tapestry-dev mailing list archives

From "Alex Kotchnev (JIRA)" <j...@apache.org>
Subject [jira] Commented: (TAP5-815) Asset dispatcher allows any file inside the webapp visible and downloadable
Date Wed, 04 Nov 2009 21:55:32 GMT

    [ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773653#action_12773653 ]

Alex Kotchnev commented on TAP5-815:
------------------------------------

I'm totally blown away by the lack of interest this issue has received. In my opinion, this
is the type of issue that FORCES a point release, it is that severe and important. There are
several existing solutions that can easily be plugged into the framework, yet no action. 

To my dismay, this has been open since Aug, and the issue has been known for 5.0 for a lot
longer than that. 

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Priority: Blocker
>
> Take any asset and you have a URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css.
> If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside
> the webapp root is shown. It gives you the hint at downloading any file you want, including
> anything inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
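
The kind of path check the report above calls for, as an added example that is not Tapestry's code and not the fix applied for TAP5-815: it refuses folder requests (so no listing is ever produced), anything under WEB-INF or META-INF, and any file type outside an allowlist. The class name `ContextAssetGuard`, the method `isServable` and the extension list are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical guard for context-asset requests; illustration only. */
public class ContextAssetGuard {
    // Assumption: the file types this application treats as public static assets.
    private static final Set<String> PUBLIC_EXTENSIONS =
            new HashSet<>(Arrays.asList("css", "js", "png", "gif", "jpg"));
    // Folders that must never be reachable through an asset URL.
    private static final Set<String> PRIVATE_FOLDERS =
            new HashSet<>(Arrays.asList("web-inf", "meta-inf"));

    /** @param path the URL part after /assets/ctx/(version)/, already URL-decoded once */
    public static boolean isServable(String path) {
        if (path == null || path.isEmpty() || path.endsWith("/")) {
            return false; // empty or folder request: never answer with a listing
        }
        if (path.indexOf('\\') >= 0 || path.indexOf('%') >= 0 || path.indexOf('\0') >= 0) {
            return false; // backslash, leftover encoding or NUL: refuse rather than guess
        }
        String[] segments = path.split("/");
        for (String segment : segments) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false; // no empty, current-folder or parent-folder segments
            }
            if (PRIVATE_FOLDERS.contains(segment.toLowerCase(Locale.ROOT))) {
                return false; // case-insensitive, for case-insensitive file systems
            }
        }
        String file = segments[segments.length - 1];
        int dot = file.lastIndexOf('.');
        if (dot <= 0 || dot == file.length() - 1) {
            return false; // no extension, dotfile, or trailing dot
        }
        return PUBLIC_EXTENSIONS.contains(file.substring(dot + 1).toLowerCase(Locale.ROOT));
    }

    public static void main(String[] args) {
        // Constructed sample paths, modelled on the URL shape in the report.
        String[] samples = {"css/main.css", "", "css/", "WEB-INF/web.xml",
                            "css/../web-inf/web.xml", "notes.txt"};
        for (String s : samples) {
            System.out.println("\"" + s + "\" -> " + (isServable(s) ? "serve" : "404"));
        }
    }
}
```

Only `css/main.css` is served; the empty path that produced the listing in the report, the folder request and both WEB-INF variants are answered as not found.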

