On Tue, 25 Aug 2009 10:25:21 -0300, Onno Scheffers <o...@piraya.nl> wrote:

Apparently it does, since Christian also provided example-links.

I stand corrected.

I just checked and I can also publicly access resources like the web.xml and hibernate.cfg.xml on a webapp that is already in production using Tapestry 5.0.18. This is a *VERY* high priority security-issue with Tapestry IMO.

Have you ever found some insecure resource URL that doesn't include WEB-INF on it?

--
Thiago H. de Paula Figueiredo
Independent Java consultant, developer, and instructor
http://www.arsmachina.com.br/thiago
