I must say I was a little bit shocked when I heard about this security
hole and found an easy way within httpd (mod_rewrite) to circumvent this
problem at first.
Thinking about how it should be, I would prefer the 'blacklist
everything' approach. This way a dev never has to worry about what's
Ah, right... blackbird was introduced in 5.1.
I could probably check for the symbol in the module and provide it if
it doesn't otherwise exist.
Robert
On Aug 27, 2009, at 12:44 AM, Alex Kotchnev wrote:
@Robert,
thanks for releasing the 1.0.0 version. I added it, it seems to
work OK
@Robert,
thanks for releasing the 1.0.0 version. I added it, it seems to work OK,
with a minor issue. I'm using 5.0.18, and when I try to access a resource
that shouldn't be accessible, I get the following exception:
- org.apache.tapestry5.ioc.internal.OperationExceptionSymbol
'tapestry.
I rescind this comment; just duplicated it. ;)
Robert
On Aug 26, 2009, at 2:08 PM, Robert Zeigler wrote:
Agreed that it's tedious but better to whitelist (cf my e-mail from
2007 where I expressed my personal preference for whitelisting).
I've been playing around with this a bit... have y
Agreed that it's tedious but better to whitelist (cf my e-mail from
2007 where I expressed my personal preference for whitelisting).
I've been playing around with this a bit... have you demonstrated the
vulnerability in WEB-INF and, e.g., template files? I just tried, but
couldn't duplicate...
You'd still have to write them. The framework default is to allow access to sensitive files. That's
the problem here.
On 26.08.2009 20:43 Thiago H. de Paula Figueiredo wrote:
On Wed, 26 Aug 2009 15:09:08 -0300, Ulrich Stärk wrote:
There is no framework solution for context assets.
Reso
Robert,
While whitelisting a lot of extensions might seem tedious, it's a lot less painful than to forget to
blacklist the one file that someone might use to compromise the security of your whole web app.
The problem we have is that all Tapestry applications are insecure *by default* at the mo
On Wed, 26 Aug 2009 15:09:08 -0300, Ulrich Stärk wrote:
There is no framework solution for context assets.
ResourceDigestGenerator is purely for classpath assets.
There are two: a RequestFilter or a Dispatcher.
--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, an
There is no framework solution for context assets. ResourceDigestGenerator is purely for classpath
assets.
Uli
On 26.08.2009 19:55 Robert Zeigler wrote:
Try version 1.0.0, just released today. ;)
See my comment on issue 815 for the maven url, artifact id, etc.
In any event, there's a framew
Try version 1.0.0, just released today. ;)
See my comment on issue 815 for the maven url, artifact id, etc.
In any event, there's a framework solution in place already... it's
just that it's a blacklist-based solution instead of a whitelist-based
solution. Although whitelist-based security t
>
> The Tapestry asset feature is used even when you use files from the context
> (asset:context:something.jpg).
Yes, but does that mean js-files and css-files etc. should be whitelisted by
default? Normally if Tapestry encounters an asset:-statement, it knows the
asset should be whitelisted. In
I really like to hear what the other devs (apart from Thiago) are thinking about this, whether there
are objections against what I proposed or if you think there are better solutions. This really needs
fixing ASAP.
Cheers,
Uli
On 26.08.2009 13:41 Ulrich Stärk wrote:
> I think that's way too
On Wed, 26 Aug 2009 11:10:17 -0300, Onno Scheffers wrote:
I think not even css-files, js-files and png-files should be whitelisted
by default to be honest. We already have a way of making such files
public: put them in the public web context.
The Tapestry asset feature is used even wh
On Wed, Aug 26, 2009 at 3:57 PM, Ulrich Stärk wrote:
> I really like to hear what the other devs (apart from Thiago) are thinking
> about this, whether there are objections against what I proposed or if you
> think there are better solutions. This really needs fixing ASAP.
I think not even css
Yes, Alex, the thread is from 2007, but the workaround that Martijn also
lists here was posted to the thread just 2 weeks ago.
I use it in my current T5.1 application and it works fine!
martijn.list wrote:
Alex Kotchnev wrote:
Christian,
you seem to indicate that there's an easy fix
I think that's way too complicated. Keep it simple:
a) blacklist everything and let the user contribute filenames, file extensions or paths to some
whitelisting service (already having some reasonable defaults like .css, .js, .png, ...) which
AssetSource queries before returning an Asset
b) res
>
> I agree. My suggestion to TAP-815 was:
>
> "I would suggest to have a chain of command, each object in it receiving
> the requested URL and responding true (ok), false (file is forbidden) or
> null (this object doesn't handle this URL, ask the same thing to the next
> object. This chain of comm
On Wed, 26 Aug 2009 04:12:29 -0300, Onno Scheffers wrote:
@Thiago
How about allowing absolutely nothing from the classpath/WEB-INF
initially?
Directory listing should also be disabled.
I agree. My suggestion to TAP-815 was:
"I would suggest to have a chain of command, each object in
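The "chain of command" Thiago proposes above (each link answering true, false or null and passing the request on when it has no opinion), combined with Uli's earlier "blacklist everything, let the user contribute a whitelist with sensible defaults" idea and Thiago's remark that a RequestFilter or a Dispatcher is the hook for this, as an added example. This is not code from the Tapestry project or from anyone in this thread. It assumes the Tapestry 5.0 `Dispatcher`, `Request`, `Response` and `OrderedConfiguration` API, the 5.0 asset URL layout `/assets/<path>` (5.1 inserts a version segment), and the contribution method naming convention `contributeMasterDispatcher`; the names `AssetPathAuthorizer`, `SensitivePathAuthorizer`, `ExtensionWhitelistAuthorizer`, `AssetProtectionDispatcher` and `AppModule` are hypothetical.

```java
// Added example (not Tapestry code, not from this thread). Assumed: Tapestry 5.0 API,
// asset URLs of the form /assets/<path>. All class names below are hypothetical.
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import javax.servlet.http.HttpServletResponse;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Dispatcher;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.Response;

/** One link in the chain: TRUE = serve it, FALSE = refuse it, null = no opinion, ask the next link. */
interface AssetPathAuthorizer {
    Boolean authorize(String assetPath);
}

/** Refuses paths that could reach configuration, classes or templates; never says yes itself. */
class SensitivePathAuthorizer implements AssetPathAuthorizer {
    private static final String[] FORBIDDEN_SUFFIXES = { ".xml", ".class", ".properties", ".tml" };

    public Boolean authorize(String assetPath) {
        String p = assetPath.toLowerCase(Locale.ENGLISH);
        if (p.contains("..") || p.contains("web-inf") || p.contains("meta-inf")) {
            return Boolean.FALSE;
        }
        for (String suffix : FORBIDDEN_SUFFIXES) {
            if (p.endsWith(suffix)) return Boolean.FALSE;
        }
        return null; // not my decision; the next link gets asked
    }
}

/** Says yes only to a few extensions that are safe to expose; everything else falls through. */
class ExtensionWhitelistAuthorizer implements AssetPathAuthorizer {
    private final List<String> allowed;

    ExtensionWhitelistAuthorizer(List<String> allowed) { this.allowed = allowed; }

    public Boolean authorize(String assetPath) {
        String p = assetPath.toLowerCase(Locale.ENGLISH);
        for (String ext : allowed) {
            if (p.endsWith(ext)) return Boolean.TRUE;
        }
        return null;
    }
}

/** Runs before Tapestry's own "Asset" dispatcher; a request that no link approved is answered with 404. */
class AssetProtectionDispatcher implements Dispatcher {
    private static final String ASSET_PREFIX = "/assets/"; // 5.0 layout assumed
    private final List<AssetPathAuthorizer> chain;

    AssetProtectionDispatcher(List<AssetPathAuthorizer> chain) { this.chain = chain; }

    /** Walks the chain: the first non-null answer wins, and silence from every link means deny. */
    static boolean allowed(List<AssetPathAuthorizer> chain, String assetPath) {
        for (AssetPathAuthorizer link : chain) {
            Boolean decision = link.authorize(assetPath);
            if (decision != null) return decision.booleanValue();
        }
        return false; // blacklist-everything default: nothing claimed the path
    }

    public boolean dispatch(Request request, Response response) throws IOException {
        String path = request.getPath();
        if (!path.startsWith(ASSET_PREFIX)) return false;                        // not an asset URL, not ours
        if (allowed(chain, path.substring(ASSET_PREFIX.length()))) return false; // let the Asset dispatcher serve it
        response.sendError(HttpServletResponse.SC_NOT_FOUND, "Not found");
        return true;                                                             // handled: refused, chain stops here
    }
}

/** Application module (hypothetical): wires the dispatcher in ahead of Tapestry's "Asset" dispatcher. */
public class AppModule {
    public static void contributeMasterDispatcher(OrderedConfiguration<Dispatcher> configuration) {
        List<AssetPathAuthorizer> chain = Arrays.<AssetPathAuthorizer>asList(
                new SensitivePathAuthorizer(),
                new ExtensionWhitelistAuthorizer(Arrays.asList(".css", ".js", ".png", ".gif", ".jpg", ".ico")));
        configuration.add("AssetProtection", new AssetProtectionDispatcher(chain), "before:Asset");
    }
}
```

In a real project each class goes in its own file. Two points the thread raises are what this layout buys: the refusing link sits first, so a later whitelist entry such as ".xml" cannot reopen WEB-INF or a traversal path, and because the decision is taken at the dispatcher level it covers context assets as well as classpath ones, which Uli notes ResourceDigestGenerator does not. A missing whitelist entry then costs you a broken stylesheet, not a readable hibernate.cfg.xml.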
Hi Dmitry,
thanks for this information. 20 seconds to first page is indeed pretty long,
but if you use a cron-job to keep the application warm, the long startup
time is less of an issue. This was one of my major doubts about Tapestry on
GAE, but your approach seems like a very good work-around.
r
It took 15 seconds to start up the instance + 5 seconds to render the first
page (same on my development laptop and GAE cloud).
That's pretty long, but I guess the bottleneck here is not in Tapestry but
rather in Spring.
As for cleaning up an instance after it's not being used - I can't tell you,
th
Alex Kotchnev wrote:
Christian,
you seem to indicate that there's an easy fix for this on the mailing
list; however, the last discussion there is from around 2007; the module
that Robert is referring to is out of date (e.g. referring to old package
names, etc). Any other tips on addressing thi
> Everyone is invited to contribute to the solution by posting all the ways
we can have access to assets that shouldn't be available. ;)
@Thiago
How about allowing absolutely nothing from the classpath/WEB-INF initially?
Directory listing should also be disabled.
When a page or component comes alo
Dmitry,
extremely cool tip, the hack to get the local dev app server running is
highly appreciated!
Cheers,
Alex K
On Tue, Aug 25, 2009 at 8:12 AM, Dmitry Gusev wrote:
> FYI
>
> Here is the running t5 app: http://ping-service.appspot.com/
>
> It uses T5.0.18 + Spring 3.0.0M4/JPA + Google
>
Christian,
you seem to indicate that there's an easy fix for this on the mailing
list; however, the last discussion there is from around 2007; the module
that Robert is referring to is out of date (e.g. referring to old package
names, etc). Any other tips on addressing this ?
I'm completely
On Tue, 25 Aug 2009 11:01:58 -0300, Christian Riedel wrote:
In the link I posted in my first reply, there are some T5.0.18 sites
that don't list WEB-INF, in some you can find the hibernate.cfg.xml
under /assets/, in some you don't.
Some also seem to implement the workaround, so there is
In the link I posted in my first reply, there are some T5.0.18 sites
that don't list WEB-INF, in some you can find the hibernate.cfg.xml
under /assets/, in some you don't.
Some also seem to implement the workaround, so there isn't any directory
listing.
But hey, the *default* is, everybody can
On Tue, 25 Aug 2009 10:25:21 -0300, Onno Scheffers wrote:
Apparently it does, since Christian also provided example-links.
I stand corrected.
I just checked and I can also publicly access resources like the web.xml
and hibernate.cfg.xml on a webapp that is already in production using
>
> AFAIK, this issue doesn't affect T5.0.18, as it happens only with versioned
> assets, something that was introduced in T5.1.
Apparently it does, since Christian also provided example-links.
I just checked and I can also publicly access resources like the web.xml and
hibernate.cfg.xml on a we
Apparently it is also affecting 5.0.18, since you can browse Dmitry's
assets and read the persistence.xml for example.
Thiago H. de Paula Figueiredo wrote:
On Tue, 25 Aug 2009 09:44:35 -0300, Christian Riedel wrote:
FYI you should (all) be aware of TAP-815*! Your assets** are readable
On Tue, 25 Aug 2009 09:44:35 -0300, Christian Riedel wrote:
FYI you should (all) be aware of TAP-815*! Your assets** are readable
for everybody!
AFAIK, this issue doesn't affect T5.0.18, as it happens only with
versioned assets, something that was introduced in T5.1.
--
Thiago H. de
FYI you should (all) be aware of TAP-815*! Your assets** are readable
for everybody!
It is certainly not as critical as in some pages named in this thread***
but in general it could cause some bad reputation for T5.
Apart from that I just can say: nice work! ;)
*jira ticket:
https://issues.ap
FYI
Here is the running t5 app: http://ping-service.appspot.com/
It uses T5.0.18 + Spring 3.0.0M4/JPA + Google
Datastore/Mail/Cron/URLFetch/Google Accounts Security
Works pretty well.
I had to implement some hacks to develop with t5 on the local dev server (t5
error page refuses to work properly th