Thanks! I ended up fixing this in a slightly different manner and committed the fix.
On Fri, Jul 24, 2020 at 1:11 AM David Taylor <david.tay...@extensiatech.com> wrote:
> FYI - The following modifications to ChecksumPath prevent the
> StringIndexOutOfBoundsException and allow the server to respond with a
> 404 error.
>
>     public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
>     {
>         this.streamer = streamer;
>         // indexOf returns -1 when extraPath contains no slash (e.g. "META-INF")
>         int slashx = extraPath.indexOf('/');
>
>         checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
>
>         String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
>
>         resourcePath = baseFolder == null
>             ? morePath
>             : baseFolder + "/" + morePath;
>     }
>
> On 7/23/2020 11:39 PM, David Taylor wrote:
> > Hello Everyone,
> >
> > We are very interested in seeing the 5.6.0 update out the door and
> > decided to test out the patch for TAP5-2632. In the course of doing so
> > we found another related issue.
> >
> > When the path /assets/META-INF is entered in the browser it causes a
> > StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> > class since the code does not guard against the possibility that
> > indexOf will not find a match. Below is the offending code and the
> > exception.
> >
> > It seems that this needs to get patched to harden the application
> > against bad input which is apparently very easy to devise. That was
> > actually the first test string entered when testing the patch. Clearly
> > Tapestry should not be responding to bad input with an exception.
> >
> >     int slashx = extraPath.indexOf('/');
> >
> >     java.lang.StringIndexOutOfBoundsException
> >     begin 0, end -1, length 8
> >
> > Best Regards,
> > David Taylor
> >
> > On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
> >> Hello, everyone!
> >>
> >> I'd like to release Tapestry 5.6.0 as soon as possible. There's a
> >> security improvement and support for Java 14 bytecode. Anything else
> >> you believe is a blocker for this release?
> >>
> >> Here are the tickets included in the 5.6.0 release:
> >>
> >> TAP5-2602 (Critical, Bug) 5.4 LinkSubmit does not work with Prototype JS
> >> <https://issues.apache.org/jira/browse/TAP5-2602>
> >> Thiago Henrique De Paula Figueiredo - CLOSED
> >>
> >> TAP5-2624 (Major, Improvement) Support Java 14 bytecode by upgrading
> >> embedded ASM version to 8.0.1
> >> <https://issues.apache.org/jira/browse/TAP5-2624>
> >> Thiago Henrique De Paula Figueiredo - RESOLVED
> >>
> >> TAP5-2631 (Major, Improvement) Make Tapestry forms more accessible
> >> with automatic generation of WAI-ARIA attributes
> >> <https://issues.apache.org/jira/browse/TAP5-2631>
> >> Thiago Henrique De Paula Figueiredo - CLOSED
> >>
> >> TAP5-2632 (Major, Bug) ContextAssetRequestHandler doesn't handle
> >> slashes in paths correctly
> >> <https://issues.apache.org/jira/browse/TAP5-2632>
> >> Thiago Henrique De Paula Figueiredo - RESOLVED
> >>
> >> TAP5-2626 (Minor, Improvement) Update Closure Compiler to latest
> >> version available (v20200628)
> >> <https://issues.apache.org/jira/browse/TAP5-2626>
> >> Thiago Henrique De Paula Figueiredo - CLOSED
> >>
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
> > For additional commands, e-mail: dev-h...@tapestry.apache.org
>

-- 
Thiago
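The two parsing variants discussed in the thread side by side, as an added Java illustration that is not Tapestry's own code: `parseUnguarded` reproduces the `substring(0, indexOf('/'))` pattern that throws on a bare "META-INF" path, and `parseGuarded` follows the shape of the fix David posted. The class and method names (`ChecksumPathDemo`, `Parsed`, `parseUnguarded`, `parseGuarded`) are assumed for this demo only.

```java
// Added illustration, not Tapestry's code: guarded vs. unguarded splitting of the asset path.
public final class ChecksumPathDemo {

    /** Holds the split result; field names mirror the ones used in the thread. */
    static final class Parsed {
        final String checksum;
        final String resourcePath;
        Parsed(String checksum, String resourcePath) {
            this.checksum = checksum;
            this.resourcePath = resourcePath;
        }
        @Override public String toString() {
            return "checksum=" + checksum + " resourcePath=\"" + resourcePath + "\"";
        }
    }

    /** Unguarded: indexOf yields -1 when there is no slash, and substring(0, -1) throws. */
    static Parsed parseUnguarded(String baseFolder, String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = extraPath.substring(0, slashx);   // "begin 0, end -1, length 8" for "META-INF"
        String morePath = extraPath.substring(slashx + 1);
        return new Parsed(checksum, baseFolder == null ? morePath : baseFolder + "/" + morePath);
    }

    /** Guarded (the shape of the posted fix): no slash means an empty resource tail. */
    static Parsed parseGuarded(String baseFolder, String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
        return new Parsed(checksum, baseFolder == null ? morePath : baseFolder + "/" + morePath);
    }

    public static void main(String[] args) {
        // Constructed inputs: a normal checksum-prefixed asset path and the bare path from the report.
        String[] inputs = { "abc123/css/app.css", "META-INF" };
        for (String extraPath : inputs) {
            System.out.println("input: " + extraPath);
            try {
                System.out.println("  unguarded -> " + parseUnguarded(null, extraPath));
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("  unguarded -> " + e);
            }
            Parsed p = parseGuarded(null, extraPath);
            // An empty resource tail is what lets the caller answer 404 instead of propagating an exception.
            System.out.println("  guarded   -> " + p + (p.resourcePath.isEmpty() ? "  (no resource: 404)" : ""));
        }
    }
}
```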