I've just noticed that one of my apps (T5.1.0.5) is allowing not only directory listing via the "assets" servlet (I know it's not a servlet as such) but also access to directory listings and files within WEB-INF. You can even download .class files.

It is a slightly non-standard configuration in that there are a lot of files under 'webapp' and that libraries are stored in WEB-INF/lib and classes in WEB-INF/classes.

I decided to test the 'sites using tapestry' listed on the Tapestry homepage to see whether it is a general Tapestry issue, and although none expose the internals of WEB-INF, some do provide directory listings:

http://www.cubiculus.com/
disallows dir listing completely

http://www.yanomo.com/
allows dir listing - http://www.yanomo.com/assets/0.9.9/ctx/
disallows WEB-INF access - http://www.yanomo.com/assets/0.9.9/ctx/WEB-INF/

http://recurtrack.com/
allows dir listing - http://recurtrack.com/assets/1.7/ctx/
disallows WEB-INF access - http://recurtrack.com/assets/1.7/ctx/WEB-INF/

So my question is, how do I turn off directory listings and how do I stop access within WEB-INF and META-INF?
