Hi!

AssetDispatcher is a regular Tapestry service, I'd expect that you can replace it with your own implementation using service overrides: https://tapestry.apache.org/ioc-cookbook-overriding-ioc-services.html

The service is bound with marker annotation and AssetRequestDispatcher.class, with id=AssetDispatcher.

You can try the latest implementation from 5.6 branch, it should be compatible with 5.3 I think: https://github.com/apache/tapestry-5/blob/5.6.x/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/AssetDispatcher.java

Hope this helps,
Dmitry

On Fri, May 28, 2021 at 1:41 PM Reinhold Gruber <herr_re...@gmx.at> wrote:

> Hi!
>
> Some emergency. Any help highly appreciated.
> The AssetDispatcher in Tapestry 5.3.8 allows harmful requests, reading
> contents from WEB-INF etc.
> We currently do not have the time to update to the newest Tapestry version
> and we need to do something quick, right now.
> So I would like to ask how the current AssetDispatcher can be replaced by
> a more secure version?
> What needs to be done in the application module class? Tried there various
> things but did not make it work.
> Does anyone maybe have already a patched class handy?
>
> Best Regards,
> Reinhold

--
Dmitry Gusev

AnjLab Team
http://anjlab.com