Re: Preventing directory list

2018-02-14 Thread Entropy
That seems to be it.  Thanks!

--
Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html

-
To unsubscribe, e-mail: users-unsubscr...@wicket.apache.org
For additional commands, e-mail: users-h...@wicket.apache.org



Re: Preventing directory list

2018-02-14 Thread Bas Gooren
Hi!


Since this is not something wicket core provides, I did a Google search for
you (“wicket directory listing”).


This was the first hit:
http://apache-wicket.1842946.n4.nabble.com/Directory-Listings-td4661117.html


It looks like this is the culprit:


—

I believe I found the problem.

It appears Wicket does not really pass non-Wicket requests back to a
default handler, but handles them by itself in fallback() by using
getResourceAsStream() and in this case, for directories, WebSphere
returns a listing regardless of its own directoryBrowsingEnabled
setting.

—


Alas, that thread does not provide a fix. Although I do interpret the
thread as if this is only a problem with using a wicket servlet, instead of
a wicket filter. Are you using the servlet or filter?

Met vriendelijke groet,
Kind regards,

Bas Gooren

Op 13 februari 2018 bij 20:13:25, Entropy (blmulholl...@gmail.com) schreef:

Pretty sure WAS is getting the config. When I comment out all wicket stuff
from web.xml, and just run a bare bones EAR, I type:

http://localhost:9080/MyApp/images/info1.png

And I get that image (thus proving it's responding)

I drop to:

http://localhost:9080/MyApp/images/

and I get 404.

Put Wicket back in place and run the same test and get:

ajax-loader.gif
info1.png
mainLogoHeader_01.png
mainLogoHeaderTrans_01.png
ui-icons_44_256x240.png
ui-icons_55_256x240.png
ui-icons_777620_256x240.png
ui-icons_77_256x240.png
ui-icons_cc_256x240.png
ui-icons_ff_256x240.png


There's no other filter or servlet in the web.xml at all. Normally there's
an anti-XSS filter, but I took that out prior to running this test.

Anyway, that's why I think it's Wicket. Or something the presence of Wicket
is allowing.

-- 
Sent from:
http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html

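One defensive mitigation for the behaviour described above, as an added example that is not code from this thread, from Wicket or from WebSphere: a plain servlet filter, mapped to `/*` ahead of the Wicket filter or servlet in web.xml, that answers 404 for any request whose path names a directory in the deployed webapp, so the fallback static-resource path is never reached for directory URLs. The class name `NoDirectoryListingFilter` and the assumption that the container exposes the exploded webapp through `ServletContext.getRealPath()` are mine.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (hypothetical class, not Wicket or WebSphere code).
 *
 * Rejects requests for directory paths before any resource handler sees
 * them. Register it in web.xml with a filter-mapping for "/*" placed
 * before the Wicket filter-mapping; filters run in the order their
 * mappings appear.
 */
public class NoDirectoryListingFilter implements Filter {

    private ServletContext context;

    @Override
    public void init(FilterConfig filterConfig) {
        // Servlet 2.5 compatible: take the context from the config rather
        // than from the request (getServletContext() on the request is 3.0+).
        context = filterConfig.getServletContext();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isDirectoryRequest(request)) {
            // 404 rather than 403: do not confirm that the directory exists.
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(req, res);
    }

    /**
     * True when the request path (relative to the context root) is a
     * directory in the deployed application. Paths ending in "/" are
     * rejected outright (e.g. "/images/"); other paths (e.g. "/images")
     * are checked against the filesystem where the container can map
     * them to a real path.
     */
    boolean isDirectoryRequest(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (path.isEmpty() || "/".equals(path)) {
            return false; // the context root is the application's home page mapping
        }
        if (path.endsWith("/")) {
            return true;
        }
        String real = context.getRealPath(path);
        return real != null && new File(real).isDirectory();
    }

    @Override
    public void destroy() {
        context = null;
    }
}
```

Two caveats: the path is inspected as sent (the raw request URI); the `getRealPath()` check covers the un-suffixed form such as `/images`, but the filter does not decode percent-encoded segments itself. And if the application mounts Wicket pages at URLs that end in a slash, those mounts need an exemption in `isDirectoryRequest()`. The quick verification is the same one used in this thread: request `/images/` and `/images` with Wicket deployed and confirm a 404 instead of a file list.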


Re: Preventing directory list

2018-02-13 Thread Entropy
Pretty sure WAS is getting the config.  When I comment out all wicket stuff
from web.xml, and just run a bare bones EAR, I type:

http://localhost:9080/MyApp/images/info1.png

And I get that image (thus proving it's responding)

I drop to:

http://localhost:9080/MyApp/images/

and I get 404.

Put Wicket back in place and run the same test and get:

ajax-loader.gif
info1.png
mainLogoHeader_01.png
mainLogoHeaderTrans_01.png
ui-icons_44_256x240.png
ui-icons_55_256x240.png
ui-icons_777620_256x240.png
ui-icons_77_256x240.png
ui-icons_cc_256x240.png
ui-icons_ff_256x240.png


There's no other filter or servlet in the web.xml at all.  Normally there's
an anti-XSS filter, but I took that out prior to running this test.  

Anyway, that's why I think it's Wicket.  Or something the presence of Wicket
is allowing.

--
Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html




Re: Preventing directory list

2018-02-13 Thread Bas Gooren
Hi,

Yes I’m quite sure Wicket is not doing this; I’ve perused the source code
many times (especially the resource handling parts), and there is no code
for listings.

Furthermore, since listings can pose a security risk, there would be a
setting to disable this; such a setting is not available.

Are you certain WebSphere is picking up your configuration?

Met vriendelijke groet,
Kind regards,

Bas Gooren

Op 13 februari 2018 bij 17:12:19, Entropy (blmulholl...@gmail.com) schreef:

But I have "/*" mapped to the wicket servlet. /images is under "/*". I have
no servlet mapping enabling /images or other subdirs.

Further, we're in websphere and in the ibm-web-ext.xml we have directory
browsing set to false.



You're certain Wicket doesn't do this? I tried removing my wicket servlet
and getting to the images folder and it didn't work. We're in Wicket 6 if
it matters.

-- 
Sent from:
http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html



Re: Preventing directory list

2018-02-13 Thread Entropy
But I have "/*" mapped to the wicket servlet.  /images is under "/*".  I have
no servlet mapping enabling /images or other subdirs.

Further, we're in websphere and in the ibm-web-ext.xml we have directory
browsing set to false.



You're certain Wicket doesn't do this?  I tried removing my wicket servlet
and getting to the images folder and it didn't work.  We're in Wicket 6 if
it matters.

--
Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html




Re: Preventing directory list

2018-02-13 Thread Bas Gooren
Hi!

For as far as I know, wicket does not provide any directory listings; I
suspect this is either your application server, or your webserver which
responds with a directory listing.

Met vriendelijke groet,
Kind regards,

Bas Gooren

Op 13 februari 2018 bij 16:44:43, Entropy (blmulholl...@gmail.com) schreef:

The SecurePackageResourceGuard prevents access to files by extension, but I
notice that when I type /images into my URL, I get a sort of directory
listing of files under that folder. True, they're all public files, but I
don't want people to get a listing like that. How can I direct the resource
guard to not allow directory listings for ANY directory?

-- 
Sent from:
http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html



Preventing directory list

2018-02-13 Thread Entropy
The SecurePackageResourceGuard prevents access to files by extension, but I
notice that when I type /images into my URL, I get a sort of directory
listing of files under that folder.  True, they're all public files, but I
don't want people to get a listing like that.  How can I direct the resource
guard to not allow directory listings for ANY directory?

--
Sent from: http://apache-wicket.1842946.n4.nabble.com/Users-forum-f1842947.html
