[ https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774227#action_12774227 ]
Christian Köberl commented on TAP5-815: --------------------------------------- I just "hacked" our application and found even more concerning thing - if you add a "/" to your URL you can even look at assets extensions contributed to ResourceDigestGenerator (default: tml, class). We use this mechanism to hide assets like xml, properties, ... This requires a digest: http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml This works: http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml/ http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.class/ Could any committer please add this to AssetDispatcher line 65 (in 5.1.0.5): if(path.endsWith("/") || path.indexOf('.') < 0) return false; And then create 5.0.19 and 5.1.0.6. I know this will not fix everything but at least not all Tapestry apps out there are open as a book. Thanks, Chris > Asset dispatcher allows any file inside the webapp visible and downloadable > --------------------------------------------------------------------------- > > Key: TAP5-815 > URL: https://issues.apache.org/jira/browse/TAP5-815 > Project: Tapestry 5 > Issue Type: Bug > Affects Versions: 5.1.0.5 > Reporter: Thiago H. de Paula Figueiredo > Assignee: Robert Zeigler > Priority: Blocker > > Take any asset and you have an URL like > domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request > domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files > inside the webapp root is shown. It gives you the hint at downloading any > file you want, including anyting inside WEB-INF and assets that should be > protected by ResourceDigestGenerator. -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.