[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215662#comment-13215662 ]
Lenny Primak commented on TAP5-1779:
------------------------------------

Tapestry will not perform a directory listing if the trailing slash is left off. Thus the patch does solve the problem.
With this patch the directory listing cannot be performed under any circumstances.

> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>            Priority: Minor
>
> You can access asset directory listing by going to Tapestry web site
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this:
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library:
> http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --------------------------- fix for the code ----------------
>     @Contribute(RequestHandler.class)
>     public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>             @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
>     {
>         configuration.add("DisableDirListing", new RequestFilter() {
>             @Override
>             public boolean service(Request request, Response response,
>                     RequestHandler handler) throws IOException
>             {
>                 // Path prefix of the context asset folder for this application version
>                 final String assetFolder = RequestConstants.ASSET_PATH_PREFIX
>                         + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;
>                 if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
>                 {
>                     // Directory-style request (trailing slash) under the asset folder:
>                     // report it as not handled instead of passing it down the pipeline
>                     return false;
>                 }
>                 else
>                 {
>                     return handler.service(request, response);
>                 }
>             }
>         }, "before:AssetDispatcher");
>     }