On Thu, Jan 16, 2020 at 6:22 AM Nicolas Bouillon <nico...@bouillon.net> wrote:
> Hi all,
>

Hello! Thanks for posting your findings. It should be noted that Tapestry considers anything under /WEB-INF/assets to be public files. In other words, files which are intended to be seen. So, while it's not ideal to have file listings, I wouldn't consider it problematic.

>
> Following a pen-test of our application, it has been raised that the
> list of assets is visible as a directory listing.
>
> For example, we have a javascript file available at this location
> /assets/meta/z58f7f3d4/javascript/library.js but when we access
> /assets/meta/z58f7f3d4/javascript/ the web server lists all files
> available in the META-INF.assets.javascript directory of the project.
>
> Do you know how to prevent this listing?
>
> It looks to me like it's happening in
>
> org.apache.tapestry5.internal.services.assets.ClasspathAssetRequestHandler#handleAssetRequest
> and then in
> org.apache.tapestry5.internal.services.ResourceStreamerImpl#streamResource(org.apache.tapestry5.ioc.Resource,
> org.apache.tapestry5.services.assets.StreamableResource,
> java.lang.String,
> java.util.Set<org.apache.tapestry5.internal.services.ResourceStreamer.Options>)
>
> Thank you,
> Nicolas.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> For additional commands, e-mail: users-h...@tapestry.apache.org
>

--
Thiago
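For readers who, unlike Thiago, do want to suppress the listing rather than live with it, the following is an added example (not code from Tapestry, and not posted by either participant) of a Tapestry 5 RequestFilter that answers 404 to any asset request whose path ends in "/", so the request never reaches ClasspathAssetRequestHandler. It assumes the default asset prefix "/assets/" seen in the URLs above, and that the filter is contributed from the application's AppModule; the package name and filter id are placeholders.

```java
// Added example, not Tapestry's own code: refuse asset "directory" requests
// (path under the asset prefix that ends in "/") before dispatch, so the
// classpath asset handler cannot render a listing for them.
// Assumptions: asset prefix is the default "/assets/" (as in the question's
// URLs); the contribution lives in the application's AppModule.
package com.example.web.services;  // hypothetical package

import java.io.IOException;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;

public class AppModule
{
    /** Assumed asset prefix; matches /assets/meta/z58f7f3d4/javascript/ above. */
    private static final String ASSET_PREFIX = "/assets/";

    /**
     * True when the request path names an asset directory rather than a file,
     * i.e. it sits under the asset prefix and ends with a slash.
     * /assets/meta/z58f7f3d4/javascript/library.js  -> false (served as usual)
     * /assets/meta/z58f7f3d4/javascript/            -> true  (blocked)
     * /index                                        -> false (not an asset)
     */
    static boolean isAssetDirectoryRequest(String path)
    {
        return path != null && path.startsWith(ASSET_PREFIX) && path.endsWith("/");
    }

    public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration)
    {
        RequestFilter blockAssetListings = new RequestFilter()
        {
            public boolean service(Request request, Response response, RequestHandler handler)
                    throws IOException
            {
                if (isAssetDirectoryRequest(request.getPath()))
                {
                    // Answer as if the directory does not exist. Individual
                    // files stay reachable by their full paths.
                    response.sendError(404, "Not Found");
                    return true;  // handled: do not pass to the dispatchers
                }

                return handler.service(request, response);
            }
        };

        // Hypothetical id; run ahead of the other request filters so the
        // asset dispatcher never sees the request.
        configuration.add("BlockAssetDirectoryListings", blockAssetListings, "before:*");
    }
}
```

Two caveats a pen-tester would raise: the filter only covers the trailing-slash form reported in the question, so re-test whether a directory path without a trailing slash also produces a listing in your Tapestry version; and, as Thiago notes, the files under the asset prefix are public by design, so hiding the index removes enumeration convenience, not access to anything placed there.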