tapestry-dev mailing list archives

From David Taylor <DavidVTay...@cox.net>
Subject Re: [jira] Resolved: (TAPESTRY-281) asset service has security flaw
Date Tue, 15 Mar 2005 23:06:38 GMT
Great, I was planning on backporting the changes this week. I was also 
considering adding the feature of limiting the hash to the first few KB 
of the file to avoid the performance hit when dealing with large assets. 
One of the applications I have in the works currently serves up 
thousands of high-res JPEG and large PDF files using dynamically created 
assets.

I do have one question -- are your updates a straight port of the 
original MD5-only version or did you allow for other hash algorithms? 
While MD5 is probably more than adequate for this use, security-minded 
businesses are afraid of MD5 because it has demonstrated collisions and 
is considered "broken". For these clients I am planning on using SHA-256 
since it is not yet considered to be an "evil" algorithm. If not, I 
would be happy to help add support for other algorithms.

Thanks for your timely contribution.

David

matthew c. mead wrote:

> I have "backported" this to a cvs checkout of 3.0.2.  It isn't 
> perfect, but it meets my needs and is probably a good start.
>
> Is anyone interested in it?
>
> Is there a maintainer for 3.0.2/3.0.3?
>
>
>
> -matt
>
> Howard M. Lewis Ship (JIRA) wrote:
>
>>     [ http://issues.apache.org/jira/browse/TAPESTRY-281?page=history ]
>>     Howard M. Lewis Ship resolved TAPESTRY-281:
>> -------------------------------------------
>>
>>    Resolution: Fixed
>>
>>  
>>
>>> asset service has security flaw
>>> -------------------------------
>>>
>>>         Key: TAPESTRY-281
>>>         URL: http://issues.apache.org/jira/browse/TAPESTRY-281
>>>     Project: Tapestry
>>>        Type: Bug
>>>  Components: Framework
>>>    Versions: 3.1
>>> Environment: Tomcat 5, JDK 1.4
>>>    Reporter: Howard M. Lewis Ship
>>>    Assignee: Howard M. Lewis Ship
>>>     Fix For: 3.1
>>>   
>>
>>
>>  
>>
>>> The asset service can be used to view files that should not be 
>>> visible.  This could expose important resources, including database 
>>> passwords and connection information.
>>> The asset service appears to expose any file relative to the 
>>> classpath, and you can even use the ".." operator to go backwards, 
>>> down into WEB-INF in general.
>>> Here are some examples.  They were tested on a demo application 
>>> which is often available on the web, but they've been "cleaned," so 
>>> they don't point to a real server anymore:
>>> * View the web.xml file:
>>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml
>>>
>>> * View the tapestry.application file:
>>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application
>>>
>>> * View a raw JSP file:
>>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp
>>>
>>> * Download a few class files that are part of the application:
>>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class
>>>
>>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class
>>>
>>>   
>>
>>
>>  
>>
>

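The thread above covers two things: the TAPESTRY-281 report (the asset service resolving `..` segments out of the classpath into WEB-INF) and David's follow-up questions about the content-digest fix (whether the digest algorithm is pluggable, and whether hashing only the first few KB of large assets is acceptable). The following is an added, language-neutral illustration in Python of both controls working together; it is not Tapestry's code and does not use its API. The `AssetService` class, the `sp` and `digest` query parameters, the `/app?service=asset` URL shape and the temporary WEB-INF/classes layout in `demo()` are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import tempfile
from urllib.parse import parse_qs, quote, urlsplit


class AssetService:
    """Illustrative asset resolver (added example, not Tapestry's own code).

    Two independent controls stop requests such as sp=S/../web.xml:
      1. path validation: no '..', '.' or empty segments, and the resolved
         real path must stay under the asset root (also catches symlinks);
      2. a content digest in the URL: a file is served only when the digest
         the client presents matches the file, so a URL cannot be hand-built
         for a file the application never linked to.
    """

    def __init__(self, asset_root, algorithm="sha256", hash_limit=None):
        self.asset_root = os.path.realpath(asset_root)
        self.algorithm = algorithm      # any hashlib name: "md5", "sha256", ...
        self.hash_limit = hash_limit    # bytes to hash; None hashes the whole file

    def _safe_path(self, relative):
        segments = relative.split("/")
        if any(seg in ("", ".", "..") or "\\" in seg for seg in segments):
            return None
        full = os.path.realpath(os.path.join(self.asset_root, *segments))
        if os.path.commonpath([full, self.asset_root]) != self.asset_root:
            return None
        return full

    def digest(self, full_path):
        # Streams the file so large JPEG/PDF assets are not read into memory;
        # hash_limit caps how much of the file contributes to the digest.
        h = hashlib.new(self.algorithm)
        remaining = self.hash_limit
        with open(full_path, "rb") as f:
            while remaining is None or remaining > 0:
                chunk = f.read(65536 if remaining is None else min(65536, remaining))
                if not chunk:
                    break
                h.update(chunk)
                if remaining is not None:
                    remaining -= len(chunk)
        return h.hexdigest()

    def build_url(self, relative):
        """Called when the application renders a link to an asset it intends
        to expose; this is the only place a valid digest is produced."""
        full = self._safe_path(relative)
        if full is None:
            raise ValueError("asset outside root: %r" % relative)
        return "/app?service=asset&sp=%s&digest=%s" % (
            quote(relative, safe=""), self.digest(full))

    def serve(self, url):
        """Return the file bytes, or None when the request must be refused."""
        params = parse_qs(urlsplit(url).query)
        relative = params.get("sp", [""])[0]
        presented = params.get("digest", [""])[0]
        full = self._safe_path(relative)
        if full is None or not os.path.isfile(full):
            return None
        expected = self.digest(full)
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            return None
        with open(full, "rb") as f:
            return f.read()


def demo():
    """Constructed webapp layout mirroring the report: assets resolve under
    WEB-INF/classes, so a '..' segment would reach WEB-INF/web.xml."""
    webapp = tempfile.mkdtemp()
    classes = os.path.join(webapp, "WEB-INF", "classes")
    os.makedirs(os.path.join(classes, "org", "example"))
    with open(os.path.join(webapp, "WEB-INF", "web.xml"), "w") as f:
        f.write("<web-app><!-- constructed, nothing real --></web-app>")
    logo = os.path.join(classes, "org", "example", "logo.txt")
    with open(logo, "w") as f:
        f.write("public asset")

    svc = AssetService(classes)
    good_url = svc.build_url("org/example/logo.txt")
    last = good_url[-1]
    wrong_digest = good_url[:-1] + ("0" if last != "0" else "1")
    traversal = "/app?service=asset&sp=..%2Fweb.xml&digest=" + good_url.split("digest=")[1]
    prefix_svc = AssetService(classes, hash_limit=4)   # hash only the first 4 bytes
    return {
        "legit": svc.serve(good_url),                         # b"public asset"
        "no_digest": svc.serve(good_url.split("&digest=")[0]),  # None
        "wrong_digest": svc.serve(wrong_digest),              # None
        "traversal": svc.serve(traversal),                    # None: '..' rejected
        "md5_len": len(AssetService(classes, "md5").digest(logo)),  # 32 hex chars
        "prefix_ok": prefix_svc.digest(logo) == hashlib.sha256(b"publ").hexdigest(),
    }
```

The algorithm is just a `hashlib` name, so switching a deployment from MD5 to SHA-256 is a constructor argument rather than a code change. One caveat on the prefix idea: the digest only proves the requester knows the bytes that were hashed, so with `hash_limit` set, a file whose first few KB are predictable (a standard header, a boilerplate XML prologue) no longer gets much protection from the digest alone. That is why the path check stays in place as an independent control, and why a prefix cap is best reserved for large media under a root that contains nothing sensitive.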
---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org

