FYI - The following modifications to ChecksumPath prevent the StringIndexOutOfBoundsException and allow the server to respond with a 404 error.

    public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
    {
        this.streamer = streamer;
        int slashx = extraPath.indexOf('/');

        // indexOf returns -1 when extraPath contains no '/', so guard before calling substring;
        // a slash-less path is treated as a bare checksum with an empty resource path
        checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;

        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";

        resourcePath = baseFolder == null
          ? morePath
          : baseFolder + "/" + morePath;
    }



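The failure and the guard side by side, as an added stand-alone example that is not code from the message above or from Tapestry itself: both parse functions are hypothetical models of the ChecksumPath constructor logic, and the inputs are constructed (the first one reproduces the reported "begin 0, end -1, length 8" exception).

```java
/** Hypothetical, self-contained model of ChecksumPath parsing; not Tapestry's own class. */
public final class ChecksumPathDemo {

    /** Pre-fix logic: assumes extraPath always contains a '/'. */
    static String[] parseUnguarded(String baseFolder, String extraPath) {
        int slashx = extraPath.indexOf('/');
        // indexOf returns -1 when no slash is present, so substring(0, -1) throws
        // StringIndexOutOfBoundsException instead of yielding a "not found" result
        String checksum = extraPath.substring(0, slashx);
        String morePath = extraPath.substring(slashx + 1);
        return new String[] { checksum, join(baseFolder, morePath) };
    }

    /** Post-fix logic: a slash-less path is a bare checksum with an empty resource path. */
    static String[] parseGuarded(String baseFolder, String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
        return new String[] { checksum, join(baseFolder, morePath) };
    }

    private static String join(String baseFolder, String morePath) {
        return baseFolder == null ? morePath : baseFolder + "/" + morePath;
    }

    public static void main(String[] args) {
        // Constructed inputs: "META-INF" is what /assets/META-INF leaves after the prefix is
        // stripped; the second is a well-formed checksum-plus-resource path.
        String[] inputs = { "META-INF", "abc123/css/app.css" };
        for (String extraPath : inputs) {
            try {
                String[] r = parseUnguarded(null, extraPath);
                System.out.println("unguarded " + extraPath + " -> checksum=" + r[0] + " resource=" + r[1]);
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("unguarded " + extraPath + " -> " + e);
            }
            String[] r = parseGuarded(null, extraPath);
            // An empty resource path is what lets the handler fall through to a 404
            System.out.println("guarded   " + extraPath + " -> checksum=" + r[0] + " resource='" + r[1] + "'");
        }
    }
}
```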
On 7/23/2020 11:39 PM, David Taylor wrote:
Hello Everyone,

We are very interested in seeing the 5.6.0 update out the door and decided to test out the patch for TAP5-2632. In the course of doing so we found another related issue.

When the path /assets/META-INF is entered in the browser it causes a StringIndexOutOfBoundsException in the constructor of the ChecksumPath class since the code does not guard against the possibility that indexOf will not find a match. Below is the offending code and the exception.

It seems that this needs to get patched to harden the application against bad input which is apparently very easy to devise. That was actually the first test string entered when testing the patch. Clearly Tapestry should not be responding to bad input with an exception.

int slashx = extraPath.indexOf('/');

java.lang.StringIndexOutOfBoundsException
begin 0, end -1, length 8

Best Regards,
David Taylor

On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
Hello, everyone!

I'd like to release Tapestry 5.6.0 as soon as possible. There's a security improvement and support for Java 14 bytecode. Anything else you believe is a blocker for this release?

Here are the tickets included in the 5.6.0 release:

- TAP5-2602 (Critical, Bug) <https://issues.apache.org/jira/browse/TAP5-2602>: 5.4 LinkSubmit does not work with Prototype JS. Assignee: Thiago Henrique De Paula Figueiredo. Status: CLOSED
- TAP5-2624 (Major, Improvement) <https://issues.apache.org/jira/browse/TAP5-2624>: Support Java 14 bytecode by upgrading embedded ASM version to 8.0.1. Assignee: Thiago Henrique De Paula Figueiredo. Status: RESOLVED
- TAP5-2631 (Major, Improvement) <https://issues.apache.org/jira/browse/TAP5-2631>: Make Tapestry forms more accessible with automatic generation of WAI-ARIA attributes. Assignee: Thiago Henrique De Paula Figueiredo. Status: CLOSED
- TAP5-2632 (Major, Bug) <https://issues.apache.org/jira/browse/TAP5-2632>: ContextAssetRequestHandler doesn't handle slashes in paths correctly. Assignee: Thiago Henrique De Paula Figueiredo. Status: RESOLVED
- TAP5-2626 (Minor, Improvement) <https://issues.apache.org/jira/browse/TAP5-2626>: Update Closure Compiler to latest version available (v20200628). Assignee: Thiago Henrique De Paula Figueiredo. Status: CLOSED




---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
For additional commands, e-mail: dev-h...@tapestry.apache.org
