Thanks for the detailed info, Alex. There is so much to learn. I hope this
hole gets patched soon.

Benny

On Thu, Sep 10, 2009 at 9:41 AM, Alex Kotchnev <akoch...@gmail.com> wrote:

> Benny,
>   indeed that would be the case for a "traditional" web framework that
> serves web application assets (e.g. stylesheets, images, javascript) only
> from the publicly available directories (e.g. outside of WEB-INF). However,
> because of T5's component nature, if you deployed a component (e.g. as a
> jar in the web app) it might need to access assets from the classpath (e.g.
> from the component jar). Hence, currently there is a wide gaping security
> hole in a "stock" T5 application's Asset service, that it can access any
> files on the classpath (e.g. property files, .tml source, etc). There is an
> issue filed for this, some improvements in T5.1, and a few decent solutions
> (as the posting above mentions), but the framework is still very
> vulnerable.
>
>
> Cheers,
>
> Alex K
>
> On Thu, Sep 10, 2009 at 8:56 AM, Benny Law <benny.mk....@gmail.com> wrote:
>
> > Pardon me if I am mistaken, but shouldn't .class and .tml files be under
> > WEB-INF and hence inaccessible automatically?
> >
> > Benny
> >
> > On Thu, Sep 10, 2009 at 2:52 AM, martijn.list <martijn.l...@gmail.com> wrote:
> >
> > > Angelo Chen wrote:
> > >
> > >> how to close access to ".class" and ".tml"?
> > >>
> > >>
> > >
> > > This has been posted to the list multiple times, so another time wouldn't
> > > hurt ;)
> > >
> > >
> > > I use the following code to whitelist some assets. Access to
> > > non-whitelisted assets is denied.
> > >
> > > Add to your application module:
> > >
> > >
> > > // Imports needed by this snippet: FilenameUtils is from commons-io,
> > > // StringUtils from commons-lang, the filter/handler types from Tapestry 5.
> > > import java.io.IOException;
> > > import java.util.Arrays;
> > > import java.util.Collections;
> > > import java.util.HashSet;
> > > import java.util.Set;
> > > import javax.servlet.http.HttpServletRequest;
> > > import javax.servlet.http.HttpServletResponse;
> > > import org.apache.commons.io.FilenameUtils;
> > > import org.apache.commons.lang.StringUtils;
> > > import org.apache.tapestry5.ioc.OrderedConfiguration;
> > > import org.apache.tapestry5.ioc.annotations.Inject;
> > > import org.apache.tapestry5.ioc.annotations.Value;
> > > import org.apache.tapestry5.services.HttpServletRequestFilter;
> > > import org.apache.tapestry5.services.HttpServletRequestHandler;
> > > import org.slf4j.Logger;
> > >
> > > // The module needs a logger for the warning below; Tapestry will pass an
> > > // org.slf4j.Logger to the module constructor if you declare one.
> > > private final Logger logger;
> > >
> > > private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};
> > >
> > > /*
> > >  * All the assets that are allowed to be downloaded using the assets service
> > >  * (including files without extension and dirs)
> > >  */
> > > private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
> > >        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> > >
> > > public void contributeHttpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter> configuration,
> > >        @Inject @Value("${access-denied-page}") final String accessDeniedPage)
> > > {
> > >    /*
> > >     * Create a filter that will block access to some assets. The asset service allows access to some assets we do
> > >     * not want to expose. The asset service will show all files in /assets/ directory and allows you (by default)
> > >     * to download some files which you do not want to expose.
> > >     */
> > >    HttpServletRequestFilter filter = new HttpServletRequestFilter()
> > >    {
> > >        public boolean service(HttpServletRequest request, HttpServletResponse response, HttpServletRequestHandler handler)
> > >        throws IOException
> > >        {
> > >            String path = request.getServletPath();
> > >
> > >            // Only the file extension is checked, compared case-insensitively;
> > >            // anything under /assets whose extension is not whitelisted is refused.
> > >            if (path.startsWith("/assets") &&
> > >                (!assetsWhitelist.contains(StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
> > >            {
> > >                logger.warn("access to asset " + path + " denied");
> > >
> > >                response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);
> > >
> > >                return true;
> > >            }
> > >
> > >            return handler.service(request, response);
> > >        }
> > >    };
> > >
> > >    configuration.add("AssetProtectionFilter", filter, "before:*");
> > > }
> > >
> > >
> > >
> > >> Sergey Didenko wrote:
> > >>
> > >>> BTW, it's worth reminding everyone who is going to publish their
> > >>> site URLs, once again, to close the access to ".class" and ".tml" files.
> > >>>
> > >>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti <mluse...@gmail.com>
> > >>> wrote:
> > >>>
> > >>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
> > >>>> Figueiredo <thiag...@gmail.com> wrote:
> > >>>>
> > >>>>  Hi!
> > >>>>>
> > >>>>> I guess this was already discussed some time ago, but I couldn't
> find
> > >>>>> it. :(
> > >>>>> Anyway, it's been a long time, so let's get it started again. ;)
> > >>>>>
> > >>>>> Tapestry is a wonderful framework, but it isn't the best known one
> > >>>>> around.
> > >>>>> Sometimes, managers ask us to provide some projects/sites/success
> > >>>>> stories/etc using it so they can be more confident about Tapestry.
> > >>>>> There's a
> > >>>>> Success Stories page in the wiki
> > >>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't
> had
> > >>>>> any
> > >>>>> edit
> > >>>>> since 2007-10-05.
> > >>>>>
> > >>>>> What about sharing your success stories with us, promoting Tapestry
> > >>>>> (especially T5)? If the project is a public website, please post the
> > >>>>> URL here. I think we should have a list of Tapestry-powered sites.
> > >>>>>
> > >>>>> Thanks in advance.
> > >>>>>
> > >>>> It would be great to have that page more up to date, but I remember
> > >>>> Howard asking for "private" user stories and more than one have
> > >>>> replied to him, even personally, so I guess it would make sense to
> > >>>> have those stories online too.
> > >>>> Do I remember correctly, Howard?
> > >>>>
> > >>>> --
> > >>>> Massimo
> > >>>> http://meridio.blogspot.com
> > >>>>
> > >>>>
> ---------------------------------------------------------------------
> > >>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> > >>>> For additional commands, e-mail: users-h...@tapestry.apache.org
> > >>>>
> > >>
> > >
> > > --
> > > Djigzo open source email encryption
> > >
> >
>
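Added example, not part of the thread or of Tapestry itself: the whitelist decision from martijn.list's filter pulled out into a standalone class so the cases this thread worries about (.tml, .class, property files, directories, mixed-case extensions) can be checked offline. It uses only the JDK; the extension parsing stands in for commons-io's FilenameUtils.getExtension, and every sample path is constructed for a hypothetical application layout.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

public class AssetWhitelistCheck {
    // Same extension whitelist as the posted filter.
    private static final Set<String> ASSET_WHITELIST = new HashSet<String>(
            Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico"));

    /** Lower-cased extension of the last path segment; "" when there is none. */
    static String extensionOf(String servletPath) {
        String name = servletPath.substring(servletPath.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True when the filter lets the request through to the Asset service. */
    static boolean isAllowed(String servletPath) {
        if (!servletPath.startsWith("/assets")) {
            return true; // not an asset URL, so the filter does not touch it
        }
        return ASSET_WHITELIST.contains(extensionOf(servletPath));
    }

    public static void main(String[] args) {
        // Constructed sample servlet paths (hypothetical app layout).
        String[] allowed = {
            "/assets/app/img/logo.png",
            "/assets/app/img/LOGO.PNG",        // extension compared case-insensitively
            "/assets/tapestry/default.css",
            "/pages/start"                     // page request, not an asset at all
        };
        String[] denied = {
            "/assets/app/pages/Start.tml",     // template source
            "/assets/app/pages/Start.class",   // compiled class
            "/assets/app/messages.properties", // classpath property file
            "/assets/app/pages/",              // directory: empty extension
            "/assets/app/v1.2/README"          // dot in a directory, none in the file
        };
        for (String p : allowed) {
            if (!isAllowed(p)) throw new AssertionError("should be allowed: " + p);
        }
        for (String p : denied) {
            if (isAllowed(p)) throw new AssertionError("should be denied: " + p);
        }
        System.out.println("all " + (allowed.length + denied.length) + " sample paths classified as expected");
    }
}
```

Because the decision keys on the extension alone, a directory or an extension-less file under /assets is refused as well, since "" is not on the list.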
