...
Tapestry generates a URL for every asset (whether a context asset or a classpath asset). The URL has the form /assets/application version number/folder/path, where:
- application version number: defined by the symbol tapestry.application-version in your application module (normally AppModule.java). The default is a random hex number.
- folder: identifies the library containing the asset, or "ctx" for a context asset, or "stack" (used when combining multiple JavaScript files into a single virtual asset).
- path: the path below the root package of the library to the specific asset file.
...
- Your Login page exposes a classpath asset, icon.png.
- A malicious client copies the URL, /assets/1.0.0/app/pages/icon.png, and changes the file name to Login.class. (Footnote: this would indicate that the Login page is actually inside a library, which is unlikely. More likely, icon.png is a context asset and the malicious user guessed the path for Login.class by looking at the Tapestry source code.)
- The client decompiles the class file and spots your secret emergency password: goodbye security! (Footnote: never create such back doors, of course!)
Fortunately, this can't happen. Files with extension ".class" are secured: the URL must carry a query parameter whose value is the MD5 hash of the file's contents. If the query parameter is absent, or doesn't match the actual file's contents, the request is rejected. A URL that Tapestry generates for such an asset includes the parameter; a hand-edited URL like the one above does not, and an attacker who could compute the hash would already have the file.
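The following is an added illustration of the two mechanisms above, the /assets/version/folder/path URL layout and the content-hash check on ".class" files; it is example code written for this page, not Tapestry's own implementation. It assumes the query parameter is named "h" (the page does not give its name), takes the version "1.0.0" and folder "app" from the example URL, and uses constructed placeholder bytes in place of real files.

```python
import hashlib
from typing import Optional, Tuple
from urllib.parse import urlsplit, parse_qs

# Constructed stand-ins for files below a library's root package.
# A real Tapestry application reads these from the classpath; the bytes
# here are placeholders, not real PNG or class-file contents.
CLASSPATH_FILES = {
    "pages/icon.png": b"\x89PNG\r\n\x1a\n" + b"constructed icon bytes",
    "pages/Login.class": b"\xca\xfe\xba\xbe" + b"constructed class bytes",
}

APP_VERSION = "1.0.0"    # tapestry.application-version in the page's example URL
LIBRARY_FOLDER = "app"   # library folder in the page's example URL
HASH_PARAM = "h"         # assumed parameter name; the page does not state it


def content_md5(data: bytes) -> str:
    """Hex MD5 of the file's contents, the value that must travel in the URL."""
    return hashlib.md5(data).hexdigest()


def is_secured(path: str) -> bool:
    """Only files with extension '.class' get the hash check; others are served as-is."""
    return path.endswith(".class")


def asset_url(version: str, folder: str, path: str,
              content: Optional[bytes] = None) -> str:
    """Build /assets/<version>/<folder>/<path>, adding the content hash for secured files."""
    url = f"/assets/{version}/{folder}/{path}"
    if is_secured(path):
        if content is None:
            raise ValueError("secured asset needs its contents to compute the hash")
        url += f"?{HASH_PARAM}={content_md5(content)}"
    return url


def serve_asset(request_url: str, files=CLASSPATH_FILES) -> Tuple[int, bytes]:
    """Toy asset dispatcher: returns (HTTP status, body)."""
    parts = urlsplit(request_url)
    segments = parts.path.split("/")          # ['', 'assets', version, folder, path...]
    if len(segments) < 5 or segments[1] != "assets":
        return 404, b""
    version, folder, path = segments[2], segments[3], "/".join(segments[4:])
    if version != APP_VERSION or folder != LIBRARY_FOLDER:
        return 404, b""
    data = files.get(path)
    if data is None:
        return 404, b""
    if is_secured(path):
        supplied = parse_qs(parts.query).get(HASH_PARAM, [None])[0]
        # Hash absent or not matching the file's actual contents: reject the request.
        if supplied is None or supplied != content_md5(data):
            return 403, b""
    return 200, data


if __name__ == "__main__":
    forged = "/assets/1.0.0/app/pages/Login.class"     # the attacker's edited URL
    print(forged, "->", serve_asset(forged)[0])         # 403
    legit = asset_url(APP_VERSION, LIBRARY_FOLDER, "pages/Login.class",
                      CLASSPATH_FILES["pages/Login.class"])
    print(legit, "->", serve_asset(legit)[0])           # 200
```

The unsecured icon.png is served without any hash, the hand-edited Login.class URL is refused, and only a URL built from the file's real contents succeeds. Note that the check protects ".class" files specifically; other files placed under a page's package are served on request, so secrets do not belong anywhere in the classpath asset tree.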
...