[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-11-27 Thread Lenny Primak (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13504856#comment-13504856 ]

Lenny Primak commented on TAP5-1779:


Updated the code to fix the problem with directory listings.
The latest code is always available at:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

> Tapestry allows directory listing of assets via client browser
> --
>
> Key: TAP5-1779
> URL: https://issues.apache.org/jira/browse/TAP5-1779
> Project: Tapestry 5
>  Issue Type: Bug
>  Components: tapestry-core
>Affects Versions: 5.3.1, 5.3, 5.4
>Reporter: Lenny Primak
>
> You can access asset directory listing by going to Tapestry web site 
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this: 
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library: 
> http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --- fix for the code
>     /**
>      * See https://issues.apache.org/jira/browse/TAP5-1779
>      */
>     @Contribute(RequestHandler.class)
>     public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>             @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion,
>             final Context ctxt)
>     {
>         configuration.add("DisableDirListing", new RequestFilter() {
>             @Override
>             public boolean service(Request request, Response response,
>                     RequestHandler handler) throws IOException
>             {
>                 // assetPathPrefix and pathProcessor are fields of the enclosing SecurityModule
>                 final String assetFolder = assetPathPrefix + applicationVersion + "/"
>                         + RequestConstants.CONTEXT_FOLDER;
>                 if (request.getPath().startsWith(assetFolder))
>                 {
>                     // Reject "dir/" and also "dir": a trailing-slash test alone misses the latter.
>                     // getRealFile() may yield null, so guard before calling isDirectory().
>                     final File realFile = ctxt.getRealFile(
>                             pathProcessor.removeAssetPathPart(request.getPath()));
>                     if (request.getPath().endsWith("/")
>                             || (realFile != null && realFile.isDirectory()))
>                     {
>                         return false;
>                     }
>                 }
>                 return handler.service(request, response);
>             }
>         }, "before:AssetDispatcher");
>     }

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira


[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-24 Thread Lenny Primak (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216199#comment-13216199 ]

Lenny Primak commented on TAP5-1779:


You are right, Paul, I just re-checked my web app and it does list the directory without the trailing slash. I swear it didn't do that before.

> Tapestry allows directory listing of assets via client browser
> --
>
> Key: TAP5-1779
> URL: https://issues.apache.org/jira/browse/TAP5-1779
> Project: Tapestry 5
>  Issue Type: Bug
>  Components: tapestry-core
>Affects Versions: 5.3.1, 5.3, 5.4
>Reporter: Lenny Primak
>Priority: Minor
>
> You can access asset directory listing by going to Tapestry web site 
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this: 
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library: 
> http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --- fix for the code
>     @Contribute(RequestHandler.class)
>     public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
>             @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
>     {
>         configuration.add("DisableDirListing", new RequestFilter() {
>             @Override
>             public boolean service(Request request, Response response,
>                     RequestHandler handler) throws IOException
>             {
>                 final String assetFolder = RequestConstants.ASSET_PATH_PREFIX
>                         + applicationVersion + "/" + RequestConstants.CONTEXT_FOLDER;
>                 if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
>                 {
>                     return false;
>                 }
>                 else
>                 {
>                     return handler.service(request, response);
>                 }
>             }
>         }, "before:AssetDispatcher");
>     }



[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-24 Thread Lenny Primak (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215953#comment-13215953 ]

Lenny Primak commented on TAP5-1779:


I guess it depends on the environment. In my case (Glassfish) it does not return the directory listing.




[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-24 Thread Paul Stanton (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215948#comment-13215948 ]

Paul Stanton commented on TAP5-1779:


Tapestry does perform the directory listing even without the trailing slash (T5.3.2):

http://host/project/assets/174/ctx/js/components

^-- returned a directory listing.

Also, if your container allows it, a directory listing can be returned by entering a path to a directory (i.e. without any context asset path) where one of the directory names includes a dot (since it makes it through the 'StaticFilesFilter').




[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-24 Thread Lenny Primak (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215662#comment-13215662 ]

Lenny Primak commented on TAP5-1779:


Tapestry will not perform a directory listing if the trailing slash is left off. Thus the patch does solve the problem. With this patch the directory listing cannot be performed under any circumstances.




[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-24 Thread Paul Stanton (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215494#comment-13215494 ]

Paul Stanton commented on TAP5-1779:


The best solution (I can see) is if org.apache.tapestry5.internal.services.ContextResource.toURL() returns null when the resource points to a directory.

There should be no scenario where a directory listing is a valid asset.




[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-23 Thread Paul Stanton (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215462#comment-13215462 ]

Paul Stanton commented on TAP5-1779:


Lenny, please note that your patch does not solve the problem. The 'user' can leave the trailing slash off a dir request and still get the dir listing.

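To make the gap Paul describes concrete, here is an added Python model of the two filter decisions discussed in this thread; it is not Tapestry or flowlogix code. It places the trailing-slash-only check of the original patch beside the directory-resolving check of the revised one and runs both against a constructed web-app context. The prefix and folder values, the application version 174, the directory tree and the remove_asset_path_part helper (which stands in for the pathProcessor call the thread mentions) are all assumptions of this example.

```python
"""Model of the TAP5-1779 asset-directory filter (added example; not Tapestry's or
flowlogix's code). trailing_slash_check() models the first patch in the thread,
which rejects only asset paths ending in "/". directory_check() models the revised
patch, which also resolves the path against the web-app context root and rejects it
when it names a directory, closing the gap Paul Stanton reported
(".../ctx/js/components" with no trailing slash). The context root is a constructed
temporary directory, so this runs offline.
"""
import os
import tempfile

ASSET_PATH_PREFIX = "/assets/"  # assumed value of RequestConstants.ASSET_PATH_PREFIX
CONTEXT_FOLDER = "ctx"          # assumed value of RequestConstants.CONTEXT_FOLDER


def asset_folder(application_version):
    """'/assets/<version>/ctx', the prefix both filters match on."""
    return ASSET_PATH_PREFIX + application_version + "/" + CONTEXT_FOLDER


def remove_asset_path_part(path, application_version):
    """Strip '/assets/<version>/ctx' to get the context-relative path
    (stands in for pathProcessor.removeAssetPathPart() in the thread)."""
    return path[len(asset_folder(application_version)):]


def trailing_slash_check(path, application_version):
    """First patch: reject only when the asset path ends in '/'."""
    return path.startswith(asset_folder(application_version)) and path.endswith("/")


def directory_check(path, application_version, context_root):
    """Revised patch: reject a trailing slash OR a path that resolves to a directory."""
    if not path.startswith(asset_folder(application_version)):
        return False  # not a context asset request; not this filter's concern
    if path.endswith("/"):
        return True
    relative = remove_asset_path_part(path, application_version).lstrip("/")
    # A path that resolves to nothing is left to the asset dispatcher's own 404.
    return os.path.isdir(os.path.join(context_root, relative))


def build_context_root():
    """Construct a throw-away web-app context: a nested asset directory plus a
    directory with a dot in its name (the kind Paul mentions); the isdir test
    does not depend on the name."""
    root = tempfile.mkdtemp(prefix="tap5-1779-")
    os.makedirs(os.path.join(root, "js", "components"))
    os.makedirs(os.path.join(root, "vendor.v2"))
    with open(os.path.join(root, "js", "components", "widget.js"), "w") as fh:
        fh.write("// constructed sample asset\n")
    return root


def compare(paths, application_version="174"):
    """Return {path: (rejected_by_first_patch, rejected_by_revised_patch)}."""
    root = build_context_root()
    return {p: (trailing_slash_check(p, application_version),
                directory_check(p, application_version, root)) for p in paths}
```

Calling compare() on the URL from Paul's comment, "/assets/174/ctx/js/components", returns (False, True): the first patch lets the directory request through while the revised check rejects it.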




[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-02-23 Thread Paul Stanton (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13215422#comment-13215422 ]

Paul Stanton commented on TAP5-1779:


This should be promoted to major since it potentially discloses private information about the application.




[jira] [Commented] (TAP5-1779) Tapestry allows directory listing of assets via client browser

2012-01-09 Thread Lenny Primak (Commented) (JIRA)

[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13182961#comment-13182961 ]

Lenny Primak commented on TAP5-1779:


Note: the path to the code has changed.

I have a fix for this in the flowlogix tapestry library: 
http://code.google.com/p/flowlogix/source/browse/flowlogix-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

