[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

Fri, 24 Feb 2012 07:13:14 -0800 

    [ 
https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215662#comment-13215662
 ] 

Lenny Primak commented on TAP5-1779:
------------------------------------

Tapestry will not perform a directory listing if the trailing slash is left 
off. Thus the patch does solve the problem. 
With this patch the directory listing cannot be performed under any 
circumstances. 
                
> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>            Priority: Minor
>
> You can access asset directory listing by going to Tapestry web site 
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this: 
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library: 
> http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --------------------------- fix for the code ----------------
>     @Contribute(RequestHandler.class)
>     public void disableAssetDirListing(OrderedConfiguration<RequestFilter> 
> configuration,
>                     @Symbol(SymbolConstants.APPLICATION_VERSION) final String 
> applicationVersion)
>     {
>         configuration.add("DisableDirListing", new RequestFilter() {
>             @Override
>             public boolean service(Request request, Response response, 
> RequestHandler handler) throws IOException
>             {
>                 final String assetFolder = RequestConstants.ASSET_PATH_PREFIX 
> + applicationVersion + "/" + 
>                         RequestConstants.CONTEXT_FOLDER;
>                 if(request.getPath().startsWith(assetFolder) && 
> request.getPath().endsWith("/"))
>                 {
>                     return false;
>                 }
>                 else
>                 {
>                     return handler.service(request, response);
>                 }
>             }
>         }, "before:AssetDispatcher");
>     }      

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to