On Fri, May 28, 2021 at 9:41 AM Reinhold Gruber <herr_re...@gmx.at> wrote:
> Hi!

Hello!

> Some emergency. Any help highly appreciated.
> The AssetDispatcher in Tapestry 5.3.8 allows harmful requests, reading
> contents from WEB-INF etc.
> We currently do not have the time to update to the newest Tapestry version
> and we need to do something quick, right now.
> So I would like to ask how the current AssetDispatcher can be replaced by
> a more secure version?
> What needs to be done in the application module class. Tried there various
> things but did not make it work.
> Does anyone maybe have already a patched class handy?

I suggest you try something different: instead of trying to override AssetDispatcher, contribute a new Dispatcher before AssetDispatcher that blocks requests to WEB-INF, META-INF and any other file that you don't want to make public. You can do something simple but effective by just using usual string matching functions like String.contains() (with WEB-INF and META-INF) and String.endsWith() (with .properties, .class, .xml, etc) and call Response.sendError(404, "some message").

> Best Regards,
> Reinhold

--
Thiago
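An added example (not code from the thread) of the approach Thiago describes: a Dispatcher that rejects such paths with a 404, plus the contribution in the application module that orders it before AssetDispatcher. The package and class names and the id "Asset" used for AssetDispatcher in the MasterDispatcher configuration are assumptions; Dispatcher, Request and Response are Tapestry's own types.

```java
package com.example.tapestry.security; // assumed package

import java.io.IOException;
import java.net.URLDecoder;
import java.util.Locale;

import org.apache.tapestry5.services.Dispatcher;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;

/**
 * Rejects requests whose path points at container-internal folders or at
 * file types that should never be served, before AssetDispatcher sees them.
 *
 * Contribute it in the application module class (AppModule), ordered before
 * AssetDispatcher (assumed id "Asset"):
 *
 *   public static void contributeMasterDispatcher(
 *           OrderedConfiguration<Dispatcher> configuration) {
 *       configuration.add("BlockInternalFiles",
 *               new BlockInternalFilesDispatcher(), "before:Asset");
 *   }
 */
public class BlockInternalFilesDispatcher implements Dispatcher {

    private static final String[] BLOCKED_FOLDERS = { "WEB-INF", "META-INF" };
    private static final String[] BLOCKED_SUFFIXES = { ".PROPERTIES", ".CLASS", ".XML", ".JAR" };

    public boolean dispatch(Request request, Response response) throws IOException {
        if (isBlocked(request.getPath())) {
            // 404 rather than 403: do not confirm that the resource exists.
            response.sendError(404, "Not found");
            return true;  // handled; the remaining dispatchers are skipped
        }
        return false;     // not ours; AssetDispatcher and the others run as usual
    }

    static boolean isBlocked(String rawPath) throws IOException {
        // Compare a decoded, upper-cased form so that case and percent-encoding
        // variations of the same path are all treated alike.
        String path;
        try {
            path = URLDecoder.decode(rawPath, "UTF-8").toUpperCase(Locale.ROOT);
        } catch (IllegalArgumentException e) {
            return true;  // malformed percent-encoding: refuse rather than guess
        }
        for (String folder : BLOCKED_FOLDERS) {
            if (path.contains(folder)) return true;
        }
        for (String suffix : BLOCKED_SUFFIXES) {
            if (path.endsWith(suffix)) return true;
        }
        return false;
    }
}
```

The suffix list is deliberately short; extend it with whatever else lives under the web root that must not be served (for example .tml templates), and verify after deployment that a request for a WEB-INF path returns 404 while a normal asset URL still works.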