tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Paul Stanton (Commented) (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
Date Fri, 24 Feb 2012 21:47:48 GMT

    [ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215948#comment-13215948
] 

Paul Stanton commented on TAP5-1779:
------------------------------------

tapestry does perform the directory listing even without the trailing slash (t5.3.2):

http://host/project/assets/174/ctx/js/components

^-- returned a directory listing.

Also, if your container allows it, a directory listing can be returned by entering a path
to a directory (ie without any context asset path), where one of the directory names includes
a dot (since it makes it through the 'StaticFilesFilter'.
                
> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>            Priority: Minor
>
> You can access asset directory listing by going to Tapestry web site http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this: http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library: http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --------------------------- fix for the code ----------------
>     @Contribute(RequestHandler.class)
>     public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>                     @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
>     {
>         configuration.add("DisableDirListing", new RequestFilter() {
>             @Override
>             public boolean service(Request request, Response response, RequestHandler
handler) throws IOException
>             {
>                 final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion
+ "/" + 
>                         RequestConstants.CONTEXT_FOLDER;
>                 if(request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
>                 {
>                     return false;
>                 }
>                 else
>                 {
>                     return handler.service(request, response);
>                 }
>             }
>         }, "before:AssetDispatcher");
>     }      

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

Mime
View raw message