Thanks for the detailed info, Alex. There is so much to learn. I hope this hole gets patched soon.
Benny

On Thu, Sep 10, 2009 at 9:41 AM, Alex Kotchnev <akoch...@gmail.com> wrote:

> Benny,
> indeed that would be the case for a "traditional" web framework that
> serves web application assets (e.g. stylesheets, images, javascript) only
> from the publicly available directories (e.g. outside of WEB-INF). However,
> because of T5's component nature, if you deployed a component (e.g. as a
> jar in the web app) it might need to access assets from the classpath (e.g.
> from the component jar). Hence, currently there is a wide gaping security
> hole in a "stock" T5 application's Asset service, in that it can access any
> files on the classpath (e.g. property files, .tml source, etc). There is an
> issue filed for this, some improvements in T5.1, and a few decent solutions
> (as the posting above mentions), but the framework is still very
> vulnerable.
>
> Cheers,
>
> Alex K
>
> On Thu, Sep 10, 2009 at 8:56 AM, Benny Law <benny.mk....@gmail.com> wrote:
>
> > Pardon me if I am mistaken, but shouldn't .class and .tml files be under
> > WEB-INF and hence inaccessible automatically?
> >
> > Benny
> >
> > On Thu, Sep 10, 2009 at 2:52 AM, martijn.list <martijn.l...@gmail.com> wrote:
> >
> > > Angelo Chen wrote:
> > >
> > > > how to close access to ".class" and ".tml"?
> > >
> > > This has been posted to the list multiple times, so another time wouldn't
> > > hurt ;)
> > >
> > > I use the following code to whitelist some assets. Access to non-whitelisted
> > > assets is denied.
> > >
> > > Add to your application module:
> > >
> > > import java.io.IOException;
> > > import java.util.Arrays;
> > > import java.util.Collections;
> > > import java.util.HashSet;
> > > import java.util.Set;
> > >
> > > import javax.servlet.http.HttpServletRequest;
> > > import javax.servlet.http.HttpServletResponse;
> > >
> > > import org.apache.commons.io.FilenameUtils;
> > > import org.apache.commons.lang.StringUtils;
> > > import org.apache.tapestry5.ioc.OrderedConfiguration;
> > > import org.apache.tapestry5.ioc.annotations.Inject;
> > > import org.apache.tapestry5.ioc.annotations.Value;
> > > import org.apache.tapestry5.services.HttpServletRequestFilter;
> > > import org.apache.tapestry5.services.HttpServletRequestHandler;
> > > import org.slf4j.Logger;
> > >
> > > public class AppModule   // your application module class; the name is assumed
> > > {
> > >     // The original snippet used 'logger' without showing where it came from;
> > >     // Tapestry IoC injects a Logger into the module constructor.
> > >     private final Logger logger;
> > >
> > >     public AppModule(Logger logger)
> > >     {
> > >         this.logger = logger;
> > >     }
> > >
> > >     private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
> > >             "gif", "js", "css", "ico"};
> > >
> > >     /*
> > >      * All the assets that are allowed to be downloaded using the assets
> > >      * service (including files without extension and dirs)
> > >      */
> > >     private static final Set<String> assetsWhitelist =
> > >             Collections.synchronizedSet(
> > >                     new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> > >
> > >     public void contributeHttpServletRequestHandler(
> > >             OrderedConfiguration<HttpServletRequestFilter> configuration,
> > >             @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> > >     {
> > >         /*
> > >          * Create a filter that will block access to some assets. The asset
> > >          * service allows access to some assets we do not want to expose. The
> > >          * asset service will show all files in the /assets/ directory and
> > >          * allows you (by default) to download some files which you do not
> > >          * want to expose.
> > >          */
> > >         HttpServletRequestFilter filter = new HttpServletRequestFilter()
> > >         {
> > >             public boolean service(HttpServletRequest request,
> > >                     HttpServletResponse response, HttpServletRequestHandler handler)
> > >                     throws IOException
> > >             {
> > >                 String path = request.getServletPath();
> > >
> > >                 // Deny by default: anything under /assets whose lower-cased
> > >                 // extension is not whitelisted is redirected away.
> > >                 if (path.startsWith("/assets") && (!assetsWhitelist.contains(
> > >                         StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
> > >                 {
> > >                     logger.warn("access to asset " + path + " denied");
> > >
> > >                     response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);
> > >
> > >                     return true;
> > >                 }
> > >
> > >                 return handler.service(request, response);
> > >             }
> > >         };
> > >
> > >         configuration.add("AssetProtectionFilter", filter, "before:*");
> > >     }
> > > }
> > >
> > > > Sergey Didenko wrote:
> > > >
> > > > > BTW, it's worth reminding everyone again who is going to publish their
> > > > > site urls to close the access to ".class" and ".tml" files.
> > > > >
> > > > > On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti <mluse...@gmail.com> wrote:
> > > > >
> > > > > > On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula Figueiredo <thiag...@gmail.com> wrote:
> > > > > >
> > > > > > > Hi!
> > > > > > >
> > > > > > > I guess this was already discussed some time ago, but I couldn't find
> > > > > > > it. :(
> > > > > > > Anyway, it's been a long time, so let's get it started again. ;)
> > > > > > >
> > > > > > > Tapestry is a wonderful framework, but it isn't the best known one
> > > > > > > around. Sometimes, managers ask us to provide some projects/sites/success
> > > > > > > stories/etc using it so they can be more confident about Tapestry.
> > > > > > > There's a Success Stories page in the wiki
> > > > > > > (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had any
> > > > > > > edit since 2007-10-05.
> > > > > > >
> > > > > > > What about sharing your success stories with us, promoting Tapestry
> > > > > > > (especially T5)? If the project is a public website, please post the URL
> > > > > > > here. I think we should have a list of Tapestry-powered sites.
> > > > > > >
> > > > > > > Thanks in advance.
> > > > > >
> > > > > > It would be great to have that page more up to date, but I remember
> > > > > > Howard asking for "private" user stories and more than one have replied
> > > > > > to him even personally, so I guess it would make sense to have those
> > > > > > stories online too.
> > > > > > Do I remember correctly, Howard?
> > > > > >
> > > > > > --
> > > > > > Massimo
> > > > > > http://meridio.blogspot.com
> > > > > >
> > > > > > ---------------------------------------------------------------------
> > > > > > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> > > > > > For additional commands, e-mail: users-h...@tapestry.apache.org
> > >
> > > --
> > > Djigzo open source email encryption
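The decision made by the whitelist filter quoted above, re-implemented as an added example in Python (it is not the Java module code from the list, nor Tapestry's own code) so the edge cases can be run offline. It mirrors the posted check (a request under /assets passes only when the lower-cased extension of the last path segment is on the allow-list) and, for comparison, models the deny-list Angelo asked about (block only .class and .tml), showing which of the classpath files Alex mentions that weaker alternative would still serve. The sample servlet paths and the org/example package are constructed.

```python
"""Allow-list vs deny-list decision for Tapestry-style /assets URLs.

Added example, not the module code posted on the list. It re-implements the
decision of the posted HttpServletRequestFilter: a request whose servlet path
starts with /assets is served only when the lower-cased extension of the last
path segment is in the allow-list. Everything else under /assets (no extension,
directories, unknown extensions) is denied, which is what the posted comment
means by "including files without extension and dirs".
"""

# Same extensions as the posted ASSET_WHITE_LIST.
ALLOWED_EXTENSIONS = frozenset({"jpg", "jpeg", "png", "gif", "js", "css", "ico"})
# The weaker deny-list alternative (the two extensions the thread names).
DENIED_EXTENSIONS = frozenset({"class", "tml"})
ASSET_PREFIX = "/assets"


def extension(path: str) -> str:
    """Lower-cased extension of the last path segment, '' if there is none.

    Matches FilenameUtils.getExtension + StringUtils.lowerCase in the posted
    code: only text after the last '.' of the final segment counts, so
    '/assets/Start.tml/' and '/assets/app.v2/x' both yield ''.
    """
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def allow_list_permits(servlet_path: str) -> bool:
    """Decision of the posted filter: True means pass the request on."""
    if not servlet_path.startswith(ASSET_PREFIX):
        return True  # the filter only guards /assets
    return extension(servlet_path) in ALLOWED_EXTENSIONS


def deny_list_permits(servlet_path: str) -> bool:
    """The alternative of blocking only known-bad extensions."""
    if not servlet_path.startswith(ASSET_PREFIX):
        return True
    return extension(servlet_path) not in DENIED_EXTENSIONS


# Constructed sample servlet paths (the org/example package is hypothetical).
SAMPLE_PATHS = [
    "/assets/images/logo.PNG",                  # allowed: extension check is case-insensitive
    "/assets/css/site.css",                     # allowed
    "/assets/org/example/pages/Start.tml",      # denied by both: template source
    "/assets/org/example/pages/Start.class",    # denied by both: compiled class
    "/assets/org/example/messages.properties",  # denied only by the allow-list
    "/assets/org/example/pages",                # no extension / directory: allow-list denies
    "/assets/org/example/Start.tml/",           # trailing slash -> no extension: allow-list denies
    "/assets/org/example/Start.TML",            # denied by both thanks to lower-casing
    "/start",                                   # not an asset URL: untouched by the filter
]


def leaked_by_deny_list(paths=SAMPLE_PATHS):
    """Paths the deny-list would serve but the allow-list blocks."""
    return [p for p in paths if deny_list_permits(p) and not allow_list_permits(p)]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:45} allow-list={allow_list_permits(p)!s:5} deny-list={deny_list_permits(p)}")
    print("served by the deny-list but blocked by the allow-list:", leaked_by_deny_list())
```

Running it lists the three constructed paths (a .properties file, an extension-less path and a trailing-slash path) that only the allow-list stops, which is why the posted filter denies by default instead of enumerating bad extensions.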