
Configuration of AppCacheBusterFilter

Khairwa
Explorer
0 Kudos

Dear All,

The configuration of AppCacheBusterFilter in web.xml is:

<filter>
  <display-name>AppCacheBusterFilter</display-name>
  <filter-name>AppCacheBusterFilter</filter-name>
  <filter-class>com.sap.ui5.resource.AppCacheBusterFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>AppCacheBusterFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

The problem here is that the WEB-INF folder is now accessible via URLs.

Can anyone point out any configuration issues?

Regards

Rajesh Khairwa

former_member182372
Active Contributor
0 Kudos

What exactly is a problem?

AppCacheBusterFilter config is easy: just filter and mapping (same as you posted).

Khairwa
Explorer
0 Kudos

Hi Maksim,

On the Tomcat server, the WEB-INF folder is not directly accessible through a URL.

Example: http://myapp/WEB-INF/web.xml returns HTTP error code 404.

But after activating this filter, the WEB-INF folder contents can be accessed by URL.

Example: http://myapp/~434447778~/WEB-INF/web.xml displays the contents of the web.xml file.

This is a possible vulnerability.

How can we fix it?

Kherwa

former_member182372
Active Contributor
0 Kudos

REALLY??

In the code I see:

    private void buildResourceIndex(ServletContext context, ResourceLocator locator, String parentResourcePath, Map infoJsonMap)
    {
        Set s = context.getResourcePaths(parentResourcePath);
        Iterator it = s.iterator();
        do
        {
            if(!it.hasNext())
                break;
            String resourcePath = (String)it.next();
            if(!"/META-INF/".equals(resourcePath) && !"/WEB-INF/".equals(resourcePath) && !"/OSGI-INF/".equals(resourcePath))
            {

former_member182372
Active Contributor
0 Kudos

Check what values are in sap-ui-cachebuster-info.json (in browser dev tools, Network tab).

Khairwa
Explorer
0 Kudos

The sap-ui-cachebuster-info.json file is attached as a text file.

I think the above code creates this "sap-ui-cachebuster-info.json" file, but the doFilter method doesn't use the above resource index while serving content.

So URLs containing WEB-INF/META-INF don't get filtered out.
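The diagnosis above (the index excludes WEB-INF, META-INF and OSGI-INF, but the request path that doFilter serves is never checked against it) suggests a defensive workaround that can be applied at the deployment level while a vendor fix is pending: a second filter that runs ahead of AppCacheBusterFilter, strips the cache-buster token segment and rejects anything whose remaining path points into a container-protected directory. The class below is an added example written for this thread; it is not part of SAPUI5 or of AppCacheBusterFilter. The class name CacheBusterPathGuardFilter is hypothetical, and the token format `/~digits~/` is assumed from the URL quoted in the thread.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical guard filter (not part of SAPUI5 or AppCacheBusterFilter).
 * Mapped to /* and listed before AppCacheBusterFilter in web.xml, it strips
 * the cache-buster token segment and refuses any request whose remaining
 * path reaches a directory the container normally hides.
 */
public class CacheBusterPathGuardFilter implements Filter {

    // Token segment as seen in the thread, e.g. "/~434447778~/" (assumed format).
    private static final Pattern TOKEN_SEGMENT = Pattern.compile("/~[^/]*~(?=/|$)");

    // Top-level directories the servlet spec excludes from direct URL access.
    private static final String[] PROTECTED_DIRS = { "WEB-INF", "META-INF", "OSGI-INF" };

    /** Removes the first cache-buster token segment, leaving the real resource path. */
    static String stripToken(String path) {
        return TOKEN_SEGMENT.matcher(path).replaceFirst("");
    }

    /** True when the token-free path is a traversal or enters a protected directory. */
    static boolean isProtectedPath(String path) {
        String firstSegment = null;
        for (String segment : path.split("/")) {
            if (segment.isEmpty()) {
                continue;                       // leading or doubled slashes
            }
            if ("..".equals(segment)) {
                return true;                    // traversal left over after token removal
            }
            if (firstSegment == null) {
                firstSegment = segment;
            }
        }
        if (firstSegment == null) {
            return false;                       // the context root itself
        }
        // Case-insensitive: on a Windows file system /web-inf/ would otherwise slip through.
        String upper = firstSegment.toUpperCase(Locale.ROOT);
        for (String dir : PROTECTED_DIRS) {
            if (dir.equals(upper)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // servletPath + pathInfo is the decoded path below the context root,
        // e.g. "/~434447778~/WEB-INF/web.xml"; checking the decoded form means
        // percent-encoded spellings are judged the same way as plain ones.
        String path = req.getServletPath() + (req.getPathInfo() == null ? "" : req.getPathInfo());

        if (isProtectedPath(stripToken(path))) {
            // Same status the container returns for a direct request, so the
            // token does not reveal whether the protected file exists.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }
}
```

To activate it, declare a `<filter>` for CacheBusterPathGuardFilter and a `<filter-mapping>` with `<url-pattern>/*</url-pattern>` in web.xml, placed before the AppCacheBusterFilter mapping: the container applies filters in the order their filter-mapping elements appear, so the guard sees the raw request first and AppCacheBusterFilter only receives paths that have already passed the check. With this in place a request such as http://myapp/~434447778~/WEB-INF/web.xml gets the same 404 as http://myapp/WEB-INF/web.xml.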