[jira] [Updated] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lenny Primak updated TAP5-1779:
-------------------------------

    Description:

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--- fix for the code

    /**
     * See https://issues.apache.org/jira/browse/TAP5-1779
     */
    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
            @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion,
            final Context ctxt)
    {
        configuration.add("DisableDirListing", new RequestFilter()
        {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException
            {
                // assetPathPrefix and pathProcessor are fields of the surrounding
                // SecurityModule (see the link above); they are not shown in this excerpt.
                final String assetFolder = assetPathPrefix + applicationVersion + "/"
                        + RequestConstants.CONTEXT_FOLDER;
                if (request.getPath().startsWith(assetFolder))
                {
                    // Context.getRealFile() returns null when the path cannot be mapped
                    // to a file, so guard it before asking whether it is a directory.
                    final File real = ctxt.getRealFile(
                            pathProcessor.removeAssetPathPart(request.getPath()));
                    if (request.getPath().endsWith("/") || (real != null && real.isDirectory()))
                    {
                        return false;
                    }
                }
                return handler.service(request, response);
            }
        }, "before:AssetDispatcher");
    }

was:

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--- fix for the code

    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
            @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
    {
        configuration.add("DisableDirListing", new RequestFilter()
        {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException
            {
                final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion
                        + "/" + RequestConstants.CONTEXT_FOLDER;
                // Only a request with a trailing slash is treated as a directory request.
                if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                {
                    return false;
                }
                else
                {
                    return handler.service(request, response);
                }
            }
        }, "before:AssetDispatcher");
    }

> Tapestry allows directory listing of assets via client browser
> --------------------------------------------------------------
>
>                 Key: TAP5-1779
>                 URL: https://issues.apache.org/jira/browse/TAP5-1779
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.3.1, 5.3, 5.4
>            Reporter: Lenny Primak
>
> You can access asset directory listing by going to Tapestry web site
> http://.../assets/{version}/ctx/
> This should be disallowed.
> Here is a Nabble discussion about this:
> http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html
> I have a fix for this in the flowlogix tapestry library:
> http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70
> --- fix for the code
> /**
>  * See https://issues.apache.org/jira/browse/TAP5-1779
>  */
> @Contribute(RequestHandler.class)
> public void disableAssetDirListing(OrderedConfiguration configuration,
>         @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion,
>         final Context ctxt)
> {
>     configuration.add("DisableDirListing", new RequestFilter() {
>         @Override
>         public boolean service(Request request, Response response, RequestHandler handler) throw
[jira] [Updated] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lenny Primak updated TAP5-1779:
-------------------------------

    Description:

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/tapestry-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--- fix for the code

    @Contribute(RequestHandler.class)
    public void disableAssetDirListing(OrderedConfiguration<RequestFilter> configuration,
            @Symbol(SymbolConstants.APPLICATION_VERSION) final String applicationVersion)
    {
        configuration.add("DisableDirListing", new RequestFilter()
        {
            @Override
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException
            {
                final String assetFolder = RequestConstants.ASSET_PATH_PREFIX + applicationVersion
                        + "/" + RequestConstants.CONTEXT_FOLDER;
                // Only a request with a trailing slash is treated as a directory request.
                if (request.getPath().startsWith(assetFolder) && request.getPath().endsWith("/"))
                {
                    return false;
                }
                else
                {
                    return handler.service(request, response);
                }
            }
        }, "before:AssetDispatcher");
    }

was:

You can access asset directory listing by going to Tapestry web site
http://.../assets/{version}/ctx/
This should be disallowed.

Here is a Nabble discussion about this:
http://tapestry.1045711.n5.nabble.com/T5-3-do-we-still-need-AssetProtectionDispatcher-td5055048.html

I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70

--- fix for the code

    (same disableAssetDirListing() contribution as above, unchanged)
[jira] [Updated] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lenny Primak updated TAP5-1779:
-------------------------------

    Comment: was deleted

(was: Note: The path to the code has changed-- I have a fix for this in the flowlogix tapestry library:
http://code.google.com/p/flowlogix/source/browse/flowlogix-services/src/main/java/com/flowlogix/web/services/SecurityModule.java#70 )

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Updated] (TAP5-1779) Tapestry allows directory listing of assets via client browser
[ https://issues.apache.org/jira/browse/TAP5-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Lenny Primak updated TAP5-1779:
-------------------------------

    Priority: Major  (was: Minor)

Directory is still listed without the trailing slash. Updated priority to major.
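The last update notes that the listing is still served when the trailing slash is omitted, which is what the revised filter's isDirectory() check addresses. The following is an added example, not code from the thread or from the flowlogix library: it reproduces both decision rules in Python against a constructed context folder that stands in for Tapestry's Context.getRealFile(), so the difference can be checked stand-alone. The constant values and the version string are assumptions.

```python
import os
import tempfile

# Constructed stand-ins for Tapestry's RequestConstants.ASSET_PATH_PREFIX / CONTEXT_FOLDER.
ASSET_PATH_PREFIX = "/assets/"
CONTEXT_FOLDER = "ctx/"


def weak_is_dir_listing(path, app_version):
    """First filter in the thread: only a trailing slash marks a directory request."""
    asset_folder = ASSET_PATH_PREFIX + app_version + "/" + CONTEXT_FOLDER
    return path.startswith(asset_folder) and path.endswith("/")


def fixed_is_dir_listing(path, app_version, context_root):
    """Revised rule: resolve the request to a real file under the context root and
    refuse it when it is a directory, with or without a trailing slash. A resolved
    path that leaves the context root is refused as well (assumed hardening)."""
    asset_folder = ASSET_PATH_PREFIX + app_version + "/" + CONTEXT_FOLDER
    if not path.startswith(asset_folder):
        return False
    if path.endswith("/"):
        return True
    rel = path[len(asset_folder):]
    root = os.path.realpath(context_root)
    real = os.path.realpath(os.path.join(root, rel))
    if real != root and not real.startswith(root + os.sep):
        return True  # escaped the context root: never serve it
    return os.path.isdir(real)


def build_demo_context():
    """Constructed context root with one sub-folder holding one asset file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG")
    return root


def compare(path, app_version="1.0"):
    """Return (weak_rule_blocks, fixed_rule_blocks) for one request path."""
    root = build_demo_context()
    return weak_is_dir_listing(path, app_version), fixed_is_dir_listing(path, app_version, root)


if __name__ == "__main__":
    for p in ("/assets/1.0/ctx/images/", "/assets/1.0/ctx/images", "/assets/1.0/ctx/images/logo.png"):
        print(p, compare(p))
```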