I proposed a (maybe not-so-elegant) regex for that "dot-problem" in the other thread: http://tapestry-developers.221625.n2.nabble.com/Rationale-behind-the-pathPattern-regex-in-the-RegexAuthorizer-contribution-td4419177.html#a4419177
What's wrong with such a solution?

On 04.05.2010 at 20:26, Robert Zeigler wrote:

> On May 4, 2010, at 5/412:34 PM , Howard Lewis Ship wrote:
>
>> On Tue, May 4, 2010 at 10:04 AM, Robert Zeigler <robe...@scazdl.org> wrote:
>>> AssetProtection for 5.2 has been resolved. The dispatcher introduced in 5.1
>>> has been stripped out in favor of a less obtrusive system.
>>
>> It's not quite complete; I haven't come up with a sure-fire way to
>> prevent malicious users from retrieving directory listings. I may
>> simply add a check that the classpath asset to retrieve includes a '.'
>> in the name somewhere.
>
> Seems like a sucky check that could easily be circumvented. E.g.:
>
> foo/./bar will have a dot, and give you a directory listing. The browser is
> likely to clean up this request, but that doesn't prevent someone from using
> wget or curl to fetch the directory listing.
>
> Robert
>
>>> Robert
>>>
>>> On May 4, 2010, at 5/411:53 AM , Christian Riedel wrote:
>>>
>>>> Have you already decided on a solution for the asset protection issue? I
>>>> think it was also in progress for 5.2 as well, wasn't it?
>>>> Anyway, it's time for a release!
>>>> I tested 5.2 on one of my apps and the upgrade was just the switch of the
>>>> version number (as promised) :)
>>>>
>>>> On 04.05.2010 at 10:23, Robin Komiwes wrote:
>>>>
>>>>> Would be great for external contributions too.
>>>>>
>>>>> On Tue, May 4, 2010 at 9:21 AM, Christian Edward Gruber
>>>>> <christianedwardgru...@gmail.com> wrote:
>>>>>
>>>>>> +1. We're using a trunk build from 4/26 and we're having a nice time of
>>>>>> it... but having a build known to be well-tested and accepted would be
>>>>>> nice.
>>>>>>
>>>>>> Christian.
>>>>>>
>>>>>> On May 4, 2010, at 3:12 AM, Massimo Lusetti wrote:
>>>>>>
>>>>>>> On Tue, May 4, 2010 at 8:39 AM, Igor Drobiazko
>>>>>>> <igor.drobia...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Tapestry 5.1.0.5 was released one year ago and I think we need a new
>>>>>>>> release. We've fixed around 160 issues, we have a lot of improvements
>>>>>>>> and bug fixes.
>>>>>>>>
>>>>>>>> There are so many new features I can't live without. I would love to
>>>>>>>> upgrade my apps. What do you think about a 5.2.0 release?
>>>>>>>
>>>>>>> I've been using 5.2 from day one and it has proven to be reliable, as
>>>>>>> was with 5.1 and 5.0 so I guess it would be really nice to have a
>>>>>>> 5.2.x release.
>>>>>>>
>>>>>>> Cheers
>>>>>>> --
>>>>>>> Massimo
>>>>>>> http://meridio.blogspot.com
>>>>>>>
>>>>>>> ---------------------------------------------------------------------
>>>>>>> To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
>>>>>>> For additional commands, e-mail: dev-h...@tapestry.apache.org
>>
>> --
>> Howard M. Lewis Ship
>>
>> Creator of Apache Tapestry
>>
>> The source for Tapestry training, mentoring and support. Contact me to
>> learn how I can get you up and productive in Tapestry fast!
>>
>> (971) 678-5210
>> http://howardlewisship.com
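
The weakness raised in the quoted exchange, as an added example that is not Tapestry code and not from any participant in this thread: a check that only looks for a '.' anywhere in the requested classpath asset path accepts foo/./bar, while a check applied per path segment does not. The class and method names are hypothetical, the stricter check is one possible approach rather than the project's fix, and paths are assumed to be relative, '/'-separated and already URL-decoded.

```java
// Added illustration; class and method names are hypothetical, not Tapestry API.
public class AssetPathCheck {

    // The check floated in the thread: accept if the path has a '.' anywhere.
    static boolean naiveCheck(String path) {
        return path.indexOf('.') >= 0;
    }

    // Stricter variant (an assumption, not the project's fix): refuse any
    // empty, "." or ".." segment, then require the dot to sit inside the
    // final segment so it belongs to the resource name itself.
    static boolean strictCheck(String path) {
        String[] segments = path.split("/", -1); // -1 keeps trailing empty segments
        for (String s : segments) {
            if (s.isEmpty() || s.equals(".") || s.equals("..")) {
                return false;
            }
        }
        String last = segments[segments.length - 1];
        int dot = last.lastIndexOf('.');
        // At least one character on each side: "a.css" passes, ".css" and "a." do not.
        // A dot in the last segment still does not prove the target is a file;
        // the lookup itself should also refuse to serve directories.
        return dot > 0 && dot < last.length() - 1;
    }

    public static void main(String[] args) {
        // Constructed sample paths; "foo/./bar" is the case named in the thread.
        String[] samples = {
            "org/example/style.css",
            "foo/./bar",
            "foo/../bar",
            "foo/bar",
            "foo.pkg/bar",
            "foo/bar/"
        };
        for (String p : samples) {
            System.out.printf("%-24s naive=%-5b strict=%b%n",
                    p, naiveCheck(p), strictCheck(p));
        }
    }
}
```

Apply the check to the same decoded string that is handed to the classpath lookup, so that the value checked and the value resolved cannot differ.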