tapestry-dev mailing list archives

From David White <dw11...@onemail.at>
Subject Re: [jira] Resolved: (TAPESTRY-278) Tapestry 3.0.2 asset service has security flaw
Date Sun, 20 Mar 2005 19:41:22 GMT
On Sun, 2005-03-20 at 13:43 -0500, Nathan Kopp wrote:
> Robert Zeigler <rdzeigle@u.arizona.edu> wrote...
> >
> > Meaning no offense, but, this idea sounds like hell to me. Do I, or do
> > you, really want to waste time editing a config file somewhere because I
> > added three new images? Or 1000? Or 2000? I maintain an app right now
> > which contains over 3000 images so the numbers aren't far-fetched.
> 
> First, thanks to Howard for coming up with a creative solution quickly,
> even if it's not completely satisfactory for everyone.
> 
> Two opinions/thoughts:
> 1) Personally, I think that, unless otherwise configured, the asset service
> should follow the standard web application protocol and (by default) hide
> everything in the WEB-INF folder.  This would mean not using a classloader
> for loading assets (as suggested by David White).  Of course, this would
> break backwards compatibility.  I think you could whitelist certain folders
> within WEB-INF to allow them to be visible, but I think the developer should
> be forced to intentionally do this, since it is nonstandard and potentially
> unsafe.  At least that's how I see it.
> 

I think anything else is asking for serious trouble. Imagine if someone
were to do a firewall/router configuration interface in Tapestry (this
is pretty close to the sort of thing my project is working on, but
possibly even *more* sensitive).

> 2) Aren't all assets referenced in some way by components, before the user
> requests them?  

Thanks for mentioning this. I saw this auditing the code and am pursuing
this possibility to solve the problem in a reasonable way. A diff to the
3-0-branch as of 2005-03-16 is on its way.

I'll be able to test this tomorrow (CET), hopefully a patch against this
version will be forthcoming on this list.

David WHITE
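A defence-side sketch of the two ideas discussed in this thread (WEB-INF hidden by default with explicit opt-in, and only component-referenced assets ever served), added here as an illustration and not Tapestry's own code or the patch David mentions. `AssetPathPolicy` and its methods are hypothetical names; it assumes Java 10 or later for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical allow-list policy for a servlet that serves static assets (not Tapestry's own code). */
public final class AssetPathPolicy {
    private final Set<String> registered = new HashSet<>();        // assets some component referenced
    private final Set<String> exposedWebInfDirs = new HashSet<>(); // WEB-INF sub-folders opted in
    /** Components call this while rendering, so the allow-list exists before any browser request. */
    public void registerAsset(String path) { registered.add(normalise(path)); }
    /** Developer deliberately exposes one WEB-INF sub-folder; nothing under WEB-INF is visible otherwise. */
    public void exposeWebInfDir(String dir) { exposedWebInfDirs.add(normalise(dir)); }
    /** Decode once, unify slashes, collapse "." and ".."; null when the path climbs above the web root. */
    static String normalise(String raw) {
        String decoded = URLDecoder.decode(raw.replace('\\', '/'), StandardCharsets.UTF_8);
        Deque<String> out = new ArrayDeque<>();
        for (String seg : decoded.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) { if (out.isEmpty()) return null; out.removeLast(); continue; }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }
    /** Serve only what a component referenced, and never WEB-INF/META-INF unless explicitly exposed. */
    public boolean isServable(String requestPath) {
        String path = normalise(requestPath);
        if (path == null) return false;                         // traversal above the web root
        String upper = path.toUpperCase(Locale.ROOT);           // case-insensitive filesystems exist
        if (upper.startsWith("/META-INF/")) return false;
        if (upper.startsWith("/WEB-INF/")
                && exposedWebInfDirs.stream().noneMatch(d -> path.startsWith(d + "/"))) return false;
        return registered.contains(path);                       // unknown-to-components: refuse
    }
    public static void main(String[] args) {
        AssetPathPolicy policy = new AssetPathPolicy();         // constructed sample registry
        policy.registerAsset("/images/logo.png");
        policy.exposeWebInfDir("/WEB-INF/public");
        policy.registerAsset("/WEB-INF/public/help.png");
        System.out.println(policy.isServable("/images/logo.png"));             // plain referenced asset
        System.out.println(policy.isServable("/WEB-INF/web.xml"));             // hidden by default
        System.out.println(policy.isServable("/images/..%2FWEB-INF/web.xml")); // decoded and collapsed first
        System.out.println(policy.isServable("/WEB-INF/public/help.png"));     // exposed and referenced
        System.out.println(policy.isServable("/images/other.png"));            // on disk but never referenced
    }
}
```

Malformed percent-encoding makes `URLDecoder.decode` throw `IllegalArgumentException`; a real asset servlet should catch that and reject the request rather than fall through to the file system.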

