Thanks Thiago,
I have added the following to my AppModule.
// Imports the two AppModule methods below rely on (Tapestry 5.1 service
// interfaces, IoC configuration types, and an SLF4J logger for LOG).
import java.io.File;
import java.io.IOException;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.InjectService;
import org.apache.tapestry5.services.Context;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestConstants;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

private static final Logger LOG = LoggerFactory.getLogger(AppModule.class);

// Service id "AccessFilter" is derived from the build method name.
public RequestFilter buildAccessFilter(final Context context)
{
    return new RequestFilter()
    {
        @Override
        public boolean service(Request request, Response response,
                               RequestHandler handler) throws IOException
        {
            String path = request.getPath();
            String contextAssetPath =
                RequestConstants.ASSET_PATH_PREFIX + RequestConstants.CONTEXT_FOLDER;
            if (path.startsWith(contextAssetPath))
            {
                // Never serve anything that names the protected folders.
                if (path.contains("WEB-INF") || path.contains("META-INF"))
                {
                    LOG.debug("attempted access to protected resource: " + path);
                    response.setStatus(403);
                    return true;
                }
                // Strip the prefix, then the leading version segment:
                // "/assets/ctx/1.0/images/x.png" -> "1.0/images/x.png" -> "/images/x.png".
                // The slash must be looked up in realPath (in path it is always index 0).
                String realPath = path.substring(contextAssetPath.length());
                int slash = realPath.indexOf('/');
                // getRealFile() returns null when the context has no file-system path
                // (e.g. an unexploded WAR), so guard against that as well.
                File file = slash < 0 ? null : context.getRealFile(realPath.substring(slash));
                // Refuse anything that is not an existing regular file: this is what
                // stops directory listings.
                if (file == null || !file.exists() || file.isDirectory())
                {
                    LOG.debug("attempted access to protected resource: " + path);
                    response.setStatus(403);
                    return true;
                }
            }
            LOG.trace("allowed " + path);
            return handler.service(request, response);
        }
    };
}

public void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration,
                                     @InjectService("AccessFilter") RequestFilter filter)
{
    configuration.add("AccessFilter", filter);
}
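The path check from the filter above, pulled out into a pure function so it can be run without a Tapestry runtime. This is an added example, not code from the thread: CONTEXT_ASSET_PATH mirrors RequestConstants.ASSET_PATH_PREFIX + CONTEXT_FOLDER ("/assets/ctx/"), the webRoot parameter stands in for Context.getRealFile(), and the sample request paths in main() are constructed. It also goes beyond the substring match in the thread: the check is segment-wise and case-insensitive (so "web-inf" on a case-insensitive file system is caught), rejects "..", decodes percent-encoding, and confirms the canonical file still lies below the web root.

```java
import java.io.File;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.file.Files;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

/*
 * Added example (not from the thread). CONTEXT_ASSET_PATH mirrors
 * RequestConstants.ASSET_PATH_PREFIX + CONTEXT_FOLDER; webRoot is a
 * hypothetical parameter standing in for Context.getRealFile().
 */
public class ContextAssetGuard
{
    static final String CONTEXT_ASSET_PATH = "/assets/ctx/";

    /** Returns the file to serve, or null when the request must get a 403. */
    public static File resolve(File webRoot, String requestPath) throws IOException
    {
        if (!requestPath.startsWith(CONTEXT_ASSET_PATH))
        {
            return null; // not a context asset at all
        }
        // The container has usually decoded the path already; decoding once more only
        // makes the check stricter, because the file returned is the decoded one.
        String decoded = URLDecoder.decode(requestPath, "UTF-8");
        // Drop the prefix and the leading version segment:
        // "/assets/ctx/1.0/images/logo.png" -> "images/logo.png".
        String rest = decoded.substring(CONTEXT_ASSET_PATH.length());
        int slash = rest.indexOf('/');
        if (slash < 0)
        {
            return null; // "/assets/ctx/1.0": version only, nothing to serve
        }
        String relative = rest.substring(slash + 1);

        // Segment-wise, case-insensitive rejection before touching the disk, so that
        // "web-inf" on a case-insensitive file system and ".." are both caught.
        for (String segment : relative.split("/"))
        {
            String s = segment.toUpperCase(Locale.ROOT);
            if (s.isEmpty() || s.equals(".") || s.equals("..")
                || s.equals("WEB-INF") || s.equals("META-INF"))
            {
                return null;
            }
        }

        // Canonical containment: whatever the segments looked like, the resolved
        // file must still be a regular file below the web root (no directory listings).
        File root = webRoot.getCanonicalFile();
        File candidate = new File(root, relative).getCanonicalFile();
        if (!candidate.getPath().startsWith(root.getPath() + File.separator))
        {
            return null;
        }
        return candidate.isFile() ? candidate : null;
    }

    public static void main(String[] args) throws IOException
    {
        // Constructed web root: one public asset and one file under WEB-INF.
        File webRoot = Files.createTempDirectory("webroot").toFile();
        new File(webRoot, "images").mkdirs();
        new File(webRoot, "WEB-INF").mkdirs();
        new File(webRoot, "images/logo.png").createNewFile();
        new File(webRoot, "WEB-INF/web.xml").createNewFile();

        // Constructed sample requests; only the first is expected to be allowed.
        List<String> requests = Arrays.asList(
            "/assets/ctx/1.0/images/logo.png",             // legitimate asset
            "/assets/ctx/1.0/images/",                     // directory, no listing
            "/assets/ctx/1.0/WEB-INF/web.xml",             // protected folder
            "/assets/ctx/1.0/web-inf/web.xml",             // case variation
            "/assets/ctx/1.0/images/../WEB-INF/web.xml",   // traversal
            "/assets/ctx/1.0/images/..%2FWEB-INF/web.xml", // encoded traversal
            "/assets/ctx/1.0");                            // version segment only
        for (String r : requests)
        {
            File f = resolve(webRoot, r);
            System.out.println((f == null ? "DENY  " : "ALLOW ") + r);
        }
    }
}
```

Inside a real RequestFilter the null result maps to response.setStatus(403) and return true, and a non-null result lets handler.service() continue; doing the decision on a canonical, segment-checked path rather than on a raw substring match is what keeps the rule from depending on how the client spelled the URL.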
On 25/11/2010 11:26 AM, Thiago H. de Paula Figueiredo wrote:
On Wed, 24 Nov 2010 22:13:03 -0200, Paul Stanton <p...@mapshed.com.au>
wrote:
I've just noticed that one of my apps (T5.1.0.5) is allowing not only
directory listing via the "assets" servlet (I know it's not a servlet
as such), including access to directory listing and files within
WEB-INF. You can even download .class files.
This is a known problem in 5.1.0.5 which, as far as I know, was fixed
in 5.2. There are some solutions if you search the mailing list or
JIRA. I use this in a project, inside a RequestFilter:
String path = request.getPath();
// A request for the bare assets folder: no listing.
if (path.endsWith(RequestConstants.ASSET_PATH_PREFIX)) {
    response.setStatus(403);
    return true;
}
// Any asset request naming a protected folder or a sensitive file type.
else if (path.startsWith(RequestConstants.ASSET_PATH_PREFIX)) {
    if (path.contains("WEB-INF") ||
        path.endsWith("hibernate.cfg.xml") || path.endsWith(".class") ||
        path.endsWith(".tml") || path.endsWith("salt.properties") ||
        path.contains("META-INF")) {
        response.setStatus(403);
        return true;
    }
    return false;
}