I see that the UnprotectedAssets regular expressions have been updated
in tapestry.asset.xml to the following:

   <unprotected-resource contains="/tapestry/" />
   <unprotected-resource contains="/dojo/" />

I can't tell if this was in response to my original post.  The comment
is:
"Fixed regexp issues found only when running server on windows."
The Jakarta-ORO regexp engine is written in Java so I don't know how
Windows would be involved.

Anyway, the issue that I mentioned in the original post still exists.

Regexp.contains("/com/company/tapestry/database.class", "/tapestry/")
will return true and allow the asset to be retrieved without a digest.

The contains method will search anywhere in the search text for a match.
The / at the beginning of /tapestry does not anchor the search to the
beginning of the search text.

That is why I suggested adding a ^ (caret) in front of the leading /.
The ^ will anchor the search to the beginning of the search text.

With the ^ added, the above example will then return false so that
arbitrary files that happen to have the word tapestry further down their
path will not be served up by the asset service.

   <unprotected-resource contains="^/tapestry/" />
   <unprotected-resource contains="^/dojo/" />

Thanks,

Bruce Myers
bruce.myers at opensolutions.com

-----Original Message-----
From: Bruce Myers 
Sent: Wednesday, November 15, 2006 4:55 PM
To: '[email protected]'
Subject: 4.1 UnprotectedAssets Contribution Security Issue

Hi,
 
I believe there is a security issue with the regular expressions in the
UnprotectedAssets contribution in the tapestry.asset.xml hivemind
module.
 
  <contribution configuration-id="UnprotectedAssets">
   List of unprotected asset regexps for ResourceMatcher service.
   <unprotected-resource contains="tapestry/*" />
   <unprotected-resource contains="dojo/*" />
  </contribution>

PatternMatcher.contains(String input, Pattern pattern) will search
anywhere in the input for the pattern.

Example:
contains("/com/company/tapestry/database.class", "tapestry/*") will
return true and allow the asset to be retrieved without a digest.

I would like to suggest adding a ^/ to the beginning of the expressions.
Example:
   <unprotected-resource contains="^/tapestry/*" />
   <unprotected-resource contains="^/dojo/*" />

I don't know what benefit the * on the end of the expressions is
providing. It will match 0 or more /'s.

Thanks,
 
Bruce Myers
Sr. Software Engineer
Open Solutions COWWW Software
Email: bruce.myers at opensolutions.com
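The two messages above walk through four versions of the UnprotectedAssets patterns: the original `tapestry/*`, the updated `/tapestry/`, the first suggestion `^/tapestry/*` and the final suggestion `^/tapestry/`. The following script is an added example, not code from the thread or from Tapestry; it models ORO's `PatternMatcher.contains()` with Python's unanchored `re.search` (an assumption that the two engines agree for these simple patterns) and runs each pattern set over a handful of constructed asset paths to show which paths outside the framework directories each version would serve without a digest. The `/tapestrysecret.class` path is constructed to illustrate the remark that a trailing `/*` matches zero or more slashes.

```python
import re

# The regexp sets quoted in the thread (tapestry.asset.xml, UnprotectedAssets
# contribution), in the order they appear: the original, the update seen in
# the reply, the first suggestion (^/ added, trailing /* kept) and the final
# suggestion (^/ added, trailing * dropped).
ORIGINAL = ["tapestry/*", "dojo/*"]
UPDATED = ["/tapestry/", "/dojo/"]
SUGGESTED_STAR = ["^/tapestry/*", "^/dojo/*"]
ANCHORED = ["^/tapestry/", "^/dojo/"]

# Directories the rule is meant to expose without a digest.
INTENDED_PREFIXES = ("/tapestry/", "/dojo/")

# Constructed sample paths; only database.class comes from the thread itself.
SAMPLE_PATHS = [
    "/tapestry/Form.js",                     # legitimate framework asset
    "/dojo/dojo.js",                         # legitimate framework asset
    "/com/company/tapestry/database.class",  # example from the thread
    "/com/company/dojo-config.class",        # "dojo" followed by zero slashes
    "/tapestrysecret.class",                 # "/tapestry" followed by zero slashes
    "/com/company/Secret.class",             # unrelated class file
]


def is_unprotected(path, patterns):
    """Model of ORO's PatternMatcher.contains(): re.search is unanchored, so
    the pattern may match anywhere in the path unless it carries its own ^.
    (Assumption: Java and Python regex agree for these simple patterns.)"""
    return any(re.search(p, path) is not None for p in patterns)


def is_intended(path):
    """Ground truth: the asset really lives under a framework directory."""
    return path.startswith(INTENDED_PREFIXES)


def false_positives(patterns, paths=SAMPLE_PATHS):
    """Paths outside the intended directories that a pattern set would still
    serve without a digest, i.e. the gap the thread describes."""
    return [p for p in paths if is_unprotected(p, patterns) and not is_intended(p)]


def false_negatives(patterns, paths=SAMPLE_PATHS):
    """Legitimate framework assets a pattern set would wrongly protect."""
    return [p for p in paths if is_intended(p) and not is_unprotected(p, patterns)]


if __name__ == "__main__":
    for name, patterns in [("original", ORIGINAL), ("updated", UPDATED),
                           ("suggested ^/...*", SUGGESTED_STAR),
                           ("anchored ^/.../", ANCHORED)]:
        print(f"{name:18} leaks: {false_positives(patterns)}"
              f"  blocks: {false_negatives(patterns)}")
```

Only the fully anchored set, `^/tapestry/` and `^/dojo/`, yields no leaked paths while still matching every legitimate framework asset; a useful regression check for any such allow-list is exactly this pairing of a ground-truth prefix test against the regexp the matcher actually evaluates.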


