[ 
https://issues.apache.org/jira/browse/TAP5-815?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12747886#action_12747886
 ] 

Thiago H. de Paula Figueiredo commented on TAP5-815:
----------------------------------------------------

I agree with Ulrich that a whitelist approach is probably the best one, but 
allowing only access to assets used in pages is too restrictive IMHO. It would 
make working with anything that isn't a Tapestry page a hassle. I would suggest 
having a chain of command, each object in it receiving the requested URL and 
responding true (ok), false (file is forbidden) or null (this object doesn't 
handle this URL, ask the same thing to the next object). This chain of command 
terminator would be a very restrictive one.

> Asset dispatcher allows any file inside the webapp visible and downloadable
> ---------------------------------------------------------------------------
>
>                 Key: TAP5-815
>                 URL: https://issues.apache.org/jira/browse/TAP5-815
>             Project: Tapestry 5
>          Issue Type: Bug
>    Affects Versions: 5.1.0.5
>            Reporter: Thiago H. de Paula Figueiredo
>            Priority: Blocker
>
> Take any asset and you have a URL like 
> domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request 
> domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files 
> inside the webapp root is shown. It gives you the hint at downloading any 
> file you want, including anything inside WEB-INF and assets that should be 
> protected by ResourceDigestGenerator.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
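The chain-of-command check Thiago sketches above, written out as an added example in Java (this is illustration code, not Tapestry's own asset dispatcher or any API it exposes). Each rule answers true (allow), false (forbid) or null (not my decision, ask the next rule), and the chain terminates in a deny-by-default rule. The rule set (a WEB-INF/META-INF blocker, a directory-listing blocker, an extension whitelist) and the sample paths are assumptions chosen to match the issue description; the requested path is normalised once before any rule runs so that "../" segments cannot slip a WEB-INF file past a prefix check.

```java
import java.util.ArrayDeque;
import java.util.Arrays;
import java.util.Deque;
import java.util.List;
import java.util.Locale;

// Added example, not Tapestry code: a chain-of-command access check for asset paths.
public final class AssetAccessChain {

    /** One link in the chain; path is context-relative, e.g. "css/main.css". */
    public interface AccessRule {
        Boolean check(String path);   // TRUE = allow, FALSE = forbid, null = ask next rule
    }

    /** Forbids anything under WEB-INF or META-INF, whatever later rules would say. */
    static final AccessRule DENY_WEB_INF = path -> {
        String p = path.toLowerCase(Locale.ROOT);
        boolean hit = p.equals("web-inf") || p.startsWith("web-inf/")
                   || p.equals("meta-inf") || p.startsWith("meta-inf/");
        return hit ? Boolean.FALSE : null;
    };

    /** Forbids directory listings: an empty path or a trailing slash names a folder, not a file. */
    static final AccessRule DENY_DIRECTORIES = path ->
            (path.isEmpty() || path.endsWith("/")) ? Boolean.FALSE : null;

    /** Whitelist of file extensions served as public assets (assumed list, not Tapestry's). */
    static AccessRule allowExtensions(String... extensions) {
        List<String> allowed = Arrays.asList(extensions);
        return path -> {
            int dot = path.lastIndexOf('.');
            if (dot < 0 || dot < path.lastIndexOf('/')) {
                return null;   // no extension on the file name: leave it to later rules
            }
            String ext = path.substring(dot + 1).toLowerCase(Locale.ROOT);
            return allowed.contains(ext) ? Boolean.TRUE : null;
        };
    }

    /** Chain terminator: anything nobody explicitly allowed is forbidden. */
    static final AccessRule DENY_ALL = path -> Boolean.FALSE;

    private final List<AccessRule> rules;

    public AssetAccessChain(List<AccessRule> rules) {
        this.rules = rules;
    }

    /** Normalises the path, then walks the chain; the first non-null verdict wins. */
    public boolean isAllowed(String requestedPath) {
        String path = normalise(requestedPath);
        if (path == null) {
            return false;   // ".." would escape the webapp root
        }
        for (AccessRule rule : rules) {
            Boolean verdict = rule.check(path);
            if (verdict != null) {
                return verdict;
            }
        }
        return false;       // defensive: a chain without a terminator still denies
    }

    /** Collapses "." and ".." segments; returns null when ".." climbs above the root. */
    static String normalise(String raw) {
        Deque<String> out = new ArrayDeque<>();
        for (String s : raw.replace('\\', '/').split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) {
                if (out.isEmpty()) return null;
                out.removeLast();
            } else {
                out.addLast(s);
            }
        }
        String joined = String.join("/", out);
        return raw.endsWith("/") && !joined.isEmpty() ? joined + "/" : joined;
    }

    public static void main(String[] args) {
        AssetAccessChain chain = new AssetAccessChain(Arrays.asList(
                DENY_WEB_INF, DENY_DIRECTORIES,
                allowExtensions("css", "js", "png", "gif", "jpg"), DENY_ALL));
        // Constructed sample requests, as they would look after the
        // "/assets/ctx/<digest>/" prefix from the issue description.
        String[] samples = { "css/main.css", "", "css/", "WEB-INF/web.xml",
                             "css/../WEB-INF/web.xml", "../outside.txt", "pages/Secret.tml" };
        for (String p : samples) {
            System.out.println((chain.isAllowed(p) ? "allow " : "deny  ") + "'" + p + "'");
        }
    }
}
```

Only "css/main.css" is allowed in this run; the bare digest directory and "css/" are refused as listings, the two WEB-INF requests are refused by the first rule after normalisation, the traversal above the root is refused before any rule runs, and the .tml template falls through to the terminator. Putting the restrictive rule last is what keeps the design usable for non-page assets: a project can insert its own permissive rule ahead of it without weakening the default.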
