Benny,
   indeed that would be the case for a "traditional" web framework that
serves web application assets (e.g. stylesheets, images, javascript) only
from the publicly available directories (e.g. outside of WEB-INF). However,
because of T5's component nature , if you deployed a component (e.g. as a
jar in the web app) it might need to access assets from the classpath (e.g.
from the component jar). Hence, currently there is a wide gaping security
whole in a "stock" T5 application's Asset service, that it can access any
files on the classpath (e.g. property files, .tml source, etc). There is an
issue filed for this , some improvements in T5.1, and a few decent solutions
(as the posting above mentions), but the framework is still very vulnerable.


Cheers,

Alex K

On Thu, Sep 10, 2009 at 8:56 AM, Benny Law <benny.mk....@gmail.com> wrote:

> Pardon me if I am mistaken, but shouldn't .class and .tml files be under
> WEB-INF and hence inaccessible automatically?
>
> Benny
>
> On Thu, Sep 10, 2009 at 2:52 AM, martijn.list <martijn.l...@gmail.com
> >wrote:
>
> > Angelo Chen wrote:
> >
> >> how to close access to ".class" and ".tml"?
> >>
> >>
> >
> > This has been posted to the list multiple times so I another time
> wouldn't
> > hurt ;)
> >
> >
> > I use the following code to whitelist some assets. Access to non white
> > listed assets is denied.
> >
> > Add to your application module:
> >
> >
> > private static final String[] ASSET_WHITE_LIST = {"jpg", "jpeg", "png",
> > "gif", "js", "css", "ico"};
> >
> > /*
> >  * All the assets that are allowed to be downloaded using the assets
> > service (including files without extension and dirs)
> >  */
> > private static final Set<String> assetsWhitelist =
> > Collections.synchronizedSet(
> >        new HashSet<String>(Arrays.asList(ASSET_WHITE_LIST)));
> >
> > public void
> >
> contributeHttpServletRequestHandler(OrderedConfiguration<HttpServletRequestFilter>
> > configuration,
> >        @Inject @Value("${access-denied-page}") final String
> > accessDeniedPage)
> > {
> >    /*
> >     * Create a filter that will block access to some assets. The asset
> > service allows access to some assets we do
> >     * not want to expose. The asset service will show all files in
> /assets/
> > directory and allows you (by default)
> >     * to download some files which you do not want to expose.
> >     */
> >    HttpServletRequestFilter filter = new HttpServletRequestFilter()
> >    {
> >        public boolean service(HttpServletRequest request,
> > HttpServletResponse response, HttpServletRequestHandler handler)
> >        throws IOException
> >        {
> >            String path = request.getServletPath();
> >
> >            if (path.startsWith("/assets") && (!assetsWhitelist.contains(
> >
> > StringUtils.lowerCase(FilenameUtils.getExtension(path)))))
> >            {
> >                logger.warn("access to asset " + path + " denied");
> >
> >                response.sendRedirect(request.getContextPath() + "/" +
> > accessDeniedPage);
> >
> >                return true;
> >            }
> >
> >            return handler.service(request, response);
> >        }
> >    };
> >
> >    configuration.add("AssetProtectionFilter", filter , "before:*");
> > }
> >
> >
> >
> >> Sergey Didenko wrote:
> >>
> >>> BTW, it's worth to remind again everyone who is going to publish their
> >>> site urls, to close the access to ".class" and ".tml" files .
> >>>
> >>> On Tue, Sep 8, 2009 at 6:46 PM, Massimo Lusetti <mluse...@gmail.com>
> >>> wrote:
> >>>
> >>>> On Tue, Sep 8, 2009 at 5:27 PM, Thiago H. de Paula
> >>>> Figueiredo<thiag...@gmail.com> wrote:
> >>>>
> >>>>  Hi!
> >>>>>
> >>>>> I guess this was already discussed some time ago, but I couldn't find
> >>>>> it. :(
> >>>>> Anyway, it's been a long time, so let's get it started again. ;)
> >>>>>
> >>>>> Tapestry is a wonderful framework, but it isn't the best known one
> >>>>> around.
> >>>>> Sometimes, managers ask us to provide some projects/sites/success
> >>>>> stories/etc using it so they can be more confident about Tapestry.
> >>>>> There's a
> >>>>> Success Stories page in the wiki
> >>>>> (http://wiki.apache.org/tapestry/SuccessStories), but it hasn't had
> >>>>> any
> >>>>> edit
> >>>>> since 2007-10-05.
> >>>>>
> >>>>> What about sharing your success stories with us, promoting Tapestry
> >>>>> (specially T5)? If the project is a public website, please post the
> URL
> >>>>> here. I think we should have a list of Tapestry-powered sites.
> >>>>>
> >>>>> Thanks in advance.
> >>>>>
> >>>> It would be great to have that page more up to date but i remember
> >>>> Howard asking for "private" user stories and more then one have
> >>>> replied him even personally so i guess if that would make sense too to
> >>>> have that stories online.
> >>>> Do i remember correctly Howard?
> >>>>
> >>>> --
> >>>> Massimo
> >>>> http://meridio.blogspot.com
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> >>>> For additional commands, e-mail: users-h...@tapestry.apache.org
> >>>>
> >>>>
> >>>>  ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> >>> For additional commands, e-mail: users-h...@tapestry.apache.org
> >>>
> >>>
> >>>
> >>>
> >>
> >
> > --
> > Djigzo open source email encryption
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> > For additional commands, e-mail: users-h...@tapestry.apache.org
> >
> >
>

Reply via email to