tapestry-dev mailing list archives

From Howard Lewis Ship <hls...@gmail.com>
Subject Re: Next 5.1 release?
Date Fri, 09 Apr 2010 01:13:32 GMT
On Thu, Apr 8, 2010 at 5:11 PM, Thiago H. de Paula Figueiredo
<thiagohp@gmail.com> wrote:
> On Thu, 08 Apr 2010 19:54:03 -0300, Howard Lewis Ship <hlship@gmail.com>
> wrote:
>
>> In terms of a solution: simpler API, assume that most resources are
>> available unless explicitly told not to (i.e., .class and hibernate
>> properties files, etc.).
>
> What should be available by default? My opinion, anything in the context,
> except WEB-INF.
> What should not be available by default? My opinion, anything in the
> classpath.

And that's where I disagree; maybe any non .class file outside of a
controlled package should be protected?  If we remove the malicious
user's ability to "hunt" for files and protect the ones that may be
important (.class, etc.) then we're good.

>
> Anyway, I think we shouldn't prevent users from defining the availability or not
> of a given URL/resource/whatever. There will always be scenarios where some
> files of a type or location should be available and others not. That's why I
> like the asset protection filter configured as a pipeline, each part of it
> receiving a URL (better yet, a Request instance) to analyze.
>
>> Key things: some kind of check to prevent directory listings,
>
> I think directory listings of virtual and classpath assets should be denied,
> but listings of context folders should be configurable (denied by default).
>
>> and
>> properly enforce the extra MD5 checksum for protected resources
>> (.class file, etc.).
>
> +1
>
> --
> Thiago H. de Paula Figueiredo
> Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and
> instructor
> Owner, software architect and developer, Ars Machina Tecnologia da
> Informação Ltda.
> http://www.arsmachina.com.br
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: dev-help@tapestry.apache.org
>
>



-- 
Howard M. Lewis Ship

Creator of Apache Tapestry

The source for Tapestry training, mentoring and support. Contact me to
learn how I can get you up and productive in Tapestry fast!

(971) 678-5210
http://howardlewisship.com

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org
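The asset-protection pipeline argued over in this thread, as an added example that is not part of the thread or of Tapestry's own code: each filter looks at a request and either returns a denial reason or passes it to the next filter, with the defaults discussed above (context resources served except WEB-INF, directory listings denied, non-protected classpath files served only from a controlled package, and .class and .properties files served only when the URL carries the MD5 checksum of their content). The resource paths, contents and the controlled package name are constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Constructed stand-in for context/classpath lookups: path -> content, None marks a directory.
RESOURCES = {
    "context:/images/logo.png": b"\x89PNG fake image bytes",
    "context:/images/": None,
    "context:/WEB-INF/web.xml": b"<web-app/>",
    "classpath:/org/example/assets/app.css": b"body { margin: 0 }",
    "classpath:/org/example/internal/notes.txt": b"internal design notes",
    "classpath:/org/example/pages/Index.class": b"\xca\xfe\xba\xbe fake class file",
    "classpath:/hibernate.properties": b"hibernate.connection.password=secret",
}
CONTROLLED_PACKAGES = ("classpath:/org/example/assets/",)  # assumed app configuration
PROTECTED_SUFFIXES = (".class", ".properties")             # file types named in the thread

@dataclass
class Request:
    path: str
    digest: str = ""  # MD5 hex digest carried in the asset URL; empty when there is none

def digest_of(path: str) -> str:
    return hashlib.md5(RESOURCES[path]).hexdigest()
# Each filter returns a denial reason, or None to pass the request on to the next one.
def deny_directory_listing(req):
    return "directory listing" if RESOURCES[req.path] is None else None
def deny_web_inf(req):
    return "WEB-INF is never served" if req.path.startswith("context:/WEB-INF/") else None

def deny_uncontrolled_classpath(req):
    # Non-protected classpath files come only from controlled packages: no "hunting" for files.
    if (req.path.startswith("classpath:") and not req.path.startswith(CONTROLLED_PACKAGES)
            and not req.path.endswith(PROTECTED_SUFFIXES)):
        return "classpath resource outside a controlled package"

def protected_needs_checksum(req):
    # Protected files are served only when the URL carries the MD5 digest of their content.
    if req.path.endswith(PROTECTED_SUFFIXES) and req.digest != digest_of(req.path):
        return "protected resource: checksum missing or wrong"

PIPELINE = [deny_directory_listing, deny_web_inf, deny_uncontrolled_classpath, protected_needs_checksum]
def decide(req: Request) -> str:
    if req.path not in RESOURCES:
        return "deny: not found"
    for check in PIPELINE:  # first denial wins; a request that passes every filter is served
        reason = check(req)
        if reason:
            return "deny: " + reason
    return "allow"
```

Because a .class or .properties file is served only with a matching digest, a client that can only guess paths never gets one back, while URLs the application itself generates (which carry the digest) keep working.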