[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12748057#action_12748057 ]
Ulrich Stärk commented on TAP5-815:
-----------------------------------

I had some singleton service holding a collection of allowed assets in mind. This would be injected into AssetSource and queried whether access should be allowed. Allowed assets get added from AssetObjectProvider, AssetInjectionProvider, IncludeJavaScriptLibraryWorker, IncludeStylesheetWorker, ContextBindingFactory and AssetBindingFactory. If people choose to override the default AssetSource they have to live with being responsible for taking care of security.

We could btw. also do the checks in the corresponding AssetFactories.

Uli

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
> Key: TAP5-815
> URL: https://issues.apache.org/jira/browse/TAP5-815
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.1.0.5
> Reporter: Thiago H. de Paula Figueiredo
> Priority: Blocker
>
> Take any asset and you have a URL like
> domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request
> domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files
> inside the webapp root is shown. It gives you the hint at downloading any
> file you want, including anything inside WEB-INF and assets that should be
> protected by ResourceDigestGenerator.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
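The allow-list service proposed in the comment above, sketched as an added example in plain Java. This is not Tapestry code and not the patch that fixed TAP5-815: the class name `AllowedAssetRegistry`, its methods, and the path normalisation are assumptions. The idea is the one in the comment: the places that legitimately create assets (the providers, workers and binding factories) register each context path, and the dispatcher refuses anything that was never registered, so a bare directory request or a guessed path under WEB-INF is not served.

```java
import java.util.ArrayDeque;
import java.util.Collections;
import java.util.Deque;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical singleton holding the set of context assets that may be served.
 * Not part of Tapestry; names and behaviour are assumptions for illustration.
 */
public final class AllowedAssetRegistry {

    // Registered assets are added at startup / page load from several threads.
    private final Set<String> allowed = Collections.synchronizedSet(new HashSet<>());

    /**
     * Normalise a context path so that registered and requested paths compare
     * like with like: forward slashes, no leading slash, "." and ".." resolved.
     */
    static String normalize(String path) {
        String p = path.replace('\\', '/');
        Deque<String> out = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (!out.isEmpty()) {
                    out.removeLast();
                }
                continue;
            }
            out.addLast(seg);
        }
        return String.join("/", out);
    }

    /** Called wherever an asset is legitimately created (the providers, workers and binding factories). */
    public void register(String contextPath) {
        allowed.add(normalize(contextPath));
    }

    /** Called by the asset dispatcher before it serves a context resource. */
    public boolean isAllowed(String requestedPath) {
        // A request for a directory must never produce a listing.
        if (requestedPath.endsWith("/")) {
            return false;
        }
        String p = normalize(requestedPath);
        if (p.isEmpty()) {
            return false;
        }
        // Belt and braces: container-private directories are refused even if
        // something registered them by mistake (case-insensitive, since some
        // file systems are).
        if (p.regionMatches(true, 0, "WEB-INF/", 0, 8)
                || p.regionMatches(true, 0, "META-INF/", 0, 9)) {
            return false;
        }
        // Only assets that were explicitly registered are served.
        return allowed.contains(p);
    }

    public static void main(String[] args) {
        AllowedAssetRegistry registry = new AllowedAssetRegistry();
        // Constructed sample: a stylesheet registered by something like IncludeStylesheetWorker.
        registry.register("css/main.css");

        System.out.println(registry.isAllowed("/css/main.css"));          // registered asset
        System.out.println(registry.isAllowed("/"));                       // directory request
        System.out.println(registry.isAllowed("/WEB-INF/web.xml"));        // private directory
        System.out.println(registry.isAllowed("/css/../WEB-INF/web.xml")); // traversal into WEB-INF
        System.out.println(registry.isAllowed("/css/other.css"));          // never registered
    }
}
```

Rejecting by default and adding paths only from the code paths that create assets is what makes this an allow list rather than a block list: the check does not need to know every private location in the webapp, only what the application itself chose to expose.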