... not sure how this works in T5 - so, perhaps it also makes sense there...

So, I was taking a look at https://issues.apache.org/jira/browse/TAPESTRY-1306 which basically says that lots of exception messages are shown on the server console whenever a
(protected) resource is not found and I've noticed the following:

-) First of all (and the cause of that bug) we call the MD5 even if the resource doesn't exist. This causes an ApplicationRuntimeException which forces the AssetService to terminate its service method. The side effects are: a) the previously stated error messages on the server b) the response is 200 instead of 404
I've already got a patch for this.

-) Secondly, I noticed that we return a 403 error if the resource exists but the MD5 digest is incorrect. I now see that this is a potential vulnerability... for instance I can try requesting folders like /org/hibernate/ or /org/apache/ibatis/ and understand what kind of technologies are used by a T4 site.
I haven't done any changes here - but I think returning a 404 is correct.

What do you guys think?

--
Andreas Andreou - [EMAIL PROTECTED] - http://andyhot.di.uoa.gr
Tapestry / Tacos developer
Open Source / JEE Consulting
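An added example, not Tapestry's own code, modelling the two check orders discussed in the mail: the current one, where the digest is computed before the resource is looked up and a bad digest on an existing resource yields 403, and the proposed one, where existence is checked first and both "missing" and "bad digest" yield 404. The in-memory RESOURCES map and the asset paths are constructed for the example.

```python
import hashlib
import hmac
from http import HTTPStatus

# Constructed stand-in for the classpath: only these two assets exist.
RESOURCES = {
    "/org/example/app/logo.png": b"\x89PNG\r\n\x1a\n...",
    "/org/example/app/app.css": b"body { margin: 0 }",
}


def digest_for(path):
    """MD5 hex digest of an existing resource (KeyError if it is missing)."""
    return hashlib.md5(RESOURCES[path]).hexdigest()


def serve_asset_before(path, digest):
    """Order described in the mail: digest first, then (implicitly) existence.
    A missing resource blows up before any status is chosen; a wrong digest on
    an existing resource returns 403, which confirms that the path exists."""
    expected = digest_for(path)          # raises for a missing resource
    if expected != digest:
        return HTTPStatus.FORBIDDEN
    return HTTPStatus.OK


def serve_asset_after(path, digest):
    """Proposed order: look the resource up first, and map both failure modes
    to 404 so a probe cannot tell a real package path from a made-up one."""
    data = RESOURCES.get(path)
    if data is None:
        return HTTPStatus.NOT_FOUND
    expected = hashlib.md5(data).hexdigest()
    # compare_digest is an addition here: constant-time comparison of the digests
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return HTTPStatus.NOT_FOUND
    return HTTPStatus.OK


def respond(handler, path, digest):
    """Run a handler the way the mail says the container behaves: an uncaught
    exception is logged on the console and the client still sees a 200."""
    try:
        return handler(path, digest)
    except KeyError:
        return HTTPStatus.OK


def leaks_existence(handler):
    """True if an existing path with a wrong digest and a non-existent path
    produce different responses, i.e. the handler acts as an existence oracle."""
    bogus = "0" * 32
    existing = respond(handler, "/org/example/app/app.css", bogus)
    missing = respond(handler, "/org/hibernate/", bogus)
    return existing != missing
```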

