[jira] Closed: (TAP5-1057) XSS vulnerability in calendar component

2010-09-01 Thread Christophe Cordenier (JIRA)

 [ 
https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Christophe Cordenier closed TAP5-1057.
--

Resolution: Fixed

Cloned instead of re-opening.

 XSS vulnerability in calendar component
 ---

 Key: TAP5-1057
 URL: https://issues.apache.org/jira/browse/TAP5-1057
 Project: Tapestry 5
  Issue Type: Bug
  Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: François Facon
Assignee: Christophe Cordenier
 Fix For: 5.2.0

 Attachments: datefield_js.patch, datefield_js.patch


 The calendar component provided in tapestry 5.1.0.5 could be used to allow 
 code injection by malicious web users into any page that uses datefield.
 To reproduce the vulnerability, put js code like <script>alert("T5 is 
 great");</script> in any datefield and click on the related calendar bitmap.
 After a quick search in the DateField.js, it seems like the field value is not 
 escaped. Escaping the field value with a change like var value = escape($F(this.field)); 
 seems to solve this vulnerability.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.



[jira] Created: (TAP5-1262) XSS vulnerability in calendar component (apply to 5.1.0.x)

2010-09-01 Thread Christophe Cordenier (JIRA)
XSS vulnerability in calendar component (apply to 5.1.0.x)
--

 Key: TAP5-1262
 URL: https://issues.apache.org/jira/browse/TAP5-1262
 Project: Tapestry 5
  Issue Type: Bug
  Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: Christophe Cordenier
Assignee: Christophe Cordenier
 Fix For: 5.2.0


The calendar component provided in tapestry 5.1.0.5 could be used to allow code 
injection by malicious web users into any page that uses datefield.

To reproduce the vulnerability, put js code like <script>alert("T5 is great");</script> 
in any datefield and click on the related calendar bitmap.

After a quick search in the DateField.js, it seems like the field value is not 
escaped.

Escaping the field value with a change like var value = escape($F(this.field)); 
seems to solve this vulnerability.




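As an added example for the escape($F(this.field)) fix proposed in TAP5-1057 and TAP5-1262 above (this is not code from Tapestry's DateField.js nor from the reporter's patch), the JavaScript below models the calendar's request URL under three encoders and checks what the server would read back. It goes beyond the report by showing where the legacy escape() it suggests falls short: '+' is left raw and characters outside Latin-1 become %uXXXX, which a servlet container cannot decode, whereas encodeURIComponent() round-trips every sample. The base URL, parameter name, function names and sample values are all constructed for the example.

```javascript
// Added example, not code from Tapestry's DateField.js: it models why the typed
// field value must be encoded before it goes into the calendar's request URL
// and how the legacy escape() the report suggests differs from encodeURIComponent().

// Characters that break a query string (&, +, #, whitespace) or survive as raw
// markup (<, >, ") if echoed into a page; non-ASCII is not valid in a URL either.
const UNSAFE_IN_URL = /[<>"&+#\s]|[^\x00-\x7f]/;
const PARAM = "input=";

// The URL the calendar would request to have the server parse the date.
function buildParseUrl(baseUrl, fieldValue, encoder) {
  return baseUrl + "?" + PARAM + encoder(fieldValue);
}

// Does the query part of the finished URL still contain raw characters?
function leaksRawChars(url) {
  return UNSAFE_IN_URL.test(url.slice(url.indexOf("?") + 1 + PARAM.length));
}

// Minimal model of how a servlet container reads the "input" parameter: cut
// at '&', treat '+' as a space, then percent-decode. Returns null when the
// encoding is malformed, which is what escape()'s %uXXXX form produces.
function serverSideValue(url) {
  const query = url.slice(url.indexOf("?") + 1);
  const pair = query.split("&").find((p) => p.startsWith(PARAM));
  if (!pair) return null;
  try {
    return decodeURIComponent(pair.slice(PARAM.length).replace(/\+/g, " "));
  } catch (e) {
    return null;
  }
}

// Three encoders: none (the vulnerable form), legacy escape(), encodeURIComponent().
const ENCODERS = {
  none: (v) => v,
  legacy: (v) => escape(v),
  modern: (v) => encodeURIComponent(v),
};

// Constructed inputs: a normal date, a value with markup characters, a value
// containing '+' and a value with a character outside Latin-1.
const SAMPLES = ["2010-09-01", '1<2 & "x"', "a+b", "d\u20ac"];

// Run every sample through every encoder; record whether raw characters leak
// into the URL and whether the server recovers exactly the typed value.
function compareEncoders(baseUrl) {
  const rows = [];
  for (const value of SAMPLES) {
    for (const [encoder, enc] of Object.entries(ENCODERS)) {
      const url = buildParseUrl(baseUrl, value, enc);
      rows.push({ value, encoder, url, leaks: leaksRawChars(url),
                  roundTrips: serverSideValue(url) === value });
    }
  }
  return rows;
}

// True only if an encoder leaks nothing and round-trips every sample.
function encoderIsSafe(baseUrl, encoder) {
  return compareEncoders(baseUrl)
    .filter((r) => r.encoder === encoder)
    .every((r) => !r.leaks && r.roundTrips);
}
```

Calling compareEncoders("http://app.example/datefield/parse") and printing the rows (console.table works) shows the vulnerable form truncating the value at the raw '&' and escape() failing on '+' and the euro sign.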



[jira] Commented: (TAP5-673) An intercepted response causes the error java.lang.IllegalStateException: WRITER in gzip compressed pages

2010-09-01 Thread Peter Stavrinides (JIRA)

[ 
https://issues.apache.org/jira/browse/TAP5-673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12905036#action_12905036
 ] 

Peter Stavrinides commented on TAP5-673:


I will have a go at recreating the error, but it is improbable now, or will be very 
hard to reproduce, as the issue is more than a year old.  

 An intercepted response causes the error java.lang.IllegalStateException: 
 WRITER in gzip compressed pages
 ---

 Key: TAP5-673
 URL: https://issues.apache.org/jira/browse/TAP5-673
 Project: Tapestry 5
  Issue Type: Bug
Affects Versions: 5.1.0.4
Reporter: Peter Stavrinides

 A small piece of code inside of a standard tapestry RequestFilter:
 // the user is logged in but does not have access to the
 // requested resource
 if (!hasAccess) {
     logger_.warn("The user " + sessionAccess.getUserSecurityManager().getUserFullName()
             + " attempted to access a protected resource: " + path);

     response.sendError(HttpServletResponse.SC_FORBIDDEN,
             "Access to the requested resource is denied");
     return true;
 }
 Causes this error:
  
 Stack Trace:
 ERROR - WRITER
  - com.albourne.web.services.SiteRequestExceptionHandler (?) 
 java.lang.IllegalStateException: WRITER
   at org.mortbay.jetty.Response.getOutputStream(Response.java:573)
   at org.apache.tapestry5.internal.gzip.BufferedGZipOutputStream.openResponseOutputStream(BufferedGZipOutputStream.java:75)
   at org.apache.tapestry5.internal.gzip.BufferedGZipOutputStream.forceOutputStream(BufferedGZipOutputStream.java:137)
   at org.apache.tapestry5.internal.gzip.BufferedGZipOutputStream.close(BufferedGZipOutputStream.java:131)
   at sun.nio.cs.StreamEncoder.implClose(StreamEncoder.java:301)
   at sun.nio.cs.StreamEncoder.close(StreamEncoder.java:130)
   at java.io.OutputStreamWriter.close(OutputStreamWriter.java:216)
   at java.io.BufferedWriter.close(BufferedWriter.java:248)
   at java.io.PrintWriter.close(PrintWriter.java:295)
   at org.apache.tapestry5.internal.services.PageResponseRendererImpl.renderPageResponse(PageResponseRendererImpl.java:80)
   at $PageResponseRenderer_120f158d8a3.renderPageResponse($PageResponseRenderer_120f158d8a3.java)
   at org.apache.tapestry5.internal.services.PageRenderRequestHandlerImpl.handle(PageRenderRequestHandlerImpl.java:63)
   at org.apache.tapestry5.services.TapestryModule$33.handle(TapestryModule.java:1948)
   at $PageRenderRequestHandler_120f158d8a4.handle($PageRenderRequestHandler_120f158d8a4.java)
   at $PageRenderRequestHandler_120f158d88f.handle($PageRenderRequestHandler_120f158d88f.java)
   at org.apache.tapestry5.internal.services.ComponentRequestHandlerTerminator.handlePageRender(ComponentRequestHandlerTerminator.java:48)
   at $ComponentRequestHandler_120f158d894.handlePageRender($ComponentRequestHandler_120f158d894.java)
   at org.apache.tapestry5.internal.services.PageRenderDispatcher.dispatch(PageRenderDispatcher.java:45)
   at $Dispatcher_120f158d897.dispatch($Dispatcher_120f158d897.java)
   at $Dispatcher_120f158d88a.dispatch($Dispatcher_120f158d88a.java)
   at org.apache.tapestry5.services.TapestryModule$RequestHandlerTerminator.service(TapestryModule.java:250)
   at com.albourne.web.services.PageAccessController.service(PageAccessController.java:199)
   at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
   at com.albourne.web.services.AppModule$3.service(AppModule.java:209)
   at $RequestFilter_120f158d889.service($RequestFilter_120f158d889.java)
   at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
   at org.apache.tapestry5.internal.services.RequestErrorFilter.service(RequestErrorFilter.java:26)
   at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
   at org.apache.tapestry5.services.TapestryModule$4.service(TapestryModule.java:783)
   at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
   at org.apache.tapestry5.services.TapestryModule$3.service(TapestryModule.java:772)
   at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
   at org.apache.tapestry5.internal.services.StaticFilesFilter.service(StaticFilesFilter.java:85)
   at 

svn commit: r991651 - in /tapestry/tapestry5/trunk/tapestry-ioc/src: main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java test/java/org/apache/tapestry5/ioc/internal/service

2010-09-01 Thread hlship
Author: hlship
Date: Wed Sep  1 18:57:32 2010
New Revision: 991651

URL: http://svn.apache.org/viewvc?rev=991651view=rev
Log:
Handle the unlikely case where an exception includes a property that is the 
same exception (i.e., detect the infinite loop)

Modified:

tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java

tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java

Modified: 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java?rev=991651r1=991650r2=991651view=diff
==
--- 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java
 Wed Sep  1 18:57:32 2010
@@ -128,7 +128,13 @@ public class ExceptionAnalyzerImpl imple
 if (cause == null  
Throwable.class.isAssignableFrom(pa.getType()))
 {
 // Ignore the property, but track it as the cause.
-cause = (Throwable) pa.get(t);
+
+Throwable nestedException = (Throwable) pa.get(t);
+
+// Handle the case where an exception is its own cause (avoid 
endless loop!)
+if (t != nestedException)
+cause = nestedException;
+
 continue;
 }
 
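Review bot: the guard `if (t != nestedException)` only catches an exception that is its own direct cause; if the chain forms a longer cycle (A's cause is B, whose cause is A again), the comparison against `t` never fires and whatever walks `cause` afterwards still loops. Track the throwables already analysed in an identity set (for example `Collections.newSetFromMap(new IdentityHashMap<Throwable, Boolean>())`) and skip any nested exception that has been seen, rather than comparing with `t` alone. When the self-reference is skipped, the property is silently dropped; a debug log line saying so would make the behaviour visible.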

Modified: 
tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java?rev=991651r1=991650r2=991651view=diff
==
--- 
tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java
 Wed Sep  1 18:57:32 2010
@@ -179,4 +179,37 @@ public class ExceptionAnalyzerImplTest e
 assertEquals(ei.getProperty(code), 0099);
 }
 
+@SuppressWarnings(all)
+public static class SelfCausedException extends RuntimeException
+{
+public SelfCausedException(String message)
+{
+super(message);
+}
+
+public Throwable getCause()
+{
+return this;
+}
+}
+
+@Test
+public void exception_that_is_its_own_cause()
+{
+String message = Hey! We've Got Not Tomatoes!;
+
+Throwable t = new SelfCausedException(message);
+
+ExceptionAnalysis ea = analyzer.analyze(t);
+
+assertEquals(ea.getExceptionInfos().size(), 1);
+
+ExceptionInfo ei = ea.getExceptionInfos().get(0);
+
+assertEquals(ei.getClassName(), SelfCausedException.class.getName());
+assertEquals(ei.getMessage(), message);
+
+assertTrue(ei.getPropertyNames().isEmpty());
+assertFalse(ei.getStackTrace().isEmpty());
+}
 }
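Review bot: the new test exercises only the one-exception cycle; add a companion case in which two exceptions name each other as cause (A -> B -> A), since that is the cycle the guard in `ExceptionAnalyzerImpl` does not currently break. `@SuppressWarnings("all")` on `SelfCausedException` is broader than needed; the only warning a test-local `RuntimeException` subclass raises is the missing `serialVersionUID`, so `"serial"` is the precise value. The assertions on `getPropertyNames().isEmpty()` and `getStackTrace()` are the right checks for the dropped `cause` property.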




svn commit: r991652 - in /tapestry/tapestry5/trunk/tapestry-ioc/src: main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java test/java/org/apache/tapestry5/ioc/ReloadTest.java

2010-09-01 Thread hlship
Author: hlship
Date: Wed Sep  1 18:57:38 2010
New Revision: 991652

URL: http://svn.apache.org/viewvc?rev=991652view=rev
Log:
Add a few simplifications to service reloading, and don't bother to track time 
modified of inner classes

Modified:

tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java

tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/ReloadTest.java

Modified: 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java?rev=991652r1=991651r2=991652view=diff
==
--- 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java
 Wed Sep  1 18:57:38 2010
@@ -68,8 +68,6 @@ public abstract class AbstractReloadable
 
 private final String implementationClassName;
 
-private final String packageName;
-
 private final String classFilePath;
 
 private final Logger logger;
@@ -78,14 +76,16 @@ public abstract class AbstractReloadable
 
 private final URLChangeTracker changeTracker = new URLChangeTracker();
 
-private Object instance;
+/**
+ * The set of class names that should be loaded by the class loader. This 
is necessary to support
+ * reloading the class when a base class changes, and to properly support 
access to protected methods.
+ */
+private final SetString classesToLoad = CollectionFactory.newSet();
 
-private File classFile;
+private Object instance;
 
 private boolean firstTime = true;
 
-private final SetString classesToLoad = CollectionFactory.newSet();
-
 protected AbstractReloadableObjectCreator(ClassLoader baseClassLoader, 
String implementationClassName,
 Logger logger, OperationTracker tracker)
 {
@@ -94,18 +94,9 @@ public abstract class AbstractReloadable
 this.logger = logger;
 this.tracker = tracker;
 
-packageName = toPackageName(implementationClassName);
-
 classFilePath = 
ClassFabUtils.getPathForClassNamed(implementationClassName);
 }
 
-private String toPackageName(String name)
-{
-int dotx = name.lastIndexOf('.');
-
-return dotx  0 ?  : name.substring(0, dotx);
-}
-
 public synchronized void checkForUpdates()
 {
 if (instance == null)
@@ -119,7 +110,6 @@ public abstract class AbstractReloadable
 implementationClassName));
 
 instance = null;
-classFile = null;
 changeTracker.clear();
 }
 
@@ -137,8 +127,6 @@ public abstract class AbstractReloadable
 {
 public Object invoke()
 {
-updateTrackingInfo();
-
 Class reloadedClass = reloadImplementationClass();
 
 return createInstance(reloadedClass);
@@ -201,18 +189,6 @@ public abstract class AbstractReloadable
 return result;
 }
 
-private void updateTrackingInfo()
-{
-URL url = baseClassLoader.getResource(classFilePath);
-
-if (url == null)
-throw new RuntimeException(String.format(
-Unable to reload class %s as it has been deleted. You may 
need to restart the application.,
-implementationClassName));
-
-classFile = ClassFabUtils.toFileFromFileProtocolURL(url);
-}
-
 private boolean shouldLoadClassNamed(String name)
 {
 return classesToLoad.contains(name);
@@ -250,7 +226,6 @@ public abstract class AbstractReloadable
 add(nc.getName());
 }
 
-
 ctClass.instrument(new ExprEditor()
 {
 public void edit(ConstructorCall c) throws CannotCompileException
@@ -278,6 +253,9 @@ public abstract class AbstractReloadable
 
 private void trackClassFileChanges(String className)
 {
+if (isInnerClassName(className))
+return;
+
 String path = ClassFabUtils.getPathForClassNamed(className);
 
 URL url = baseClassLoader.getResource(path);
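Review bot: the early `return` for inner classes in `trackClassFileChanges` assumes an inner class's `.class` file is always rewritten together with its enclosing class, which holds when javac recompiles the whole source file but not for tools that emit class files one at a time. State that assumption in a comment beside the early return, because a changed inner class would otherwise be loaded stale with no change ever detected for it.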
@@ -287,6 +265,11 @@ public abstract class AbstractReloadable
 changeTracker.add(url);
 }
 
+private boolean isInnerClassName(String className)
+{
+return className.indexOf('$') = 0;
+}
+
 /** Is the class an inner class of some other class already marked to be 
loaded by the special class loader? */
 private boolean isInnerClass(String className)
 {
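Review bot: `isInnerClassName` treats any `$` in a class name as an inner-class marker, but `$` is legal in top-level class names, and generated proxy classes use it as a prefix (the `$Dispatcher_...` and `$RequestHandler_...` names in the stack trace earlier on this page are examples); such classes would be excluded from change tracking by this method. Requiring the `$` to be preceded by at least one character (`className.indexOf('$') > 0`) avoids the generated-prefix case, and the Javadoc should say that names containing `$` elsewhere are still treated as inner classes.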

Modified: 
tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/ReloadTest.java
URL: 

svn commit: r991653 - in /tapestry/tapestry5/trunk/tapestry-ioc/src: main/java/org/apache/tapestry5/ioc/internal/ main/java/org/apache/tapestry5/ioc/internal/util/ test/java/org/apache/tapestry5/ioc/i

2010-09-01 Thread hlship
Author: hlship
Date: Wed Sep  1 18:57:43 2010
New Revision: 991653

URL: http://svn.apache.org/viewvc?rev=991653view=rev
Log:
Add a number of optimizations to live service reloading logic, to reduce the 
number of file time modified checks

Modified:

tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java

tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java

tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/util/URLChangeTrackerTest.java

Modified: 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java?rev=991653r1=991652r2=991653view=diff
==
--- 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java
 Wed Sep  1 18:57:43 2010
@@ -177,18 +177,6 @@ public abstract class AbstractReloadable
 }
 }
 
-private URL getURLForClass(String className) throws ClassNotFoundException
-{
-String path = ClassFabUtils.getPathForClassNamed(className);
-
-URL result = baseClassLoader.getResource(path);
-
-if (result == null)
-throw new ClassNotFoundException(String.format(Unable to locate 
URL for class %s., className));
-
-return result;
-}
-
 private boolean shouldLoadClassNamed(String name)
 {
 return classesToLoad.contains(name);
@@ -260,9 +248,8 @@ public abstract class AbstractReloadable
 
 URL url = baseClassLoader.getResource(path);
 
-// This does nothing unless the URL is non-null and file protocol
-
-changeTracker.add(url);
+if (url != null  url.getProtocol().equals(file))
+changeTracker.add(url);
 }
 
 private boolean isInnerClassName(String className)
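Review bot: the new `url.getProtocol().equals("file")` test runs before the URL reaches `URLChangeTracker`, whose `classpathURLConverter` exists to convert non-file URLs into file URLs; every URL the converter would have mapped is now dropped here without being tracked. If the intent is only to skip null URLs cheaply, keep `if (url != null)` and leave the protocol decision to the tracker. The removed comment ("This does nothing unless the URL is non-null and file protocol") documented the old behaviour; the hunk replaces it with nothing, so add a comment explaining the new condition.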
@@ -270,14 +257,6 @@ public abstract class AbstractReloadable
 return className.indexOf('$') = 0;
 }
 
-/** Is the class an inner class of some other class already marked to be 
loaded by the special class loader? */
-private boolean isInnerClass(String className)
-{
-int dollarx = className.indexOf($);
-
-return dollarx  0 ? false : 
classesToLoad.contains(className.substring(0, dollarx));
-}
-
 /** Does nothing. */
 public void start(ClassPool pool) throws NotFoundException, 
CannotCompileException
 {

Modified: 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java
URL: 
http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java?rev=991653r1=991652r2=991653view=diff
==
--- 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java
 (original)
+++ 
tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java
 Wed Sep  1 18:57:43 2010
@@ -38,23 +38,25 @@ public class URLChangeTracker
 
 private final boolean granularitySeconds;
 
+private final boolean trackFolderChanges;
+
 private final ClasspathURLConverter classpathURLConverter;
 
-private static final ClasspathURLConverter DEFAULT_CONVERTER = new 
ClasspathURLConverterImpl();
+public static final ClasspathURLConverter DEFAULT_CONVERTER = new 
ClasspathURLConverterImpl();
 
 /**
  * Creates a tracker using the default (does nothing) URL converter, with 
default (millisecond)
- * granularity.
+ * granularity and folder tracking disabled.
  * 
  * @since 5.2.1
  */
 public URLChangeTracker()
 {
-this(DEFAULT_CONVERTER);
+this(DEFAULT_CONVERTER, false, false);
 }
 
 /**
- * Creates a new URL change tracker with millisecond-level granularity.
+ * Creates a new URL change tracker with millisecond-level granularity and 
folder checking enabled.
  * 
  * @param classpathURLConverter
  *used to convert URLs from one protocol to another
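Review bot: `DEFAULT_CONVERTER` goes from private to public with no Javadoc; the `this(DEFAULT_CONVERTER, false, false)` call in the same class does not need the wider visibility, so either document it as API for callers elsewhere or keep it private. The no-arg constructor Javadoc now states "folder tracking disabled" while the Javadoc for the converter constructor says "folder checking enabled"; the body of that constructor is not in this hunk, so confirm that the second constructor really passes `true` for `trackFolderChanges` and that both comments match the values passed.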
@@ -66,7 +68,8 @@ public class URLChangeTracker
 }
 
 /**
- * Creates a new URL change tracker, using either millisecond-level 
granularity or second-level granularity.
+ * Creates a new URL change tracker, using either millisecond-level 
granularity or second-level granularity and
+ * folder checking enabled.
  * 
  * @param classpathURLConverter
  *

[jira] Created: (TAP5-1263) private methods in class hierarchy override each other with @SetupRender annotation

2010-09-01 Thread Paul Stanton (JIRA)
private methods in class hierarchy override each other with @SetupRender 
annotation
---

 Key: TAP5-1263
 URL: https://issues.apache.org/jira/browse/TAP5-1263
 Project: Tapestry 5
  Issue Type: Bug
  Components: tapestry-core
Affects Versions: 5.1.0.5
Reporter: Paul Stanton


I've found a strange issue with the @SetupRender annotation when used in a 
class hierarchy.

Typically, in java 2 classes within a hierarchy can have the same signature for 
a private method and not affect each other, so I would expect this to be the 
case when both of these private methods are annotated with @SetupRender. 
Therefore the output for case 1 and case 2 (below) should be the same and print 
both messages setupRender2, setupRender1.

However case 1 only prints setupRender2, meaning it somehow overwrites the 
method in its implementing class.

This is concerning because
1. there should never be a requirement that a sub-class knows of its 
super-class's implementation
2. if hierarchy does come into play, the subclass should override the super 
class.

CASE 1:
--
public abstract class StartBase {
    @SetupRender
    private void init() {
        log.debug("setupRender2");
    }
}

public class Start extends StartBase {
    @SetupRender
    private void init() {
        log.debug("setupRender1");
    }
}

CASE 2:
--
public abstract class StartBase {
    @SetupRender
    private void init2() {
        log.debug("setupRender2");
    }
}

public class Start extends StartBase {
    @SetupRender
    private void init1() {
        log.debug("setupRender1");
    }
}
