On Thu, Jan 16, 2020 at 6:22 AM Nicolas Bouillon wrote:
> Hi all,
>
Hello!
Thanks for posting your findings.
It should be noted that Tapestry considers anything under /WEB-INF/assets
to be public files. In other words, files which are intended to be seen. So,
while it's not ideal to have file li
I believe Dmitry's solution will only work for assets on the classpath
(under src/main/resources/META-INF/assets), because it is a
ClasspathAssetProtectionRule. However, the same directory listing problem
seems to exist for context asset directories (subdirectories under
src/main/webapp), so a diff
My previous rule didn't work for JAR resources, here's an improved version
of regex pattern rule:
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.ioc.annotations.Symbol;
import org.apache.tapestry5.services.ClasspathAssetProtectionRule;
import java.util.regex.Matcher;
imp
Looking a bit further, it does make sense to me to block all directory
requests in ClasspathAssetRequestHandler by default,
as directory listing is not something you'd expect to receive via HTTP.
That workaround won't work if you have a folder with a dot in the name though,
so something more type-safe
Hi,
Thank you for the quick reply, I've added the following rule in my AppModule.
@Contribute(ClasspathAssetProtectionRule.class)
public static void contributeClasspathAssetProtectionRule(
        OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
{
    ClasspathAssetProtectionRule fileWithDot = (s) ->
!s.toLowe
Hi,
I wasn't aware of it, thanks for bringing it up.
From what I found in code, AssetsModule contributes three asset protection
rules: for .xml, .class, and .properties files:
public static void contributeClasspathAssetProtectionRule(
        OrderedConfiguration<ClasspathAssetProtectionRule> configuration)
{
ClasspathA
Hi all,
Following a pen-test of our application, it has been raised that the
list of assets is visible as a directory listing.
For example, we have a javascript file available at this location
/assets/meta/z58f7f3d4/javascript/library.js but when we access
/assets/meta/z58f7f3d4/javascript/ the w
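
The limitation raised in the thread (a name-based rule misses a folder with a dot in its name) next to a check on the type of the resolved resource. This is an added example, not code from the thread or from Tapestry. The method names and the temporary asset tree are constructed, `blockedByName` is an assumed form of the truncated rule, and `blockedByType` covers file-system resources only, not JAR entries.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class DirectoryRuleDemo {

    // Name-based heuristic (assumed form): block any request whose last
    // path segment has no dot, i.e. one that "looks like" a folder.
    static boolean blockedByName(String path) {
        String last = path.substring(path.lastIndexOf('/') + 1);
        return !last.contains(".");
    }

    // Type-based check: resolve the request under the asset root and block
    // it when it is a directory or normalizes to a location outside the root.
    static boolean blockedByType(Path root, String path) {
        Path resolved = root.resolve(path.replaceFirst("^/+", "")).normalize();
        return !resolved.startsWith(root) || Files.isDirectory(resolved);
    }

    public static void main(String[] args) throws IOException {
        // Constructed asset tree with a dotted folder name (jquery.ui).
        Path root = Files.createTempDirectory("assets").toRealPath();
        Files.createDirectories(root.resolve("javascript/jquery.ui"));
        Files.createFile(root.resolve("javascript/library.js"));
        Files.createFile(root.resolve("javascript/jquery.ui/widget.js"));

        String[] requests = {
            "/javascript/library.js",          // regular file
            "/javascript/",                    // directory, trailing slash
            "/javascript",                     // directory, no trailing slash
            "/javascript/jquery.ui",           // directory with a dot in its name
            "/javascript/jquery.ui/widget.js"  // file inside the dotted directory
        };
        for (String r : requests) {
            System.out.printf("%-34s name-rule blocks=%-5b type-rule blocks=%b%n",
                    r, blockedByName(r), blockedByType(root, r));
        }
    }
}
```

The two rules disagree only on `/javascript/jquery.ui`, which the name-based rule lets through because the folder name contains a dot.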