On Fri, Jul 24, 2020 at 12:39 AM David Taylor <david.tay...@extensiatech.com> wrote:

> Hello Everyone,
>

Hello!

> We are very interested in seeing the 5.6.0 update

So am I, so I'm planning to get a release ready for voting soon.

> out the door and
> decided to test out the patch for TAP5-2632. In the course of doing so
> we found another related issue.
>

Thanks for testing!

> When the path /assets/META-INF is entered in the browser it causes a
> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> class since the code does not guard against the possibility that indexOf
> will not find a match. Below is the offending code and the exception.
>
> It seems that this needs to get patched to harden the application
> against bad input which is apparently very easy to devise. That was
> actually the first test string entered when testing the patch. Clearly
> Tapestry should not be responding to bad input with an exception.
>
> int slashx = extraPath.indexOf('/');
>
> java.lang.StringIndexOutOfBoundsException
> begin 0, end -1, length 8
>

I'll take care of that.

> Best Regards,
> David Taylor
>
> On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
> > Hello, everyone!
> >
> > I'd like to release Tapestry 5.6.0 as soon as possible. There's a security
> > improvement and support for Java 14 bytecode. Anything else you believe is
> > a blocker for this release?
> >
> > Here are the tickets included in the 5.6.0 release:
> >
> > - TAP5-2602 <https://issues.apache.org/jira/browse/TAP5-2602>
> >   (Critical, Bug) 5.4 LinkSubmit does not work with Prototype JS
> >   Thiago Henrique De Paula Figueiredo, CLOSED
> > - TAP5-2624 <https://issues.apache.org/jira/browse/TAP5-2624>
> >   (Major, Improvement) Support Java 14 bytecode by upgrading embedded
> >   ASM version to 8.0.1
> >   Thiago Henrique De Paula Figueiredo, RESOLVED
> > - TAP5-2631 <https://issues.apache.org/jira/browse/TAP5-2631>
> >   (Major, Improvement) Make Tapestry forms more accessible with
> >   automatic generation WAI-ARIA attributes
> >   Thiago Henrique De Paula Figueiredo, CLOSED
> > - TAP5-2632 <https://issues.apache.org/jira/browse/TAP5-2632>
> >   (Major, Bug) ContextAssetRequestHandler doesn't handle slashes in
> >   paths correctly
> >   Thiago Henrique De Paula Figueiredo, RESOLVED
> > - TAP5-2626 <https://issues.apache.org/jira/browse/TAP5-2626>
> >   (Minor, Improvement) Update Closure Compiler to latest version
> >   available (v20200628)
> >   Thiago Henrique De Paula Figueiredo, CLOSED
>

--
Thiago
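
The failure mode reported above, as an added example that is not part of the thread and is not Tapestry's ChecksumPath code: an unguarded indexOf/substring split next to a guarded one. The class and method names, the assumed "<checksum>/<resource path>" layout of extraPath, the sample inputs and the "404" handling are all assumptions made for illustration (Java 16+ for the record).

```java
import java.util.List;
import java.util.Optional;

// Added illustration; hypothetical names, not Tapestry's own classes.
public class ExtraPathSplitDemo {

    // The two parts of an assumed "<checksum>/<resource path>" extra path.
    record Split(String checksum, String resourcePath) {}

    // Unguarded pattern: assumes indexOf always finds a slash.
    static Split splitUnguarded(String extraPath) {
        int slashx = extraPath.indexOf('/');
        // slashx is -1 when there is no '/', so substring(0, -1) throws.
        return new Split(extraPath.substring(0, slashx), extraPath.substring(slashx + 1));
    }

    // Guarded form: malformed input yields an empty result instead of an exception.
    static Optional<Split> splitGuarded(String extraPath) {
        if (extraPath == null) {
            return Optional.empty();
        }
        int slashx = extraPath.indexOf('/');
        // Reject: no slash (-1), empty checksum (0), or nothing after the slash.
        if (slashx <= 0 || slashx == extraPath.length() - 1) {
            return Optional.empty();
        }
        return Optional.of(new Split(extraPath.substring(0, slashx), extraPath.substring(slashx + 1)));
    }

    public static void main(String[] args) {
        // Constructed inputs; "META-INF" is what is left of /assets/META-INF.
        List<String> samples = List.of("META-INF", "abc123/META-INF/x.css", "/x.css", "abc123/", "");
        for (String s : samples) {
            String unguarded;
            try {
                unguarded = splitUnguarded(s).toString();
            } catch (StringIndexOutOfBoundsException e) {
                unguarded = "throws: " + e.getMessage();
            }
            // Assumption: the caller turns an empty result into a 404 response.
            String guarded = splitGuarded(s).map(Split::toString).orElse("rejected (caller answers 404)");
            System.out.printf("%-24s unguarded: %s%n%-24s guarded:   %s%n", "\"" + s + "\"", unguarded, "", guarded);
        }
    }
}
```

For the input "META-INF" the unguarded method throws the same "begin 0, end -1, length 8" exception quoted in the report, while "/x.css" and "abc123/" show that a bare -1 check would still let an empty checksum or an empty resource path through.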