[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lenny Primak updated TAP5-1779:
-------------------------------

    Description:

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--------------------------- fix for the code ----------------

    /**
     * See <a href="https://issues.apache.org/jira/browse/TAP5-1779" target="_blank">TAP5-1779</a>
     */
    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
            @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion,
            final Context ctxt)
    {
        // Runs ahead of the AssetDispatcher so directory requests never reach it.
        configuration.add("DisableDirListing", new RequestFilter() {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler) throws IOException
            {
                // "/assets/{version}/ctx": the prefix under which context assets are served
                final String assetFolder = assetPathPrefix + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;
                if (request.getPath().startsWith(assetFolder))
                {
                    // Block both an explicit trailing slash and a path that resolves to a real directory.
                    if (request.getPath().endsWith("/") ||
                            ctxt.getRealFile(pathProcessor.removeAssetPathPart(request.getPath())).isDirectory())
                    {
                        return false;
                    }
                }
                return handler.service(request, response);
            }
        }, "before:AssetDispatcher");
    }

  was:
You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.
Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--------------------------- fix for the code ----------------

    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
            @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
    {
        configuration.add("DisableDirListing", new RequestFilter() {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler) throws IOException
            {
                // "/assets/{version}/ctx": the prefix under which context assets are served
                final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;
                // Only a trailing slash is treated as a directory request in this revision.
                if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                {
                    return false;
                }
                else
                {
                    return handler.service(request, response);
                }
            }
        }, "before:AssetDispatcher");
    }

> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
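As an added example (not the reporter's code and not part of Tapestry), the decision logic of both revisions of the filter reduced to plain Java so they can be compared on sample asset paths; the version string "1.0.0", the temporary directory standing in for the web context, and the path-resolution stand-in for pathProcessor/ctxt are all constructed for this example.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Added example: the DisableDirListing decision from both revisions of the report,
 *  reduced to plain Java so the two can be compared on sample request paths. */
public class AssetDirListingCheck {
    // Mirrors ASSET_PATH_PREFIX + applicationVersion + "/" + CONTEXT_FOLDER; "1.0.0" is a constructed version
    static final String ASSET_FOLDER = "/assets/1.0.0/ctx";

    /** First revision: only a trailing slash marks a directory request. */
    static boolean blockedByFirstRevision(String requestPath) {
        return requestPath.startsWith(ASSET_FOLDER) && requestPath.endsWith("/");
    }

    /** Second revision: additionally resolves the path inside the web context and
     *  blocks it when it names a real directory, with or without a trailing slash. */
    static boolean blockedBySecondRevision(String requestPath, Path contextRoot) {
        if (!requestPath.startsWith(ASSET_FOLDER)) return false;
        if (requestPath.endsWith("/")) return true;
        // Stand-in for pathProcessor.removeAssetPathPart() followed by ctxt.getRealFile():
        // strip the asset prefix and map the remainder onto the context root.
        String relative = requestPath.substring(ASSET_FOLDER.length());
        if (relative.startsWith("/")) relative = relative.substring(1);
        Path real = contextRoot.resolve(relative).normalize();
        // Only consult the filesystem for paths that remain inside the context root.
        return real.startsWith(contextRoot) && Files.isDirectory(real);
    }

    public static void main(String[] args) throws Exception {
        // Constructed web context: ctx/images/logo.png
        Path root = Files.createTempDirectory("ctx");
        Files.createDirectories(root.resolve("images"));
        Files.createFile(root.resolve("images/logo.png"));
        List<String> samples = List.of(
                ASSET_FOLDER + "/",                 // listing of the context root
                ASSET_FOLDER + "/images",           // directory named without a trailing slash
                ASSET_FOLDER + "/images/logo.png",  // ordinary asset, must stay reachable
                "/pages/index");                    // unrelated request, passed through
        for (String p : samples) {
            System.out.printf("%-34s first revision blocks: %-5b second revision blocks: %b%n",
                    p, blockedByFirstRevision(p), blockedBySecondRevision(p, root));
        }
    }
}
```

Running it shows the gap that motivated the second revision: "/assets/1.0.0/ctx/images" is passed through by the trailing-slash check alone but blocked once the resolved file is tested with isDirectory().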