since it returns 403 also on non-existent resources, an attacker wouldn't know whether the resource
he requested actually exists.
On 10.11.2009 17:23, Andreas Andreou wrote:
Hmm, I'd argue it needs to return a 404 error though, so as not to give
attackers a way to know which libraries/jars/resources exist...
On Tue, Nov 10, 2009 at 2:52 PM, Ulrich Stärk <[email protected]> wrote:
Just tested it in trunk, works as expected: Trying to access templates and
other stuff, as well as directory listings result in a 403. An integration
test making sure that the protection isn't accidentally removed again would
be nice though.
Uli
On 10.11.2009 11:28, Massimo Lusetti wrote:
On Mon, Nov 9, 2009 at 6:23 PM, <[email protected]> wrote:
Author: robertdzeigler
Date: Mon Nov 9 17:23:10 2009
New Revision: 834151
URL: http://svn.apache.org/viewvc?rev=834151&view=rev
Log:
TAP5-815: Asset dispatcher allows any file inside the webapp visible and
downloadable (5.2 branch)
Looking for testing this one soon but thanks for the work! Especially
for (back)porting to the other two dev branches.
Cheers
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
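
The 403-versus-404 question in this thread comes down to whether a refusal looks the same for a protected file and for a file that does not exist. The sketch below is an added example, not part of the thread and not Tapestry code: it models a dispatcher in Python with a constructed file table and suffix allowlist, and `uniform_handler`, `leaky_handler` and `existence_leaks` are hypothetical names. The denial status is a parameter so the same regression check can be run with either status code.

```python
import posixpath
from urllib.parse import unquote

# Constructed webapp contents; paths are illustrative, not Tapestry's real layout.
FILES = {
    "/assets/css/site.css": b"body{}",
    "/assets/pages/Index.tml": b"<html/>",
    "/assets/WEB-INF/lib/app.jar": b"PK",
}
PUBLIC_SUFFIXES = (".css", ".js", ".png", ".gif", ".jpg")  # assumed allowlist

def uniform_handler(raw_path, deny_status=403):
    """Decide from the path alone, then answer every refusal identically."""
    path = posixpath.normpath(unquote(raw_path))
    allowed = ("/WEB-INF/" not in path
               and path.lower().endswith(PUBLIC_SUFFIXES))
    body = FILES.get(path) if allowed else None
    if body is None:
        return (deny_status, b"")   # protected or missing: same answer
    return (200, body)

def leaky_handler(raw_path):
    """Contrast case: looks the file up first, so the status reveals existence."""
    path = posixpath.normpath(unquote(raw_path))
    if path not in FILES:
        return (404, b"")
    if "/WEB-INF/" in path or not path.lower().endswith(PUBLIC_SUFFIXES):
        return (403, b"")
    return (200, FILES[path])

def existence_leaks(handler, protected_paths):
    """Return the protected paths whose response differs from that of a
    made-up sibling with the same directory and extension."""
    leaks = []
    for path in protected_paths:
        directory, name = posixpath.split(path)
        ghost = posixpath.join(directory, "no-such-file-" + name)
        if handler(path) != handler(ghost):
            leaks.append(path)
    return leaks

PROTECTED = ["/assets/pages/Index.tml", "/assets/WEB-INF/lib/app.jar"]

if __name__ == "__main__":
    print("uniform:", existence_leaks(uniform_handler, PROTECTED))
    print("leaky:  ", existence_leaks(leaky_handler, PROTECTED))
```

An integration test of the kind asked for above would assert that the list returned by `existence_leaks` is empty for the deployed handler.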