On Wed, 24 Nov 2010 22:13:03 -0200, Paul Stanton <p...@mapshed.com.au>
wrote:
I've just noticed that one of my apps (T5.1.0.5) is allowing not only
directory listing via the "assets" servlet (I know it's not a servlet as
such) but also access to directory listings and files within WEB-INF.
You can even download .class files.
This is a known problem in 5.1.0.5 which, as far as I know, was fixed in
5.2. There are some solutions if you search the mailing list or JIRA. I
use this in a project, inside a RequestFilter:
import java.io.IOException;
import org.apache.tapestry5.internal.services.RequestConstants; // package assumed for 5.1.x
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

// Refuses the bare /assets/ listing and sensitive files under it; everything else continues.
public class AssetProtectionFilter implements RequestFilter {
    public boolean service(Request request, Response response, RequestHandler handler) throws IOException {
        String path = request.getPath();
        if (path.endsWith(RequestConstants.ASSET_PATH_PREFIX)) {
            response.setStatus(403); // bare /assets/ would list the directory
            return true;
        }
        else if (path.startsWith(RequestConstants.ASSET_PATH_PREFIX)) {
            if (path.contains("WEB-INF") || path.endsWith("hibernate.cfg.xml") ||
                path.endsWith(".class") || path.endsWith(".tml") ||
                path.endsWith("salt.properties") || path.contains("META-INF")) {
                response.setStatus(403);
                return true;
            }
        }
        // Hand the request on (the posted fragment returned false here, which would bypass Tapestry's asset handling).
        return handler.service(request, response);
    }
}
--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer,
and instructor
Owner, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
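Wiring a filter like the one above into a 5.1.x application, as an added example that is not Thiago's code nor part of Tapestry itself: the class name, the contribution id "AssetDenyList" and the package of RequestConstants (assumed to be org.apache.tapestry5.internal.services in 5.1.x) are assumptions. The deny-list check is kept in a static method so it can be unit-tested without a servlet container, and the module method contributes the filter to the RequestHandler pipeline ahead of the built-in handlers. It goes slightly beyond the posted snippet in two ways: the comparison is done on a lower-cased copy of the path, and any asset path ending in "/" is refused, since a real asset names a file, never a directory.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import org.apache.tapestry5.internal.services.RequestConstants; // package assumed (T5.1.x)
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

/** Deny-list for the /assets/ URL space. Class name and structure are assumed, not from the thread. */
public class AssetDenyListFilter implements RequestFilter {

    // Same names as the posted filter, lower-cased because the check below lower-cases the path.
    private static final List<String> DENIED_SUFFIXES =
            Arrays.asList("hibernate.cfg.xml", ".class", ".tml", "salt.properties");
    private static final List<String> DENIED_FRAGMENTS = Arrays.asList("web-inf", "meta-inf");

    /** True if the request path must be refused with 403. Pure function, so it is easy to unit-test. */
    public static boolean isDenied(String path) {
        String prefix = RequestConstants.ASSET_PATH_PREFIX;
        if (!path.startsWith(prefix)) {
            return false;                      // not an asset request at all, leave it alone
        }
        String lower = path.toLowerCase();     // case-insensitive comparison (beyond the posted snippet)
        if (lower.endsWith("/")) {
            return true;                       // bare /assets/ or any sub-directory: a listing, not a file
        }
        for (String fragment : DENIED_FRAGMENTS) {
            if (lower.contains(fragment)) {
                return true;                   // nothing under WEB-INF or META-INF is a public asset
            }
        }
        for (String suffix : DENIED_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return true;                   // compiled classes, templates and config files stay private
            }
        }
        return false;
    }

    public boolean service(Request request, Response response, RequestHandler handler) throws IOException {
        if (isDenied(request.getPath())) {
            response.setStatus(403);
            return true;                       // handled: nothing further in the pipeline runs
        }
        return handler.service(request, response); // ordinary asset or page request continues
    }
}

/** AppModule fragment (assumed name): contribute the filter so it runs before the built-in handlers. */
class AppModuleFragment {
    public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration) {
        configuration.add("AssetDenyList", new AssetDenyListFilter(), "before:*");
    }
}
```

With this in place, a request for "/assets/" or "/assets/ctx/WEB-INF/classes/Foo.class" gets a 403 from isDenied before the asset dispatcher sees it, while "/assets/ctx/css/site.css" passes through handler.service unchanged. Keeping the predicate static lets a plain JUnit test feed it those three strings and assert true, true, false without starting the application.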