------
    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
                    @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
    {
        configuration.add("DisableDirListing", new RequestFilter() {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler)
throws IOException
            {
                final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion
+ "/" + 
                        RequestConstants.CONTEXT_FOLDER;
                if(request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                {
                    return false;
                }
                else
                {
                    return handler.service(request, response);
                }
            }
        }, "before:AssetDispatcher");
    }      


    
> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>
> You can access asset directory listing by going to Tapestry web site http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this: http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library: 
> http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --------------------------- fix for the code ----------------
>     @Contribute(RequestHandler.class)
>     public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>                     @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
>     {
>         configuration.add("DisableDirListing", new RequestFilter() {
>             @Override
>             public boolean service(Request request, Response response, RequestHandler
handler) throws IOException
>             {
>                 final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion
+ "/" + 
>                         RequestConstants.CONTEXT_FOLDER;
>                 if(request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
>                 {
>                     return false;
>                 }
>                 else
>                 {
>                     return handler.service(request, response);
>                 }
>             }
>         }, "before:AssetDispatcher");
>     }      

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message