[TAP5-815] Asset dispatcher allows any file inside the webapp visible and downloadable - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Invalid
Affects Version/s: 5.1.0.6
Fix Version/s: 5.2.0, 5.0.19
Component/s: None
Labels:
None

Description

Take any asset and you have an URL like domain.com/assets/ctx/f10407a6c1753e39/css/main.css. If you request domain.com/assets/ctx/f10407a6c1753e39/, a list containing all the files inside the webapp root is shown. It gives you the hint at downloading any file you want, including anyting inside WEB-INF and assets that should be protected by ResourceDigestGenerator.

Attachments

Activity

People

Assignee:: Massimo Lusetti

Reporter:: Thiago Henrique De Paula Figueiredo

Votes:: 31 Vote for this issue

Watchers:: 24 Start watching this issue

Dates

Created:: 15/Aug/09 12:21

Updated:: 19/Oct/11 08:53

Resolved:: 19/Oct/11 08:53