[
https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12774227#action_12774227
]
Christian Köberl commented on TAP5-815:
---------------------------------------
I just "hacked" our application and found even more concerning thing - if you
add a "/" to your URL you can even look at assets extensions contributed to
ResourceDigestGenerator (default: tml, class).
We use this mechanism to hide assets like xml, properties, ...
This requires a digest:
http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml
This works:
http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.tml/
http://tapestry-test.appspot.com/assets/at/priv/koeberl/tapestrymail/pages/BadTemplate.class/
Could any committer please add this to AssetDispatcher line 65 (in 5.1.0.5):
if(path.endsWith("/") || path.indexOf('.') < 0)
return false;
And then create 5.0.19 and 5.1.0.6.
I know this will not fix everything but at least not all Tapestry apps out
there are open as a book.
Thanks,
Chris
> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
> Key: TAP5-815
> URL: https://issues.apache.org/jira/browse/TAP5-815
> Project: Tapestry 5
> Issue Type: Bug
> Affects Versions: 5.1.0.5
> Reporter: Thiago H. de Paula Figueiredo
> Assignee: Robert Zeigler
> Priority: Blocker
>
> Take any asset and you have an URL like
> domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request
> domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files
> inside the webapp root is shown. It gives you the hint at downloading any
> file you want, including anyting inside WEB-INF and assets that should be
> protected by ResourceDigestGenerator.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
