[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12773640#action_12773640 ]
David Rees commented on TAP5-815: --------------------------------- This similarly 5.0.18 similarly as well - and the issue has been open for quite some time. Is 5.0 maintained at all for security related issues? What about 5.1? > Asset dispatcher allows any file inside the webapp visible and downloadable > --------------------------------------------------------------------------- > > Key: TAP5-815 > URL: https://issues.apache.org/jira/browse/TAP5-815 > Project: Tapestry 5 > Issue Type: Bug > Affects Versions: 5.1.0.5 > Reporter: Thiago H. de Paula Figueiredo > Priority: Blocker > > Take any asset and you have an URL like > domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request > domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files > inside the webapp root is shown. It gives you the hint at downloading any > file you want, including anyting inside WEB-INF and assets that should be > protected by ResourceDigestGenerator. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.