Hello, everyone!

I've just uploaded 5.6.0-SNAPSHOT to the Apache Maven staging repository to make it easier for everyone to give it a spin without having to build from source. Unless something really bad comes up, I should follow with putting 5.6.0 to a vote without any changes from this snapshot. My plan, which everyone has a right to disagree with, is to have major stuff deferred to 5.7.0.

Feedback of all kinds welcome, as usual.

On Mon, Jul 27, 2020 at 1:58 AM David Taylor <david.tay...@extensiatech.com> wrote:

> Thanks. I will grab your changes and apply those to the patch we are
> using for the current release.
>
> David
>
> On 7/26/2020 3:12 PM, Thiago H. de Paula Figueiredo wrote:
> > Thanks! I ended up fixing this in a slightly different manner and
> > committed the fix.
> >
> > On Fri, Jul 24, 2020 at 1:11 AM David Taylor
> > <david.tay...@extensiatech.com> wrote:
> >
> >> FYI - The following modifications to ChecksumPath prevent the
> >> StringIndexOutOfBoundsException and allow the server to respond with a
> >> 404 error.
> >>
> >> public ChecksumPath(ResourceStreamer streamer, String baseFolder,
> >>         String extraPath)
> >> {
> >>     this.streamer = streamer;
> >>     int slashx = extraPath.indexOf('/');
> >>
> >>     checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
> >>
> >>     String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
> >>
> >>     resourcePath = baseFolder == null
> >>             ? morePath
> >>             : baseFolder + "/" + morePath;
> >> }
> >>
> >> On 7/23/2020 11:39 PM, David Taylor wrote:
> >>> Hello Everyone,
> >>>
> >>> We are very interested in seeing the 5.6.0 update out the door and
> >>> decided to test out the patch for TAP5-2632. In the course of doing so
> >>> we found another related issue.
> >>>
> >>> When the path /assets/META-INF is entered in the browser it causes a
> >>> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> >>> class since the code does not guard against the possibility that
> >>> indexOf will not find a match. Below is the offending code and the
> >>> exception.
> >>>
> >>> It seems that this needs to get patched to harden the application
> >>> against bad input which is apparently very easy to devise. That was
> >>> actually the first test string entered when testing the patch. Clearly
> >>> Tapestry should not be responding to bad input with an exception.
> >>>
> >>> int slashx = extraPath.indexOf('/');
> >>>
> >>> java.lang.StringIndexOutOfBoundsException
> >>> begin 0, end -1, length 8
> >>>
> >>> Best Regards,
> >>> David Taylor
> >>>
> >>> On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
> >>>> Hello, everyone!
> >>>>
> >>>> I'd like to release Tapestry 5.6.0 as soon as possible. There's a
> >>>> security improvement and support for Java 14 bytecode. Anything else
> >>>> you believe is a blocker for this release?
> >>>>
> >>>> Here are the tickets included in the 5.6.0 release:
> >>>>
> >>>> TAP5-2602 (Critical, Bug): 5.4 LinkSubmit does not work with
> >>>> Prototype JS
> >>>> <https://issues.apache.org/jira/browse/TAP5-2602>
> >>>> Thiago Henrique De Paula Figueiredo, CLOSED
> >>>>
> >>>> TAP5-2624 (Major, Improvement): Support Java 14 bytecode by
> >>>> upgrading embedded ASM version to 8.0.1
> >>>> <https://issues.apache.org/jira/browse/TAP5-2624>
> >>>> Thiago Henrique De Paula Figueiredo, RESOLVED
> >>>>
> >>>> TAP5-2631 (Major, Improvement): Make Tapestry forms more accessible
> >>>> with automatic generation WAI-ARIA attributes
> >>>> <https://issues.apache.org/jira/browse/TAP5-2631>
> >>>> Thiago Henrique De Paula Figueiredo, CLOSED
> >>>>
> >>>> TAP5-2632 (Major, Bug): ContextAssetRequestHandler doesn't handle
> >>>> slashes in paths correctly
> >>>> <https://issues.apache.org/jira/browse/TAP5-2632>
> >>>> Thiago Henrique De Paula Figueiredo, RESOLVED
> >>>>
> >>>> TAP5-2626 (Minor, Improvement): Update Closure Compiler to latest
> >>>> version available (v20200628)
> >>>> <https://issues.apache.org/jira/browse/TAP5-2626>
> >>>> Thiago Henrique De Paula Figueiredo, CLOSED
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
> >>> For additional commands, e-mail: dev-h...@tapestry.apache.org

--
Thiago
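The failure reported in the quoted thread, as an added example that is not part of the original messages or of Tapestry's source: it runs an unguarded split (reconstructed here from the reported exception, so an assumption) next to the guarded split from the posted constructor over constructed inputs. The class and method names are hypothetical, and the downstream asset lookup that produces the 404 is not modeled.

```java
// Added illustration, not Tapestry source; class and method names are hypothetical.
public class ChecksumPathSplitDemo {

    // Unguarded split, reconstructed (assumption) from the reported exception
    // "begin 0, end -1, length 8": indexOf returns -1 when there is no '/'.
    static String[] splitUnguarded(String baseFolder, String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = extraPath.substring(0, slashx); // throws when slashx == -1
        String morePath = extraPath.substring(slashx + 1);
        return new String[] { checksum, join(baseFolder, morePath) };
    }

    // Guarded split, following the constructor posted in the thread.
    static String[] splitGuarded(String baseFolder, String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
        return new String[] { checksum, join(baseFolder, morePath) };
    }

    static String join(String baseFolder, String morePath) {
        return baseFolder == null ? morePath : baseFolder + "/" + morePath;
    }

    // Runs one variant and reports either the parsed fields or the exception type.
    static String describe(String label, String baseFolder, String extraPath, boolean guarded) {
        try {
            String[] r = guarded ? splitGuarded(baseFolder, extraPath)
                                 : splitUnguarded(baseFolder, extraPath);
            return label + " checksum='" + r[0] + "' resourcePath='" + r[1] + "'";
        } catch (StringIndexOutOfBoundsException e) {
            return label + " threw " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs; "META-INF" (length 8) is assumed to be the extra
        // path left after "/assets/" in the reported request.
        String[] samples = { "META-INF", "abc123/css/site.css", "abc123/", "" };
        for (String extraPath : samples) {
            System.out.println("input '" + extraPath + "'");
            System.out.println(describe("  unguarded:", null, extraPath, false));
            System.out.println(describe("  guarded:  ", null, extraPath, true));
        }
    }
}
```

With the guarded split, a slash-less input yields the whole string as the checksum and an empty resource path, so the request can be rejected by the normal lookup instead of surfacing an unhandled exception.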