Re: [T5] Security of files in the classpath

2009-08-15 Thread Juan E. Maya
I've voted too. Also thanks to "kartweel" for pointing this out. It seems the ResourceDigestGenerator is not applied to asset resources :S It's a nasty bug :( On Sat, Aug 15, 2009 at 2:41 PM, Geoff Callender wrote: > Thanks, Thiago. I've voted for it. To everyone who is concerned about this, > p

Re: [T5] Security of files in the classpath

2009-08-15 Thread Geoff Callender
Thanks, Thiago. I've voted for it. To everyone who is concerned about this, please vote too. On 15/08/2009, at 10:22 PM, Thiago H. de Paula Figueiredo wrote: On Sat, 15 Aug 2009 00:37:45 -0300, Geoff Callender wrote: Ouch, now I get it. WEB-INF and all its contents are in fact visible

Re: [T5] Security of files in the classpath

2009-08-15 Thread Thiago H. de Paula Figueiredo
On Sat, 15 Aug 2009 00:37:45 -0300, Geoff Callender wrote: Ouch, now I get it. WEB-INF and all its contents are in fact visible, directly below yourapp/assets/ctx//, and it's not hard to find out the value of . I couldn't find any JIRA issue about it, s

Re: [T5] Security of files in the classpath

2009-08-15 Thread Markus Joschko
Thanks. In the meantime I found an old posting which basically contains the same solution. I'll add it immediately. However, I think that should be addressed by Tapestry in a hotfix release, as every web developer assumes that the files in WEB-INF are safe. On Sat, Aug 15, 2009 at 1:34 PM, martijn.

Re: [T5] Security of files in the classpath

2009-08-15 Thread martijn.list
A follow up: I forgot to add gif private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"}; /* * All the assets that are allowed to be downloaded using the assets service (including files without extension and dirs) */ private static final Set asse

Re: [T5] Security of files in the classpath

2009-08-15 Thread martijn.list
Markus Joschko wrote: So the ResourceDigestGenerator obviously doesn't protect the class or tml files for me here. I am currently thinking of taking the web application down as there is no way of securing passwords in this setting. Is there a workaround? I use a HttpServletRequestFilter to whit
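
The following is an added example, not code from the thread or from Tapestry itself, showing the kind of deny-by-default HttpServletRequestFilter that martijn.list describes in the two posts above (the extension list is the one from the follow-up post). It targets the Tapestry 5.0/5.1 HttpServletRequestFilter and HttpServletRequestHandler interfaces and the standard contributeHttpServletRequestHandler hook in AppModule; the package, class name and the choice of 404 as the rejection status are assumptions. Every request under /assets/ whose last path segment does not carry a whitelisted extension is refused, which covers .class, .tml, .properties and .xml files, extension-less directory listings, and anything reached through /assets/ctx/.

```java
package com.example.security; // hypothetical package

import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

/**
 * Deny-by-default gate in front of the Tapestry 5 asset service.
 * Only /assets/ requests whose final path segment ends in a whitelisted
 * extension are passed down the pipeline; everything else is answered
 * with 404 before Tapestry's AssetDispatcher ever sees it.
 */
public class AssetWhitelistFilter implements HttpServletRequestFilter {

    private static final String ASSET_PREFIX = "/assets/";

    // Extensions from the thread's whitelist; extend only with types you really serve.
    private static final Set<String> ALLOWED_EXTENSIONS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico")));

    public boolean service(HttpServletRequest request, HttpServletResponse response,
                           HttpServletRequestHandler handler) throws IOException {
        // Same path reconstruction Tapestry uses: servlet path plus optional path info,
        // context path excluded, already URL-decoded by the container.
        String path = request.getServletPath();
        String pathInfo = request.getPathInfo();
        if (pathInfo != null) {
            path = path + pathInfo;
        }

        if (path.startsWith(ASSET_PREFIX) && !isAllowedAssetPath(path)) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return true; // request handled; stop the pipeline here
        }
        return handler.service(request, response);
    }

    /** Pure decision function so the policy can be unit-tested without a servlet container. */
    static boolean isAllowedAssetPath(String path) {
        // Traversal, backslash tricks and embedded NULs are never legitimate asset names.
        if (path.contains("..") || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) {
            return false;
        }
        String lower = path.toLowerCase(Locale.ROOT);
        // Belt and braces: never serve anything under the protected servlet directories,
        // whatever extension it carries.
        if (lower.contains("/web-inf/") || lower.contains("/meta-inf/")) {
            return false;
        }
        String name = lower.substring(lower.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        // No extension (directory listing, trailing slash) or empty extension: deny.
        if (dot < 0 || dot == name.length() - 1) {
            return false;
        }
        return ALLOWED_EXTENSIONS.contains(name.substring(dot + 1));
    }

    /*
     * Registration in the application's AppModule (assumed location); "before:*"
     * puts the check ahead of every other HttpServletRequestFilter:
     *
     * public static void contributeHttpServletRequestHandler(
     *         OrderedConfiguration<HttpServletRequestFilter> configuration) {
     *     configuration.add("AssetWhitelist", new AssetWhitelistFilter(), "before:*");
     * }
     */
}
```

Because the decision lives in a static method, the policy can be exercised directly: /assets/tapestry/default.css passes, while /assets/hibernate.cfg.xml, /assets/ (the listing from Chris Lewis's post) and anything under /assets/ctx/.../WEB-INF/ are all refused. The whitelist deliberately ignores the digest in the URL; the ResourceDigestGenerator only guards .class files, and .class is simply not on the list.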

Re: [T5] Security of files in the classpath

2009-08-15 Thread Markus Joschko
lender-2 wrote: >> Ouch, now I get it. WEB-INF and all its contents are in fact visible, >> directly below yourapp/assets/ctx//, and it's not hard >> to find out the value of . >> >> Suggestions anyone?

Re: [T5] Security of files in the classpath

2009-08-14 Thread kartweel
> WEB-INF and all its contents are in fact visible, > directly below yourapp/assets/ctx//, and it's not hard > to find out the value of . > > Suggestions anyone?

Re: [T5] Security of files in the classpath

2009-08-14 Thread Geoff Callender
- To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org For additional commands, e-mail: users-h...@tapestry.apache.org -- View this message in context: http://www.nabble.com/-T5--Security-of-files-in-the-classpath-tp11816097p24965558.h

Re: [T5] Security of files in the classpath

2009-08-14 Thread kartweel
t;>>> hide it. >>>>> >>>>> That's a very good point. ;) >>>>> >>>>>> But I agree that the white list should authorize jokers to enable >>>>>> "*.jpg" kind of filter (and if you name your confid

Re: [T5] Security of files in the classpath

2009-08-14 Thread Thiago H. de Paula Figueiredo
On Fri, 14 Aug 2009 09:28:48 -0300, Geoff Callender wrote: Isn't this simply due to a Maven convention which has passed its "use by" date? I don't think so. Why not put .java, .tml, and .properties together in the source tree, and compile them all into WEB-INF/classes/ where they're

Re: [T5] Security of files in the classpath

2009-08-14 Thread Geoff Callender

Re: [T5] Security of files in the classpath

2009-08-14 Thread Juan E. Maya
>>> ur secret weapon, >>> whatever it is. :P >>> >>> Thiago

Re: [T5] Security of files in the classpath

2009-08-13 Thread kartweel

Re: [T5] Security of files in the classpath

2007-08-03 Thread Robert Zeigler
I don't plan on changing the default configuration from whitelist to blacklist... it's the fallback. I'm a fan of "deny unless explicitly authorized", as well. The AssetProtectionDispatcher takes an ordered configuration of AssetPathAuthorizer's, with the default whitelist implementation bei

Re: [T5] Security of files in the classpath

2007-08-03 Thread Thiago H de Paula Figueiredo
On Fri, 03 Aug 2007 10:03:37 -0300, Francois Armand <[EMAIL PROTECTED]> wrote: Thiago H de Paula Figueiredo wrote: Would a black list instead of a white list be better? I suppose there are fewer files to hide than files to allow access to. Well, I think that one of the best principles in security is

Re: [T5] Security of files in the classpath

2007-08-03 Thread Francois Armand
Thiago H de Paula Figueiredo wrote: Would a black list instead of a white list be better? I suppose there are fewer files to hide than files to allow access to. Well, I think that one of the best principles in security is "explicit authorization": you just do not want a confidential file to be access

Re: [T5] Security of files in the classpath

2007-08-03 Thread Thiago H de Paula Figueiredo
On Fri, 03 Aug 2007 05:33:55 -0300, Robert Zeigler <[EMAIL PROTECTED]> wrote: Nope. Zero configuration necessary for the basic functionality. Keep in mind, however, that the default configuration is pretty restrictive, since it is whitelist-based, and the only entries added by default are t

Re: [T5] Security of files in the classpath

2007-08-03 Thread Robert Zeigler

Re: [T5] Security of files in the classpath

2007-08-03 Thread Sabine K.
t;>>> For additional commands, e-mail: [EMAIL PROTECTED] >>>>> >>>>> >>>> >>>> >>>> - >>>> To unsubscribe, e-mail: [EMAIL PROTECTED] >>>

Re: [T5] Security of files in the classpath

2007-07-28 Thread Robert Zeigler
Couple of comments... First, the T5 asset service has the md5 feature. But the default implementation, at the moment, only requires md5 hashing for the .class files. (So, there's not an open door to the class bytes at the moment. ;) Second, I have a T5 app that should be going live in the n

Re: [T5] Security of files in the classpath

2007-07-27 Thread Daniel Jue
> I have just tried to post but Apache's JIRA threw a NullPointerException . > . . That made me laugh. It seems previous versions had problems with information hiding as well: https://issues.apache.org/jira/browse/TAPESTRY-281 https://issues.apache.org/jira/browse/TAPESTRY-1175 Reminds me of the

Re: [T5] Security of files in the classpath

2007-07-27 Thread Thiago H de Paula Figueiredo
On Fri, 27 Jul 2007 09:59:16 -0300, Robin Helgelin <[EMAIL PROTECTED]> wrote: If someone adds a JIRA issue I'm pretty sure Howard is able to solve this in the best interests of T5. I have just tried to post but Apache's JIRA threw a NullPointerException . . . Thiago

Re: [T5] Security of files in the classpath

2007-07-27 Thread Chris Lewis
I just tried this on the tap 5 tutorial. Requesting the asset service via /assets (http://localhost:8080/tapestry-tutorial1/assets/) basically gives you a classpath listing, much like a directory index. I see log4j.properties and org. I can download the log4j - scary - and can navigate through t

Re: [T5] Security of files in the classpath

2007-07-27 Thread Robin Helgelin
On 7/27/07, Chris Lewis <[EMAIL PROTECTED]> wrote: > I'm quite new to Tapestry and just 2 days ago have started working with > Tap 5. I realize the two (4 vs 5) are disparately different, but one of > the things nice about the Tap 4 asset service was the checksum feature I > mentioned that would de

Re: [T5] Security of files in the classpath

2007-07-27 Thread Chris Lewis
I'm quite new to Tapestry and just 2 days ago have started working with Tap 5. I realize the two (4 vs 5) are disparately different, but one of the things nice about the Tap 4 asset service was the checksum feature I mentioned that would deny access unless the sum in the url matched that of the

Re: [T5] Security of files in the classpath

2007-07-27 Thread Thiago H de Paula Figueiredo
On Thu, 26 Jul 2007 23:20:50 -0300, Robert Zeigler <[EMAIL PROTECTED]> wrote: Asset service doesn't really need a configuration point here, imo. You can already make contributions to services that would allow you to implement this sort of content filtering. I agree up to a point. It's a co

Re: [T5] Security of files in the classpath

2007-07-26 Thread Robert Zeigler
Asset service doesn't really need a configuration point here, imo. You can already make contributions to services that would allow you to implement this sort of content filtering. For instance, you could contribute a RequestFilter. Alternatively, you could contribute a Dispatcher to the Maste

Re: [T5] Security of files in the classpath

2007-07-26 Thread Daniel Jue
Thiago, my apologies. You are correct. I would think this is a big problem if you can't hide important files from users! Dan On 7/26/07, Thiago H de Paula Figueiredo <[EMAIL PROTECTED]> wrote: On Thu, 26 Jul 2007 16:46:37 -0300, Daniel Jue <[EMAIL PROTECTED]> wrote: > Hi, Just don't put con

Re: [T5] Security of files in the classpath

2007-07-26 Thread Thiago H de Paula Figueiredo
On Thu, 26 Jul 2007 18:18:42 -0300, Chris Lewis <[EMAIL PROTECTED]> wrote: I think that's a legitimate problem. I know in T4 a checksum was generated by links to assets and then verified by tapestry before yielding the actual asset (by verifying the sum). However the fact that you can use

Re: [T5] Security of files in the classpath

2007-07-26 Thread Chris Lewis
I think that's a legitimate problem. I know in T4 a checksum was generated by links to assets and then verified by tapestry before yielding the actual asset (by verifying the sum). However the fact that you can use the asset service to pull any arbitrary file out of the classpath, even those tha

Re: [T5] Security of files in the classpath

2007-07-26 Thread Thiago H de Paula Figueiredo
On Thu, 26 Jul 2007 16:46:37 -0300, Daniel Jue <[EMAIL PROTECTED]> wrote: Hi, Just don't put configuration resources there. I'm not sure you had understood what I've said. My hibernate.cfg.xml is in /src/main/resources. So it is copied by Eclipse/NetBeans/Maven/whatever to my webapp's clas

Re: [T5] Security of files in the classpath

2007-07-26 Thread Daniel Jue
Hi, Just don't put configuration resources there. Here's what I use (since I wrote it up heheh): http://wiki.apache.org/tapestry/Tapestry5WhereToStoreConfigurationResources http://wiki.apache.org/tapestry/Tapestry5WhereToStoreExternalResources On 7/26/07, Thiago H de Paula Figueiredo <[EM

[T5] Security of files in the classpath

2007-07-26 Thread Thiago H de Paula Figueiredo
Hi! I'm developing a Tapestry 5 application and I was looking at access to assets via URLs. I typed http://localhost:8080/assets/tapestry/default.css to take a look at T5 default CSS values. Then I typed http://localhost:8080/assets/hibernate.cfg.xml . . . and it showed that file. It's a