svn commit: r687094 - in /tapestry/tapestry5/trunk/tapestry-core/src: main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java test/java/org/apache/tapestry5/internal/services/StaticFilesFilterTest.java

Tue, 19 Aug 2008 09:59:41 -0700 

Author: hlship
Date: Tue Aug 19 09:58:48 2008
New Revision: 687094

URL: http://svn.apache.org/viewvc?rev=687094&view=rev
Log:
TAPESTRY-2606: File system warning for certain component event request, on 
windows only

Modified:
    
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java
    
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/StaticFilesFilterTest.java

Modified: 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java?rev=687094&r1=687093&r2=687094&view=diff
==============================================================================
--- 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/StaticFilesFilter.java
 Tue Aug 19 09:58:48 2008
@@ -1,4 +1,4 @@
-// Copyright 2006, 2007 The Apache Software Foundation
+// Copyright 2006, 2007, 2008 The Apache Software Foundation
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -45,34 +45,40 @@
 
         if (path.equals("/favicon.ico")) return false;
 
-        // We are making the questionable assumption that all files to be 
vended out will contain
-        // an extension (with a dot separator). Without this, the filter tends 
to match against
-        // folder names when we don't want it to (especially for the root 
context path).
+        // TAPESTRY-2606: A colon in the path is frequently the case for 
Tapestry event URLs,
+        // but gives Windows fits.
 
-        int dotx = path.lastIndexOf(".");
-
-        if (dotx > 0)
+        if (!path.contains(":"))
         {
-            URL url = context.getResource(path);
+            // We are making the questionable assumption that all files to be 
vended out will contain
+            // an extension (with a dot separator). Without this, the filter 
tends to match against
+            // folder names when we don't want it to (especially for the root 
context path).
 
-            if (url != null)
-            {
-                String suffix = path.substring(dotx + 1);
+            int dotx = path.lastIndexOf(".");
 
-                // We never allow access to Tapestry component templates, even 
if they exist.
-                // It is considered a security risk, like seeing a raw JSP. 
Earlier alpha versions
-                // of Tapestry required that the templates be stored in 
WEB-INF.
+            if (dotx > 0)
+            {
+                URL url = context.getResource(path);
 
-                if 
(suffix.equalsIgnoreCase(InternalConstants.TEMPLATE_EXTENSION))
+                if (url != null)
                 {
+                    String suffix = path.substring(dotx + 1);
 
-                    response.sendError(HttpServletResponse.SC_FORBIDDEN, 
ServicesMessages
-                            .resourcesAccessForbidden(path));
+                    // We never allow access to Tapestry component templates, 
even if they exist.
+                    // It is considered a security risk, like seeing a raw 
JSP. Earlier alpha versions
+                    // of Tapestry required that the templates be stored in 
WEB-INF.
 
-                    return true;
-                }
+                    if 
(suffix.equalsIgnoreCase(InternalConstants.TEMPLATE_EXTENSION))
+                    {
 
-                return false;
+                        response.sendError(HttpServletResponse.SC_FORBIDDEN, 
ServicesMessages
+                                .resourcesAccessForbidden(path));
+
+                        return true;
+                    }
+
+                    return false;
+                }
             }
         }
 

Modified: 
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/StaticFilesFilterTest.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/StaticFilesFilterTest.java?rev=687094&r1=687093&r2=687094&view=diff
==============================================================================
--- 
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/StaticFilesFilterTest.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-core/src/test/java/org/apache/tapestry5/internal/services/StaticFilesFilterTest.java
 Tue Aug 19 09:58:48 2008
@@ -1,4 +1,4 @@
-// Copyright 2007 The Apache Software Foundation
+// Copyright 2007, 2008 The Apache Software Foundation
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -156,6 +156,30 @@
         verify();
     }
 
+    /**
+     * TAPESTRY-2606
+     */
+    @Test
+    public void colon_in_path_prevents_static_file_check() throws Exception
+    {
+        String path = "/start.update:anevent";
+
+        Request request = newRequest(path);
+        Response response = mockResponse();
+        RequestHandler handler = mockRequestHandler();
+        Context context = mockContext();
+
+        train_service(handler, request, response, true);
+
+        replay();
+
+        RequestFilter filter = new StaticFilesFilter(context);
+
+        assertTrue(filter.service(request, response, handler));
+
+        verify();
+    }
+
     protected final void train_getResource(Context context, String path, URL 
url)
     {
         expect(context.getResource(path)).andReturn(url);

Reply via email to