Tapestry / TAPESTRY-1175

security flaw - unprotected asset regexp paths allow access to other things

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 4.1.1
    • Fix Version/s: 4.1.1
    • Component/s: Framework
    • Labels:
      None
    • Environment:
      any

      Description

      As pointed out on the dev list, the current basic strings "dojo/" and "tapestry/" aren't enough to prevent access to other resources (such as a class in a package like foo.tapestry.pages).

      Investigate using the beginning of line specifier "^" or whatever else works. This definitely needs to be fixed before 4.1.1 goes out.

        Activity

        Jesse Kuhnert added a comment -

        Fixed via suggestion of "^" begin of line regexp.
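
The difference between the unanchored strings in the description and the "^" fix in the comment, shown as an added example that is not Tapestry's own code. It assumes the unprotected-asset check is a regex search over the classpath-relative resource path; the class name, the `isUnprotected` helper and the sample paths are hypothetical.

```java
import java.util.List;
import java.util.regex.Pattern;

public class AssetPatternCheck {
    // Unanchored patterns, as in the description: they match anywhere in the path.
    static final List<Pattern> UNANCHORED = List.of(
            Pattern.compile("dojo/"), Pattern.compile("tapestry/"));

    // Anchored patterns, as in the fix: they match only at the start of the path.
    static final List<Pattern> ANCHORED = List.of(
            Pattern.compile("^dojo/"), Pattern.compile("^tapestry/"));

    // Hypothetical helper: true if any pattern is found in the path,
    // modelling a "contains"-style regex check (assumption about the matcher).
    static boolean isUnprotected(List<Pattern> patterns, String path) {
        for (Pattern p : patterns) {
            if (p.matcher(path).find()) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, not taken from Tapestry itself.
        String[] paths = {
            "dojo/dojo.js",                          // intended public asset
            "tapestry/core.js",                      // intended public asset
            "foo/tapestry/pages/Home.class",         // class in foo.tapestry.pages
            "com/example/dojo/Internal.properties",  // unrelated package containing "dojo/"
        };
        for (String path : paths) {
            System.out.printf("%-40s unanchored=%-5b anchored=%b%n",
                    path,
                    isUnprotected(UNANCHORED, path),
                    isUnprotected(ANCHORED, path));
        }
    }
}
```

The first two paths are unprotected under both pattern sets; the last two are unprotected only under the unanchored set, which is the exposure this issue describes.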


          People

          • Assignee: Jesse Kuhnert
          • Reporter: Jesse Kuhnert
          • Votes: 0
          • Watchers: 0
