Versions Compared

Old Version 3

changes.mady.by.user Howard Ship

Saved on

compared with

New Version 4

changes.mady.by.user Howard Ship

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • A malicious client copies the URL, /assets/1.0.0/fooapp/pages/icon.png,
    Footnote

    This would indicate that the Login page is actually inside a library, which is unlikely. More likely, icon.png is a context asset and the malicious user guessed the path for Login.class by looking at the Tapestry source code.

    and changes the file name to Login.class.

...

When your code exposes an Asset, the URL will automatically include the query parameter if the file type is secured. The malicious user is locked out of access to the files

Footnote

Unless they already have the files so that they can generate the MD5 checksum ... to get access to the files they already have.

.

By default, Tapestry secures file extensions ".class', ".tml" and ".properties". The list can be extended by contributing to the ResourceDigestGenerator service contribution.

...