tapestry-dev mailing list archives

From Howard Lewis Ship <hls...@gmail.com>
Subject Re: Asset security flaw
Date Sun, 13 Mar 2005 17:16:50 GMT
Beware of premature optimizations.  It's a one-time cost to compute
the digest, the result is cached.

On Sun, 13 Mar 2005 17:26:06 +0100, ron <ron.piterman@gmx.net> wrote:
> I am not sure about that, but wouldn't it be a performance issue when
> serving many big files?
> What about performing md5 on the first, let's say, 2K of a file?
> 
> Quoting Howard Lewis Ship:
> 
> >It seemed like a good default, one that you could assume was in place.
> >It would be easy to make it configurable, of course.  Is there another
> >digest algorithm that you think would be better?
> >
> >
> >On Sat, 12 Mar 2005 15:30:26 -0800, Paul Ferraro <pmf8@columbia.edu> wrote:
> >
> >
> >>Is there a reason why you chose to hard code the MessageDigest algorithm
> >>to MD5 rather than let it be configurable?
> >>
> >>Paul
> >>
> >>Howard Lewis Ship wrote:
> >>
> >>
> >>
> >>>I've fixed the asset security flaw in 3.1.  Asset URLs created by the
> >>>asset service now include the path AND an MD5 Digest for the file.
> >>>The digest is the necessary credential for the file ... no digest, no
> >>>file. Since you need the content of the file to create the digest ...
> >>>I think this little hole is plugged.
> >>>
> >>>There's no reason why the same approach won't work for 3.0.3.
> >>>
> >>>
> >>>
> >>>
> >>>
> >>---------------------------------------------------------------------
> >>To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
> >>For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
> >>
> >>
> >>
> >>
> >
> >
> >
> >
> 


-- 
Howard M. Lewis Ship
Independent J2EE / Open-Source Java Consultant
Creator, Jakarta Tapestry
Creator, Jakarta HiveMind

Professional Tapestry training, mentoring, support
and project work.  http://howardlewisship.com
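
The scheme discussed in this thread, as an added example that is not Tapestry's code and not written by any of the posters: the asset URL carries the path and a digest of the full file, the digest is computed once and cached, and the algorithm is configurable. The class name `AssetDigestGuard`, its method names and the URL layout are assumptions made for illustration.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class for illustration; not Tapestry's implementation.
public class AssetDigestGuard {
    private final String algorithm; // "MD5" as in the thread, or e.g. "SHA-256"
    private final Map<Path, byte[]> cache = new ConcurrentHashMap<>();

    public AssetDigestGuard(String algorithm) { this.algorithm = algorithm; }

    // Digest over the whole file content, computed once per path, then cached.
    private byte[] digestOf(Path file) {
        return cache.computeIfAbsent(file.toAbsolutePath().normalize(), p -> {
            try {
                return MessageDigest.getInstance(algorithm).digest(Files.readAllBytes(p));
            } catch (Exception e) {
                throw new IllegalStateException("cannot digest " + p, e);
            }
        });
    }

    // URL layout is an assumption: path plus hex digest as the credential.
    public String buildUrl(Path file) {
        return "/asset?path=" + file + "&digest=" + HexFormat.of().formatHex(digestOf(file));
    }

    // "No digest, no file": serve only if the presented digest matches.
    public boolean mayServe(Path file, String presentedHex) {
        if (presentedHex == null || !Files.isRegularFile(file)) return false;
        try { // MessageDigest.isEqual compares in constant time
            return MessageDigest.isEqual(digestOf(file), HexFormat.of().parseHex(presentedHex));
        } catch (IllegalArgumentException e) {
            return false; // presented value is not valid hex
        }
    }

    public static void main(String[] args) throws Exception {
        Path f = Files.createTempFile("asset", ".css"); // constructed sample asset
        Files.writeString(f, "body { color: black; }");
        AssetDigestGuard guard = new AssetDigestGuard("MD5");
        String url = guard.buildUrl(f);
        String digest = url.substring(url.indexOf("&digest=") + "&digest=".length());
        System.out.println(url);
        System.out.println(guard.mayServe(f, digest) + " " + guard.mayServe(f, null)
                + " " + guard.mayServe(f, "00".repeat(16)));
    }
}
```

The cache in this sketch is never invalidated, so a file that changes on disk keeps its old digest until the process restarts.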
