[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lenny Primak updated TAP5-1779:
-------------------------------

    Description: 

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--------------------------- fix for the code ----------------

    import java.io.IOException;

    import org.apache.tapestry5.SymbolConstants;
    import org.apache.tapestry5.internal.services.RequestConstants;
    import org.apache.tapestry5.ioc.OrderedConfiguration;
    import org.apache.tapestry5.ioc.annotations.Contribute;
    import org.apache.tapestry5.ioc.annotations.Symbol;
    import org.apache.tapestry5.services.Request;
    import org.apache.tapestry5.services.RequestFilter;
    import org.apache.tapestry5.services.RequestHandler;
    import org.apache.tapestry5.services.Response;

    public class SecurityModule
    {
        // Contributed to the RequestHandler pipeline and ordered before the
        // AssetDispatcher, so a request for the folder never reaches the
        // asset-serving code.
        @Contribute(RequestHandler.class)
        public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
                @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
        {
            configuration.add("DisableDirListing", new RequestFilter()
            {
                @Override
                public boolean service(Request request, Response response, RequestHandler handler)
                        throws IOException
                {
                    // "/assets/{version}/ctx/": the root of the context (web app) assets
                    final String assetFolder = RequestConstants.ASSET_PATH_PREFIX
                            + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;

                    // A path below the context folder that ends in "/" names a folder,
                    // not a file: return false so Tapestry does not service it.
                    if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                    {
                        return false;
                    }
                    else
                    {
                        return handler.service(request, response);
                    }
                }
            }, "before:AssetDispatcher");
        }
    }

  was:

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--------------------------- fix for the code ----------------

    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
            @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
    {
        configuration.add("DisableDirListing", new RequestFilter()
        {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException
            {
                final String assetFolder = RequestConstants.ASSET_PATH_PREFIX
                        + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;
                if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                {
                    return false;
                }
                else
                {
                    return handler.service(request, response);
                }
            }
        }, "before:AssetDispatcher");
    }


> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
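The check a practitioner wants before and after deploying the filter above: a probe that fetches a page, pulls the /assets/{version}/ctx/ prefix out of the page's own asset links (so the application version does not have to be known in advance) and then requests that folder with its trailing slash, which is exactly the form the filter's endsWith("/") test blocks. This is an added example written for this page; it is not code from the Tapestry project, from the flowlogix library or from the reporter. The sample HTML and the two fake fetchers are constructed, and the "exposed" heuristic (a 200 whose body names the first path segment of assets the page itself references, such as css or js) is an assumption about what a listing contains, not something the report states.

```python
"""Probe a Tapestry 5 site for the context-folder listing reported in TAP5-1779.

Added example for this page; not code from Tapestry or the flowlogix library.
"""
import re
import sys
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

# Tapestry 5.3 renders context assets as <prefix>/assets/{version}/ctx/<path>;
# the regex captures the whole attribute value, the version and the path.
ASSET_RE = re.compile(
    r'(?:src|href)=["\']([^"\']*?/assets/([^/"\']+)/ctx/([^"\'?#]*))',
    re.IGNORECASE)


def find_ctx_assets(html):
    """Return (context folder URL, [paths referenced under it]).

    (None, []) when the page references no context assets or mixes versions."""
    folders = set()
    paths = []
    for full, version, path in ASSET_RE.findall(html):
        marker = "/assets/%s/ctx/" % version
        folders.add(full[: full.index(marker) + len(marker)])
        paths.append(path)
    if len(folders) != 1:
        return None, []
    return folders.pop(), paths


def looks_like_listing(status, body, referenced_paths):
    """Heuristic (assumption): a 200 whose body names the first segment of
    assets the page itself references (e.g. "css", "js") is a folder listing."""
    if status != 200:
        return False
    names = {p.split("/")[0] for p in referenced_paths if p}
    return any(name in body for name in names)


def default_fetch(url):
    """Return (status, body) for url; HTTP error responses are returned, not raised."""
    req = Request(url, headers={"User-Agent": "tap5-1779-probe"})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, fetch=default_fetch):
    """Fetch base_url, derive the /assets/{version}/ctx/ folder from its own
    links and request that folder (trailing slash included: that is the form
    the reporter's filter blocks).  `fetch` is injectable for offline tests."""
    status, html = fetch(base_url)
    folder, paths = find_ctx_assets(html)
    if folder is None:
        return {"url": None, "status": status, "exposed": False}
    url = urljoin(base_url, folder)  # keeps a context path such as /app/
    folder_status, body = fetch(url)
    return {"url": url, "status": folder_status,
            "exposed": looks_like_listing(folder_status, body, paths)}


# Constructed sample page and fake fetchers so the probe can run offline.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" type="text/css" href="/app/assets/1.0.2/ctx/css/site.css"/>
<script type="text/javascript" src="/app/assets/1.0.2/ctx/js/app.js"></script>
</head><body></body></html>"""


def fake_fetch_listing(url):
    """Constructed server that lists the context folder (the reported behaviour)."""
    if url.endswith("/ctx/"):
        return 200, "css\njs\nWEB-INF\nIndex.tml\n"
    return 200, SAMPLE_HTML


def fake_fetch_blocked(url):
    """Constructed server with the filter in place: the folder request is a 404."""
    if url.endswith("/ctx/"):
        return 404, "Not Found"
    return 200, SAMPLE_HTML


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    fetch = default_fetch if target else fake_fetch_listing
    print(probe(target or "http://example.invalid/app/", fetch=fetch))
```

Run it as `python probe.py http://host/app/` against a real deployment, or with no argument to see it classify the constructed listing. Note that the probe only asks for the folder path with its trailing slash; the filter in the report keys on `endsWith("/")`, so that is the one form it is documented to block, and a 404 there says nothing about other spellings of the same path.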