Yes, Alex, the thread is from 2007, but the workaround that Martijn also lists here has been posted to the thread just 2 weeks ago.
I use it in my current T5.1 application and it works fine!

martijn.list wrote:
Alex Kotchnev wrote:
Christian,
   you seem to indicate that there's an easy fix for this on the mailing
list; however, the last discussion there is from around 2007; the module
that Robert is referring to is out of date (e.g. referring to old package
names, etc.). Any other tips on addressing this?

   I'm completely taken aback by such a gaping security hole in the
framework. Considering that this issue has been known since 2007, I'm
completely blown away that the framework doesn't provide a solution in T5
(not in T5.1).


I use the following code to whitelist some assets. Access to non-whitelisted assets is denied. I have only tested it with T 5.0.18.

Martijn Brinkers


// Imports needed by the excerpt below (added for completeness; the module class
// itself is not shown). Commons Lang 2 / Commons IO supply StringUtils and FilenameUtils.
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.ioc.annotations.Inject;
import org.apache.tapestry5.ioc.annotations.Value;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;
import org.slf4j.Logger;

private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png", "gif", "js", "css", "ico"};

/*
 * All the assets that are allowed to be downloaded using the assets service
 * (including files without extension and dirs).
 */
private static final Set<String> assetsWhitelist = Collections.synchronizedSet(
        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));

// Tapestry injects an org.slf4j.Logger into module methods; the original excerpt
// referenced a 'logger' that was not declared, so it is taken as a parameter here.
public void contributeHttpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter> configuration,
        final Logger logger,
        @Inject @Value("${access-denied-page}") final String accessDeniedPage)
{
    /*
     * Create a filter that will block access to some assets. The asset service allows
     * access to some assets we do not want to expose. The asset service will show all
     * files in the /assets/ directory and allows you (by default) to download some files
     * which you do not want to expose.
     */
    HttpServletRequestFilter filter = new HttpServletRequestFilter()
    {
        public boolean service(HttpServletRequest request, HttpServletResponse response,
                HttpServletRequestHandler handler) throws IOException
        {
            String path = request.getServletPath();

            // Deny any /assets request whose (lower-cased) extension is not whitelisted.
            // Files without an extension and directories yield "" and are therefore denied.
            if (path.startsWith("/assets")
                    && !assetsWhitelist.contains(StringUtils.lowerCase(FilenameUtils.getExtension(path))))
            {
                logger.warn("access to asset " + path + " denied");

                response.sendRedirect(request.getContextPath() + "/" + accessDeniedPage);

                // true: the request has been handled, do not pass it on to the asset service
                return true;
            }

            return handler.service(request, response);
        }
    };

    // Run this filter before every other HttpServletRequestFilter
    configuration.add("AssetProtectionFilter", filter, "before:*");
}
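Added example, not part of Martijn's post or of Tapestry itself: the whitelist decision from the filter above pulled out into a stand-alone class so the allow/deny outcome can be checked against sample paths without a servlet container. The class name, the helper `extensionOf` (which mirrors what `FilenameUtils.getExtension` does for these inputs) and the sample paths are all assumptions constructed for the illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hypothetical stand-alone check reproducing the filter's allow/deny decision. */
public final class AssetWhitelistCheck {
    // Same extension whitelist as in the filter
    private static final Set<String> ALLOWED = new HashSet<String>(
            Arrays.asList("jpg", "jpeg", "png", "gif", "js", "css", "ico"));

    /** Text after the last '.' of the final path segment, or "" when there is none. */
    static String extensionOf(String path) {
        int slash = path.lastIndexOf('/');
        int dot = path.lastIndexOf('.');
        return dot > slash ? path.substring(dot + 1) : "";
    }

    /** true when the request may reach the asset service, false when the filter would deny it. */
    static boolean isAllowed(String servletPath) {
        if (!servletPath.startsWith("/assets")) {
            return true; // not an asset request: the filter lets it pass through
        }
        String ext = extensionOf(servletPath).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(ext); // "" (no extension / directory) is never in the set
    }

    public static void main(String[] args) {
        // Constructed sample servlet paths with the outcome the filter produces
        String[] samples = {
            "/assets/app/images/logo.PNG",  // allowed: extension match is case-insensitive
            "/assets/app/css/site.css",     // allowed
            "/assets/app/",                 // denied: directory, no extension
            "/assets/app/notes.txt",        // denied: extension not whitelisted
            "/assets/app/README",           // denied: no extension
            "/start",                       // not an asset request: untouched
        };
        for (String p : samples) {
            System.out.printf("%-32s %s%n", p, isAllowed(p) ? "allowed" : "denied");
        }
    }
}
```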

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
For additional commands, e-mail: users-h...@tapestry.apache.org