tapestry-dev mailing list archives

From Danny Angus <Danny_An...@slc.co.uk>
Subject Re: Asset security flaw
Date Mon, 14 Mar 2005 09:12:37 GMT

This is great news, but could someone please apply this to 3.0 and release
it officially for those of us who have corporate masters to please.

d.





Howard Lewis Ship <hlship@gmail.com>
12/03/2005 09:21 PM
Please respond to "Tapestry development"

To:       Tapestry development <tapestry-dev@jakarta.apache.org>
cc:
Subject:  Asset security flaw

I've fixed the asset security flaw in 3.1.  Asset URLs created by the
asset service now include the path AND an MD5 Digest for the file.
The digest is the necessary credential for the file ... no digest, no
file. Since you need the content of the file to create the digest ...
I think this little hole is plugged.

There's no reason why the same approach won't work for 3.0.3.

--
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com

---------------------------------------------------------------------
To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
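
The digest check described in the quoted message, sketched as an added example that is not Tapestry's code and not part of either e-mail. The class name, URL layout, parameter names and sample resources are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Map;

public class AssetDigestDemo {
    // Constructed sample resources standing in for files the asset service can read.
    static final Map<String, byte[]> RESOURCES = Map.of(
        "/com/example/style.css", "body { color: black; }".getBytes(StandardCharsets.UTF_8),
        "/com/example/internal.properties", "key=constructed".getBytes(StandardCharsets.UTF_8));

    static byte[] md5(byte[] content) {
        try {
            return MessageDigest.getInstance("MD5").digest(content);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // MD5 is required on every Java platform
        }
    }

    // When rendering a page: the URL carries the path AND the digest of the file.
    // The query layout is hypothetical.
    static String buildUrl(String path) {
        String hex = HexFormat.of().formatHex(md5(RESOURCES.get(path)));
        return "/app?service=asset&path=" + path + "&digest=" + hex;
    }

    // When serving: recompute the digest from the file and refuse on any mismatch.
    static byte[] serve(String path, String digestHex) {
        byte[] content = RESOURCES.get(path);
        if (content == null || digestHex == null) return null; // no digest, no file
        byte[] supplied;
        try {
            supplied = HexFormat.of().parseHex(digestHex);
        } catch (IllegalArgumentException e) {
            return null; // not valid hex
        }
        // MessageDigest.isEqual compares in constant time.
        return MessageDigest.isEqual(md5(content), supplied) ? content : null;
    }

    public static void main(String[] args) {
        String url = buildUrl("/com/example/style.css");
        String digest = url.substring(url.indexOf("&digest=") + 8);
        System.out.println(url);
        System.out.println("linked asset:  " + (serve("/com/example/style.css", digest) != null));
        System.out.println("no digest:     " + (serve("/com/example/internal.properties", null) != null));
        System.out.println("wrong digest:  " + (serve("/com/example/internal.properties", digest) != null));
    }
}
```

Only the first request returns content; the other two are refused because the caller cannot present a digest that matches the file it names.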





