From: Erik Hatcher
Subject: Re: [jira] Commented: (TAPESTRY-278) Tapestry 3.0.2 asset service has security flaw
Date: Wed, 9 Mar 2005 05:21:07 -0500
To: "Tapestry development"
In-Reply-To: <2145954676.1110358732626.JavaMail.jira@ajax.apache.org>
Message-Id: <9e9aac1c7e783676505e45462e40edff@ehatchersolutions.com>
I'm bringing this issue to the e-mail list. Many of us already knew this existed and it has been discussed here before, but I've always used other techniques to block this hole. I agree it's serious and needs to be corrected.

What do folks suggest as the proper fix? Preventing ".." would be a quick and dirty way to stop path snooping, but also blocking all but a set of extensions would be needed.

There are some workarounds:

* use the asset externalization feature so that asset serving is from the container or web server rather than the asset service directly
* use a servlet filter to block everything but .jpg/.gif/.png. Interestingly, my clean URL servlet filter on lucenebook.com thwarts the security hole.

Howard - what do you see as a fix for this? This warrants a 3.0.3 release IMO.

Erik

On Mar 9, 2005, at 3:58 AM, Danny Angus (JIRA) wrote:

> [ http://issues.apache.org/jira/browse/TAPESTRY-278?page=comments#action_60487 ]
>
> Danny Angus commented on TAPESTRY-278:
> --------------------------------------
>
> This is a very significant issue which needs addressed as soon as possible.
>
>> Tapestry 3.0.2 asset service has security flaw
>> ----------------------------------------------
>>
>> Key: TAPESTRY-278
>> URL: http://issues.apache.org/jira/browse/TAPESTRY-278
>> Project: Tapestry
>> Type: Bug
>> Components: Framework
>> Versions: 3.0.2
>> Environment: Tomcat 5, JDK 1.4
>> Reporter: Nathan Kopp
>
>>
>> The asset service can be used to view files that should not be visible. This could expose important resources, including database passwords and connection information.
>> The asset service appears to expose any file relative to the classpath, and you can even use the ".." operator to go backwards, down into WEB-INF in general.
>> Here are some examples. They were tested on a demo application which is often available on the web, but they've been "cleaned," so they don't point to a real server anymore:
>> * View the web.xml file:
>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Fweb.xml
>> * View the tapestry.application file:
>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2Ftapestry.application
>> * View a raw JSP file:
>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2F..%2F..%2F404.jsp
>> * Download a few class files that are part of the application:
>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FMessageFilter.class
>> http://www.someserver.com/tapestry-app/app?service=asset&sp=S%2Forg%2Fappfuse%2Fweb%2FBaseEngine.class
>
> --
> This message is automatically generated by JIRA.
> -
> If you think it was sent incorrectly contact one of the administrators:
> http://issues.apache.org/jira/secure/Administrators.jspa
> -
> If you want more information on JIRA, or have a bug to report see:
> http://www.atlassian.com/software/jira
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tapestry-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tapestry-dev-help@jakarta.apache.org
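The servlet-filter workaround mentioned in the thread, written out as an added example; this is not code from the thread, from Erik's lucenebook.com filter, or from Tapestry itself. It combines the two checks the mail says are both needed: rejecting any ".." segment and allowing only .jpg/.gif/.png. Only the `service` and `sp` parameter names are taken from the reported URLs; the class name `AssetServiceFilter`, the JDK 1.4-style code, and the assumption that the filter is mapped to the same URL pattern as the Tapestry application servlet are mine. Because the servlet container URL-decodes request parameters, the filter inspects the decoded value (`S/../web.xml`, not `S%2F..%2Fweb.xml`); as a defensive choice it also refuses values that still contain `%`, a backslash or a NUL byte rather than trying to decode them a second time.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter placed in front of the Tapestry 3.0.x application
 * servlet. It only intervenes for the asset service and allow-lists what
 * that service may serve. Class name and mapping are assumptions for this
 * example; the "service" and "sp" parameter names come from the report.
 */
public class AssetServiceFilter implements Filter {

    // Extensions the asset service may serve (the workaround in the mail).
    private static final Set ALLOWED_EXTENSIONS = new HashSet();
    static {
        ALLOWED_EXTENSIONS.add("jpg");
        ALLOWED_EXTENSIONS.add("gif");
        ALLOWED_EXTENSIONS.add("png");
    }

    public void init(FilterConfig config) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Other Tapestry services are not affected; only "asset" is checked.
        if ("asset".equals(request.getParameter("service"))) {
            // The container has already URL-decoded this parameter, so the
            // reported "S%2F..%2Fweb.xml" arrives here as "S/../web.xml".
            String sp = request.getParameter("sp");
            if (!isAllowedAssetPath(sp)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    /**
     * True only for a decoded "sp" value that names a plain image resource and
     * contains no traversal segment or leftover encoding.
     */
    static boolean isAllowedAssetPath(String sp) {
        if (sp == null || sp.length() == 0) {
            return false;
        }
        // Defensive: a value that still holds '%' might be decoded again
        // downstream; backslashes and NUL have no place in an asset name.
        if (sp.indexOf('%') >= 0 || sp.indexOf('\\') >= 0 || sp.indexOf('\0') >= 0) {
            return false;
        }
        // Reject any ".." path segment, the traversal used in the report.
        String[] segments = sp.split("/");
        for (int i = 0; i < segments.length; i++) {
            if ("..".equals(segments[i])) {
                return false;
            }
        }
        // Allow only the image extensions the workaround permits, so that
        // web.xml, .application, .jsp and .class names are refused even
        // when no ".." is present.
        int dot = sp.lastIndexOf('.');
        if (dot < 0 || dot == sp.length() - 1) {
            return false;
        }
        String extension = sp.substring(dot + 1).toLowerCase(Locale.ENGLISH);
        return ALLOWED_EXTENSIONS.contains(extension);
    }
}
```

With the filter mapped to the application servlet's URL pattern in web.xml, each of the URLs quoted in the report is answered with 403: the first three because of the ".." segment (and, independently, because .xml, .application and .jsp are not on the list), the two .class downloads because of the extension check alone. An application that serves assets with other extensions (for example .css or .js) has to add them to the list; the ".." check stays as it is.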