tapestry-dev mailing list archives

From Howard Lewis Ship <hls...@gmail.com>
Subject Re: Asset security flaw
Date Sun, 13 Mar 2005 16:05:53 GMT
It seemed like a good default, one that you could assume was in place.
It would be easy to make it configurable, of course.  Is there another
digest algorithm that you think would be better?


On Sat, 12 Mar 2005 15:30:26 -0800, Paul Ferraro <pmf8@columbia.edu> wrote:
> Is there a reason why you chose to hard code the MessageDigest algorithm
> to MD5 rather than let it be configurable?
> 
> Paul
> 
> Howard Lewis Ship wrote:
> 
> >I've fixed the asset security flaw in 3.1.  Asset URLs created by the
> >asset service now include the path AND an MD5 Digest for the file.
> >The digest is the necessary credential for the file ... no digest, no
> >file. Since you need the content of the file to create the digest ...
> >I think this little hole is plugged.
> >
> >There's no reason why the same approach won't work for 3.0.3.
> >
> >
> >
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
> 
> 


-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com
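
The digest-as-credential check described in this message, with the digest algorithm made configurable as Paul asks, as an added example that is not part of the original thread and is not Tapestry's code. The class, method and URL parameter names are hypothetical, the sample asset is constructed, and `HexFormat` assumes Java 17 or later.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;

// Hypothetical sketch, not Tapestry's asset service: all names here are assumptions.
public class DigestGuardedAssets {
    private final String algorithm; // "MD5" (the default in the thread) or e.g. "SHA-256"

    public DigestGuardedAssets(String algorithm) throws NoSuchAlgorithmException {
        MessageDigest.getInstance(algorithm); // reject an unknown algorithm name at startup
        this.algorithm = algorithm;
    }

    // Hex digest of the file content; computing it requires read access to the file.
    String digestOf(byte[] content) throws NoSuchAlgorithmException {
        return HexFormat.of().formatHex(MessageDigest.getInstance(algorithm).digest(content));
    }

    // URL the server emits when rendering a page that references the asset
    // (path is not URL-encoded here, to keep the example short).
    String buildUrl(String path, byte[] content) throws NoSuchAlgorithmException {
        return "/asset?path=" + path + "&digest=" + digestOf(content);
    }

    // "No digest, no file": serve only if the presented digest matches the content.
    boolean mayServe(byte[] content, String presented) throws NoSuchAlgorithmException {
        if (presented == null) return false;
        byte[] expected = digestOf(content).getBytes(StandardCharsets.US_ASCII);
        byte[] given = presented.getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, given); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        Path file = Files.createTempFile("asset", ".css"); // constructed sample asset
        Files.writeString(file, "body { color: black; }");
        byte[] content = Files.readAllBytes(file);
        for (String alg : new String[] {"MD5", "SHA-256"}) {
            DigestGuardedAssets assets = new DigestGuardedAssets(alg);
            String url = assets.buildUrl("/css/site.css", content);
            String digest = url.substring(url.indexOf("&digest=") + "&digest=".length());
            System.out.println(alg + ": " + url);
            System.out.println("  issued digest accepted:  " + assets.mayServe(content, digest));
            System.out.println("  missing digest accepted: " + assets.mayServe(content, null));
            System.out.println("  guessed digest accepted: " + assets.mayServe(content, "00".repeat(16)));
        }
        Files.delete(file);
    }
}
```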
