[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504856#comment-13504856 ]

Lenny Primak commented on TAP5-1779:

Updated the code to fix the problem with directory listings. The latest code is always available at:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

> Tapestry allows directory listing of assets via client browser
> --
>
> Key: TAP5-1779
> URL: https://issues.apache.org/jira/browse/TAP5-1779
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.3.1, 5.3, 5.4
> Reporter: Lenny Primak
>
> You can access asset directory listing by going to Tapestry web site
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this:
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library:
> http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --- fix for the code
> /**
>  * See <a href="https://issues.apache.org/jira/browse/TAP5-1779" target="_blank">TAP5-1779</a>
>  */
> @Contribute(RequestHandler.class)
> public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>         @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion,
>         final Context ctxt)
> {
>     configuration.add("DisableDirListing", new RequestFilter() {
>         @Override
>         public boolean service(Request request, Response response, RequestHandler handler) throws IOException
>         {
>             final String assetFolder = assetPathPrefix + applicationVersion + "/"
>                     + RequestConstants.CONTEXT_FOLDER;
>             if (request.getPath().startsWith(assetFolder))
>             {
>                 // Context.getRealFile() returns null when the path cannot be mapped to a file
>                 // (e.g. an unexploded WAR); guard it so the check cannot throw an NPE.
>                 final File real = ctxt.getRealFile(pathProcessor.removeAssetPathPart(request.getPath()));
>                 if (request.getPath().endsWith("/") || (real != null && real.isDirectory()))
>                 {
>                     return false;
>                 }
>             }
>             return handler.service(request, response);
>         }
>     }, "before:AssetDispatcher");
> }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216199#comment-13216199 ]

Lenny Primak commented on TAP5-1779:

You are right, Paul, I just re-checked my web app and it does list the directory without the trailing slash. I swear it didn't do that before.

> Tapestry allows directory listing of assets via client browser
> --
>
> Key: TAP5-1779
> URL: https://issues.apache.org/jira/browse/TAP5-1779
> Project: Tapestry 5
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.3.1, 5.3, 5.4
> Reporter: Lenny Primak
> Priority: Minor
>
> You can access asset directory listing by going to Tapestry web site
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this:
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library:
> http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --- fix for the code
> @Contribute(RequestHandler.class)
> public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>         @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
> {
>     configuration.add("DisableDirListing", new RequestFilter() {
>         @Override
>         public boolean service(Request request, Response response, RequestHandler handler) throws IOException
>         {
>             final String assetFolder = RequestConstants.ASSET_PATH_PREFIX
>                     + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;
>             if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
>             {
>                 return false;
>             }
>             else
>             {
>                 return handler.service(request, response);
>             }
>         }
>     }, "before:AssetDispatcher");
> }
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215953#comment-13215953 ]

Lenny Primak commented on TAP5-1779:

I guess it depends on the environment. In my case (Glassfish) it does not return the directory listing.
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215948#comment-13215948 ]

Paul Stanton commented on TAP5-1779:

Tapestry does perform the directory listing even without the trailing slash (t5.3.2):

http://host/project/assets/174/ctx/js/components

^-- returned a directory listing.

Also, if your container allows it, a directory listing can be returned by entering a path to a directory (i.e. without any context asset path), where one of the directory names includes a dot (since it makes it through the 'StaticFilesFilter').
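As an added example (not code from TAP5-1779 or the flowlogix library), the decision logic of the two filter variants in this thread, extracted into plain Java so it runs offline against a constructed web app directory: the trailing-slash check from the original patch and the isDirectory check from Lenny's updated code, exercised with Paul's no-trailing-slash path above. The class and method names (AssetDirectoryCheck, blockedByTrailingSlash, blockedByDirectoryCheck) and the temporary directory standing in for Context.getRealFile() are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class AssetDirectoryCheck {
    // Same values as Tapestry's RequestConstants.ASSET_PATH_PREFIX / CONTEXT_FOLDER
    static final String ASSET_PATH_PREFIX = "/assets/";
    static final String CONTEXT_FOLDER = "ctx/";

    static String assetFolder(String version) {
        return ASSET_PATH_PREFIX + version + "/" + CONTEXT_FOLDER;
    }

    /** The original patch: refuse a context asset request only when it ends in "/". */
    static boolean blockedByTrailingSlash(String path, String version) {
        return path.startsWith(assetFolder(version)) && path.endsWith("/");
    }

    /**
     * The updated patch: map the context-relative part of the path onto the
     * web app root (the stand-in for ctxt.getRealFile(...) in the thread) and
     * refuse it when it names a directory, with or without a trailing slash.
     * Anything outside the context asset prefix is left to the normal handler.
     */
    static boolean blockedByDirectoryCheck(String path, String version, File contextRoot) {
        String prefix = assetFolder(version);
        if (!path.startsWith(prefix)) return false;   // not a context asset request
        if (path.endsWith("/")) return true;
        File real = new File(contextRoot, path.substring(prefix.length()));
        return real.isDirectory();                    // assumption: root is the exploded context
    }

    public static void main(String[] args) throws IOException {
        // Constructed web app layout: <root>/js/components/widget.js
        Path root = Files.createTempDirectory("webapp");
        Path comps = Files.createDirectories(root.resolve("js/components"));
        Files.write(comps.resolve("widget.js"), "// widget".getBytes());

        String[] paths = {
            "/assets/174/ctx/js/components/",           // trailing slash: both variants block
            "/assets/174/ctx/js/components",            // Paul's case: only the directory check blocks
            "/assets/174/ctx/js/components/widget.js",  // real file: both variants let it through
            "/pages/index",                             // not an asset path: untouched by either
        };
        for (String p : paths) {
            System.out.printf("%-42s slash-only=%-5b dir-check=%b%n", p,
                    blockedByTrailingSlash(p, "174"),
                    blockedByDirectoryCheck(p, "174", root.toFile()));
        }
    }
}
```

The second path prints slash-only=false but dir-check=true, which is the gap Paul describes and the reason the updated code resolves the real file instead of trusting the URL shape.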
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215662#comment-13215662 ]

Lenny Primak commented on TAP5-1779:

Tapestry will not perform a directory listing if the trailing slash is left off. Thus the patch does solve the problem. With this patch the directory listing cannot be performed under any circumstances.
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215494#comment-13215494 ]

Paul Stanton commented on TAP5-1779:

The best solution (I can see) is if org.apache.tapestry5.internal.services.ContextResource.toURL() returns null when the resource points to a directory. There should be no scenario where a directory listing is a valid asset.
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215462#comment-13215462 ]

Paul Stanton commented on TAP5-1779:

Lenny, please note that your patch does not solve the problem. The 'user' can leave the trailing slash off a dir request and still get the dir listing.
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215422#comment-13215422 ]

Paul Stanton commented on TAP5-1779:

This should be promoted to major since it potentially discloses private information about the application.
[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182961#comment-13182961 ]

Lenny Primak commented on TAP5-1779:

Note: The path to the code has changed -- I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/flowlogix-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70