tapestry-dev mailing list archives

From: Howard Lewis Ship <hls...@gmail.com>
Subject: Asset security flaw
Date: Sat, 12 Mar 2005 21:21:25 GMT

I've fixed the asset security flaw in 3.1.  Asset URLs created by the
asset service now include the path AND an MD5 Digest for the file. 
The digest is the necessary credential for the file ... no digest, no
file. Since you need the content of the file to create the digest ...
I think this little hole is plugged.

There's no reason why the same approach won't work for 3.0.3.

-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com
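
The scheme described in the message, sketched as an added example that is not Tapestry's code or part of the original post: the link-building side appends the MD5 digest of the file's content to the asset URL, and the serving side recomputes the digest and refuses the request unless it matches. The URL parameter names, the `AssetDigestDemo` class and the in-memory resource map are assumptions made for illustration; `HexFormat` requires Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Locale;
import java.util.Map;

public class AssetDigestDemo {
    // Constructed stand-in for classpath resources (path -> content).
    static final Map<String, byte[]> RESOURCES = Map.of(
        "/org/example/app/style.css", "body { margin: 0 }".getBytes(StandardCharsets.UTF_8),
        "/org/example/app/secret.properties", "db.password=constructed".getBytes(StandardCharsets.UTF_8));

    static String md5Hex(byte[] content) throws NoSuchAlgorithmException {
        return HexFormat.of().formatHex(MessageDigest.getInstance("MD5").digest(content));
    }

    // Link-building side: called only for assets the application itself references.
    // The query parameter names are hypothetical.
    static String buildUrl(String path) throws NoSuchAlgorithmException {
        return "/app?service=asset&path=" + path + "&digest=" + md5Hex(RESOURCES.get(path));
    }

    // Serving side: no digest, or a digest that does not match the file, means no file.
    static byte[] serve(String path, String digest) throws NoSuchAlgorithmException {
        byte[] content = RESOURCES.get(path);
        if (content == null || digest == null) return null;
        byte[] expected = md5Hex(content).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = digest.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII);
        // Constant-time comparison so the check does not reveal how many characters matched.
        return MessageDigest.isEqual(expected, supplied) ? content : null;
    }

    public static void main(String[] args) throws Exception {
        String css = "/org/example/app/style.css";
        String secret = "/org/example/app/secret.properties";
        System.out.println(buildUrl(css));
        System.out.println("valid digest served:   " + (serve(css, md5Hex(RESOURCES.get(css))) != null));
        System.out.println("missing digest served: " + (serve(secret, null) != null));
        System.out.println("guessed digest served: " + (serve(secret, "0".repeat(32)) != null));
    }
}
```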
