Thiago, I do want to make sure I disallow directory listings.
Agree there is potential for a bottleneck, so I have changed to:
```java
import java.io.IOException;
import org.apache.tapestry5.internal.services.RequestConstants;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;
import org.slf4j.Logger;

// class name, imports and fail() were not in the posted snippet; added so it compiles
public class ContextAssetFilter implements RequestFilter
{
    private final Logger LOG;
    public ContextAssetFilter(Logger log) { LOG = log; }

    public boolean service(Request request, Response response,
                           RequestHandler handler) throws IOException
    {
        String path = request.getPath();
        String contextAssetPath = RequestConstants.ASSET_PATH_PREFIX +
                                  RequestConstants.CONTEXT_FOLDER;
        if (path.startsWith(contextAssetPath))
        {
            // never serve anything under the container's protected folders
            if (path.contains("WEB-INF") || path.contains("META-INF"))
                return fail(request, response);
            // basic test for a file with an extension - avoids creating a new File
            // (not fool proof but problems will be obvious in testing)
            String last = path.substring(path.length() - 5);
            if (!last.contains("."))
                return fail(request, response);
        }
        LOG.trace("allowed " + path);
        return handler.service(request, response);
    }

    // assumed helper: reject the request with a 404 and stop the filter chain
    private boolean fail(Request request, Response response) throws IOException
    {
        response.sendError(404, "Not found");
        return true; // request handled, do not continue the chain
    }
}
```
On 26/11/2010 8:03 AM, Thiago H. de Paula Figueiredo wrote:
On Thu, 25 Nov 2010 18:24:39 -0200, Paul Stanton <p...@mapshed.com.au>
wrote:
Yes tested and it works.
Yay! :)
I figured since I'm only executing the logic for things that start
with /asset/ctx/ the overhead shouldn't be noticeable, however on
second thought maybe this isn't a good idea?
There's a possibility it creates a bottleneck, as you're going to the
file system once before the request is handled normally or access is
denied. Of course, it depends on the number of context assets you use,
etc. If it's in the context and it isn't inside WEB-INF, it's probably
meant to be public, so I wouldn't do this check in your scenario.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org
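As an added example (not from the thread or from Tapestry itself), the decision logic of the filter above factored into a pure function that can be unit-tested without a servlet container. It keeps the WEB-INF/META-INF rule but checks the final path segment for an extension instead of the last five characters, which the five-character heuristic does not distinguish from a dot in a folder name (for example "/assets/ctx/v1.2/"). The "/assets/ctx/" prefix is assumed to match RequestConstants.ASSET_PATH_PREFIX + CONTEXT_FOLDER.

```java
import java.util.Arrays;
import java.util.List;

/** Decides, from the path string alone, whether a context-asset request may proceed. */
public class ContextAssetPolicy
{
    // Assumed to equal RequestConstants.ASSET_PATH_PREFIX + RequestConstants.CONTEXT_FOLDER.
    static final String CONTEXT_ASSET_PATH = "/assets/ctx/";

    /** Returns true if the request should be passed on to the asset handler. */
    static boolean isAllowed(String path)
    {
        if (!path.startsWith(CONTEXT_ASSET_PATH))
            return true; // not a context asset: this policy does not get involved

        // Never expose the container's protected folders, wherever they occur in the path.
        if (path.contains("WEB-INF") || path.contains("META-INF"))
            return false;

        // A trailing slash is a directory request, never a file.
        if (path.endsWith("/"))
            return false;

        // Require an extension on the final segment only: a dot in a folder name
        // (e.g. "v1.2") would satisfy a last-five-characters check but is not a file.
        String lastSegment = path.substring(path.lastIndexOf('/') + 1);
        return lastSegment.contains(".");
    }

    public static void main(String[] args)
    {
        // constructed sample paths
        List<String> allowed = Arrays.asList(
            "/assets/ctx/images/logo.png",
            "/assets/ctx/css/site.css",
            "/pages/index");                 // not a context asset at all
        List<String> denied = Arrays.asList(
            "/assets/ctx/images/",           // directory listing
            "/assets/ctx/images",            // directory without trailing slash
            "/assets/ctx/v1.2/",             // dot in folder name, still a directory
            "/assets/ctx/WEB-INF/web.xml");  // container-protected folder
        for (String p : allowed)
            if (!isAllowed(p)) throw new AssertionError("should allow " + p);
        for (String p : denied)
            if (isAllowed(p)) throw new AssertionError("should deny " + p);
        System.out.println("all " + (allowed.size() + denied.size()) + " cases behave as expected");
    }
}
```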