[jira] Closed: (TAP5-1057) XSS vulnerability in calendar component
[ https://issues.apache.org/jira/browse/TAP5-1057?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christophe Cordenier closed TAP5-1057.

    Resolution: Fixed

Clone instead of re-opening.

XSS vulnerability in calendar component
---

                 Key: TAP5-1057
                 URL: https://issues.apache.org/jira/browse/TAP5-1057
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.1.0.5
            Reporter: François Facon
            Assignee: Christophe Cordenier
             Fix For: 5.2.0
         Attachments: datefield_js.patch, datefield_js.patch

The calendar component provided in Tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield.

To reproduce the vulnerability, put JS code like

    <script>alert("T5 is great");</script>

in any datefield and click on the related calendar bitmap.

After a quick search in DateField.js, it seems like the field value is not escaped. Escaping the field value with a change like

    var value = escape($F(this.field));

seems to solve this vulnerability.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Created: (TAP5-1262) XSS vulnerability in calendar component (apply to 5.1.0.x)
XSS vulnerability in calendar component (apply to 5.1.0.x)
---

                 Key: TAP5-1262
                 URL: https://issues.apache.org/jira/browse/TAP5-1262
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.1.0.5
            Reporter: Christophe Cordenier
            Assignee: Christophe Cordenier
             Fix For: 5.2.0

The calendar component provided in Tapestry 5.1.0.5 could be used to allow code injection by malicious web users into any page that uses datefield.

To reproduce the vulnerability, put JS code like

    <script>alert("T5 is great");</script>

in any datefield and click on the related calendar bitmap.

After a quick search in DateField.js, it seems like the field value is not escaped. Escaping the field value with a change like

    var value = escape($F(this.field));

seems to solve this vulnerability.
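An added example, not code from Tapestry's DateField.js or from the attached patch, showing the class of bug TAP5-1057 and TAP5-1262 describe: the text typed into the date field is copied into the calendar popup's markup by string concatenation, so the reporter's test string becomes live markup, while entity-escaping the value first keeps it inert text. The popup template, the render functions and the sample values are constructed for this example; the page does not show how DateField.js builds its HTML.

```javascript
// Added example, not code from Tapestry's DateField.js or the attached patch.
// Assumed scenario, modelled on TAP5-1057 / TAP5-1262: the text typed into a
// date field is copied into the calendar popup's HTML by string concatenation.

// Constructed sample inputs: the reporter's reproduction string and a normal date.
const TYPED_PAYLOAD = '<script>alert("T5 is great");</script>';
const TYPED_DATE = '01/09/2010';

// Entity-escape the characters that can change HTML structure or end an
// attribute value. Apply to untrusted text before it is placed in markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-escaped
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical popup template; the element and class names are placeholders.
const POPUP_OPEN = '<div class="t-calendar"><span class="t-date">';
const POPUP_CLOSE = '</span></div>';

// Vulnerable form: the raw field value becomes part of the markup, so a typed
// <script> element is parsed and executed by the browser.
function renderPopupUnsafe(fieldValue) {
  return POPUP_OPEN + fieldValue + POPUP_CLOSE;
}

// Hardened form: same template, value escaped before concatenation.
function renderPopupSafe(fieldValue) {
  return POPUP_OPEN + escapeHtml(fieldValue) + POPUP_CLOSE;
}

// Check a component unit test could run: list every tag name found in the
// rendered markup that the template itself does not emit.
function findInjectedTags(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  const injected = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowedTags.includes(name) && !injected.includes(name)) injected.push(name);
  }
  return injected;
}

const TEMPLATE_TAGS = ['div', 'span'];

// Stand-alone run: the unsafe render leaks a script tag, the safe one does not.
console.log(findInjectedTags(renderPopupUnsafe(TYPED_PAYLOAD), TEMPLATE_TAGS)); // [ 'script' ]
console.log(findInjectedTags(renderPopupSafe(TYPED_PAYLOAD), TEMPLATE_TAGS));   // []
```

JavaScript's escape(), which the reports propose, percent-encodes "<" as %3C; the browser then no longer parses it as a tag either, but the value is displayed percent-encoded, so entity escaping as above is the usual choice for text inserted into HTML.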
[jira] Commented: (TAP5-673) An intercepted response causes the error java.lang.IllegalStateException: WRITER in gzip compressed pages
[ https://issues.apache.org/jira/browse/TAP5-673?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12905036#action_12905036 ]

Peter Stavrinides commented on TAP5-673:

I will have a go at recreating the error, but it is improbable now, or will be very hard to reproduce, as the issue is more than a year old.

An intercepted response causes the error java.lang.IllegalStateException: WRITER in gzip compressed pages
---

                 Key: TAP5-673
                 URL: https://issues.apache.org/jira/browse/TAP5-673
             Project: Tapestry 5
          Issue Type: Bug
    Affects Versions: 5.1.0.4
            Reporter: Peter Stavrinides

A small piece of code inside a standard Tapestry RequestFilter:

    // the user is logged in but does not have access to the
    // requested resource
    if (!hasAccess) {
        logger_.warn("The user " + sessionAccess.getUserSecurityManager().getUserFullName()
                + " attempted to access a protected resource: " + path);
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "Access to the requested resource is denied");
        return true;
    }

causes this error:

Stack Trace:
ERROR - WRITER - com.albourne.web.services.SiteRequestExceptionHandler (?)
java.lang.IllegalStateException: WRITER
    at org.mortbay.jetty.Response.getOutputStream(Response.java:573)
    at org.apache.tapestry5.internal.gzip.BufferedGZipOutputStream.openResponseOutputStream(BufferedGZipOutputStream.java:75)
    at org.apache.tapestry5.internal.gzip.BufferedGZipOutputStream.forceOutputStream(BufferedGZipOutputStream.java:137)
    at org.apache.tapestry5.internal.gzip.BufferedGZipOutputStream.close(BufferedGZipOutputStream.java:131)
    at sun.nio.cs.StreamEncoder.implClose(StreamEncoder.java:301)
    at sun.nio.cs.StreamEncoder.close(StreamEncoder.java:130)
    at java.io.OutputStreamWriter.close(OutputStreamWriter.java:216)
    at java.io.BufferedWriter.close(BufferedWriter.java:248)
    at java.io.PrintWriter.close(PrintWriter.java:295)
    at org.apache.tapestry5.internal.services.PageResponseRendererImpl.renderPageResponse(PageResponseRendererImpl.java:80)
    at $PageResponseRenderer_120f158d8a3.renderPageResponse($PageResponseRenderer_120f158d8a3.java)
    at org.apache.tapestry5.internal.services.PageRenderRequestHandlerImpl.handle(PageRenderRequestHandlerImpl.java:63)
    at org.apache.tapestry5.services.TapestryModule$33.handle(TapestryModule.java:1948)
    at $PageRenderRequestHandler_120f158d8a4.handle($PageRenderRequestHandler_120f158d8a4.java)
    at $PageRenderRequestHandler_120f158d88f.handle($PageRenderRequestHandler_120f158d88f.java)
    at org.apache.tapestry5.internal.services.ComponentRequestHandlerTerminator.handlePageRender(ComponentRequestHandlerTerminator.java:48)
    at $ComponentRequestHandler_120f158d894.handlePageRender($ComponentRequestHandler_120f158d894.java)
    at org.apache.tapestry5.internal.services.PageRenderDispatcher.dispatch(PageRenderDispatcher.java:45)
    at $Dispatcher_120f158d897.dispatch($Dispatcher_120f158d897.java)
    at $Dispatcher_120f158d88a.dispatch($Dispatcher_120f158d88a.java)
    at org.apache.tapestry5.services.TapestryModule$RequestHandlerTerminator.service(TapestryModule.java:250)
    at com.albourne.web.services.PageAccessController.service(PageAccessController.java:199)
    at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
    at com.albourne.web.services.AppModule$3.service(AppModule.java:209)
    at $RequestFilter_120f158d889.service($RequestFilter_120f158d889.java)
    at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
    at org.apache.tapestry5.internal.services.RequestErrorFilter.service(RequestErrorFilter.java:26)
    at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
    at org.apache.tapestry5.services.TapestryModule$4.service(TapestryModule.java:783)
    at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
    at org.apache.tapestry5.services.TapestryModule$3.service(TapestryModule.java:772)
    at $RequestHandler_120f158d88b.service($RequestHandler_120f158d88b.java)
    at org.apache.tapestry5.internal.services.StaticFilesFilter.service(StaticFilesFilter.java:85)
    at
svn commit: r991651 - in /tapestry/tapestry5/trunk/tapestry-ioc/src: main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java test/java/org/apache/tapestry5/ioc/internal/service
Author: hlship Date: Wed Sep 1 18:57:32 2010 New Revision: 991651 URL: http://svn.apache.org/viewvc?rev=991651view=rev Log: Handle the unlikely case where an exception includes a property that is the same exception (i.e., detect the infinite loop) Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java?rev=991651r1=991650r2=991651view=diff == --- tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java (original) +++ tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImpl.java Wed Sep 1 18:57:32 2010 
@@ -128,7 +128,13 @@ public class ExceptionAnalyzerImpl imple if (cause == null Throwable.class.isAssignableFrom(pa.getType())) { // Ignore the property, but track it as the cause. -cause = (Throwable) pa.get(t); + +Throwable nestedException = (Throwable) pa.get(t); + +// Handle the case where an exception is its own cause (avoid endless loop!) +if (t != nestedException) +cause = nestedException; + continue; } Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java?rev=991651r1=991650r2=991651view=diff == --- tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java (original) +++ tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/services/ExceptionAnalyzerImplTest.java Wed Sep 1 18:57:32 2010 @@ -179,4 +179,37 @@ public class ExceptionAnalyzerImplTest e assertEquals(ei.getProperty(code), 0099); } +@SuppressWarnings(all) +public static class SelfCausedException extends RuntimeException +{ +public SelfCausedException(String message) +{ +super(message); +} + +public Throwable getCause() +{ +return this; +} +} + +@Test +public void exception_that_is_its_own_cause() +{ +String message = Hey! We've Got Not Tomatoes!; + +Throwable t = new SelfCausedException(message); + +ExceptionAnalysis ea = analyzer.analyze(t); + +assertEquals(ea.getExceptionInfos().size(), 1); + +ExceptionInfo ei = ea.getExceptionInfos().get(0); + +assertEquals(ei.getClassName(), SelfCausedException.class.getName()); +assertEquals(ei.getMessage(), message); + +assertTrue(ei.getPropertyNames().isEmpty()); +assertFalse(ei.getStackTrace().isEmpty()); +} }
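Review bot: the guard added in the ExceptionAnalyzerImpl hunk, `if (t != nestedException) cause = nestedException;`, only breaks a cycle of length one. An exception A whose cause property yields B, where B's cause property yields A again, is still followed forever, because each comparison is made against the current `t` alone. Collecting the exceptions already analysed in an identity set and stopping when `pa.get(t)` returns one of them would cover both the self-caused case and the longer cycle.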
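Review bot: the new `exception_that_is_its_own_cause` test in ExceptionAnalyzerImplTest exercises only the self-referencing fixture that the production change handles; a second fixture with two exceptions whose `getCause()` point at each other would document that the longer-cycle case is still open, instead of leaving it untested. A one-line javadoc on `SelfCausedException` saying why `getCause()` returns `this` would also help the next reader, since the `@SuppressWarnings("all")` hides the reason.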
svn commit: r991652 - in /tapestry/tapestry5/trunk/tapestry-ioc/src: main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java test/java/org/apache/tapestry5/ioc/ReloadTest.java
Author: hlship Date: Wed Sep 1 18:57:38 2010 New Revision: 991652 URL: http://svn.apache.org/viewvc?rev=991652view=rev Log: Add a few simplifications to service reloading, and don't bother to track time modified of inner classes Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/ReloadTest.java Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java?rev=991652r1=991651r2=991652view=diff == --- tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java (original) +++ tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java Wed Sep 1 18:57:38 2010 @@ -68,8 +68,6 @@ public abstract class AbstractReloadable private final String implementationClassName; -private final String packageName; - private final String classFilePath; private final Logger logger; 
@@ -78,14 +76,16 @@ public abstract class AbstractReloadable private final URLChangeTracker changeTracker = new URLChangeTracker(); -private Object instance; +/** + * The set of class names that should be loaded by the class loader. This is necessary to support + * reloading the class when a base class changes, and to properly support access to protected methods. + */ +private final SetString classesToLoad = CollectionFactory.newSet(); -private File classFile; +private Object instance; private boolean firstTime = true; -private final SetString classesToLoad = CollectionFactory.newSet(); - protected AbstractReloadableObjectCreator(ClassLoader baseClassLoader, String implementationClassName, Logger logger, OperationTracker tracker) { @@ -94,18 +94,9 @@ public abstract class AbstractReloadable this.logger = logger; this.tracker = tracker; -packageName = toPackageName(implementationClassName); - classFilePath = ClassFabUtils.getPathForClassNamed(implementationClassName); } -private String toPackageName(String name) -{ -int dotx = name.lastIndexOf('.'); - -return dotx 0 ? : name.substring(0, dotx); -} - public synchronized void checkForUpdates() { if (instance == null) @@ -119,7 +110,6 @@ public abstract class AbstractReloadable implementationClassName)); instance = null; -classFile = null; changeTracker.clear(); } @@ -137,8 +127,6 @@ public abstract class AbstractReloadable { public Object invoke() { -updateTrackingInfo(); - Class reloadedClass = reloadImplementationClass(); return createInstance(reloadedClass); 
@@ -201,18 +189,6 @@ public abstract class AbstractReloadable return result; } -private void updateTrackingInfo() -{ -URL url = baseClassLoader.getResource(classFilePath); - -if (url == null) -throw new RuntimeException(String.format( -Unable to reload class %s as it has been deleted. You may need to restart the application., -implementationClassName)); - -classFile = ClassFabUtils.toFileFromFileProtocolURL(url); -} - private boolean shouldLoadClassNamed(String name) { return classesToLoad.contains(name); @@ -250,7 +226,6 @@ public abstract class AbstractReloadable add(nc.getName()); } - ctClass.instrument(new ExprEditor() { public void edit(ConstructorCall c) throws CannotCompileException @@ -278,6 +253,9 @@ public abstract class AbstractReloadable private void trackClassFileChanges(String className) { +if (isInnerClassName(className)) +return; + String path = ClassFabUtils.getPathForClassNamed(className); URL url = baseClassLoader.getResource(path); @@ -287,6 +265,11 @@ public abstract class AbstractReloadable changeTracker.add(url); } +private boolean isInnerClassName(String className) +{ +return className.indexOf('$') = 0; +} + /** Is the class an inner class of some other class already marked to be loaded by the special class loader? */ private boolean isInnerClass(String className) { Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/ReloadTest.java URL:
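Review bot: the hunk that deletes `updateTrackingInfo()` also deletes the only explicit failure message for a class whose .class file has been removed ("Unable to reload class %s as it has been deleted. You may need to restart the application."), and the companion hunk drops the `updateTrackingInfo();` call from `invoke()`. The reload path now depends on whatever `reloadImplementationClass()` throws when the resource is missing; please confirm it still names the missing class rather than surfacing a bare ClassNotFoundException or a NullPointerException, and add the deleted-class case to ReloadTest.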
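Review bot: the early `return` added to `trackClassFileChanges` for inner class names means an edit that changes only an inner class file (an anonymous listener compiled to Outer$1.class, say) is noticed only because javac rewrites the outer class file of the same compilation unit at the same time. That is usually true, but the method carries no comment saying that the outer file is relied on as the signal, so the limitation should be stated there so it is deliberate rather than accidental.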
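Review bot: the new `isInnerClassName` treats any `$` in the name as an inner-class marker. `$` is legal in ordinary identifiers and Tapestry's own generated proxies carry names beginning with `$` (the `$RequestHandler_...` frames in the TAP5-673 stack trace earlier in this digest are examples), so a top-level class with a `$` in its name silently drops out of change tracking. The existing `isInnerClass`, visible as context just below the hunk, is the tighter test because it only accepts a `$` whose prefix is a class already in `classesToLoad`; consider reusing that rather than the bare `indexOf('$')`.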
svn commit: r991653 - in /tapestry/tapestry5/trunk/tapestry-ioc/src: main/java/org/apache/tapestry5/ioc/internal/ main/java/org/apache/tapestry5/ioc/internal/util/ test/java/org/apache/tapestry5/ioc/i
Author: hlship Date: Wed Sep 1 18:57:43 2010 New Revision: 991653 URL: http://svn.apache.org/viewvc?rev=991653view=rev Log: Add a number of optimizations to live service reloading logic, to reduce the number of file time modified checks Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java tapestry/tapestry5/trunk/tapestry-ioc/src/test/java/org/apache/tapestry5/ioc/internal/util/URLChangeTrackerTest.java Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java?rev=991653r1=991652r2=991653view=diff == --- tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java (original) +++ tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/AbstractReloadableObjectCreator.java Wed Sep 1 18:57:43 2010 @@ -177,18 +177,6 @@ public abstract class AbstractReloadable } } -private URL getURLForClass(String className) throws ClassNotFoundException -{ -String path = ClassFabUtils.getPathForClassNamed(className); - -URL result = baseClassLoader.getResource(path); - -if (result == null) -throw new ClassNotFoundException(String.format(Unable to locate URL for class %s., className)); - -return result; -} - private boolean shouldLoadClassNamed(String name) { return classesToLoad.contains(name); 
@@ -260,9 +248,8 @@ public abstract class AbstractReloadable URL url = baseClassLoader.getResource(path); -// This does nothing unless the URL is non-null and file protocol - -changeTracker.add(url); +if (url != null url.getProtocol().equals(file)) +changeTracker.add(url); } private boolean isInnerClassName(String className) @@ -270,14 +257,6 @@ public abstract class AbstractReloadable return className.indexOf('$') = 0; } -/** Is the class an inner class of some other class already marked to be loaded by the special class loader? */ -private boolean isInnerClass(String className) -{ -int dollarx = className.indexOf($); - -return dollarx 0 ? false : classesToLoad.contains(className.substring(0, dollarx)); -} - /** Does nothing. */ public void start(ClassPool pool) throws NotFoundException, CannotCompileException { Modified: tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java URL: http://svn.apache.org/viewvc/tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java?rev=991653r1=991652r2=991653view=diff == --- tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java (original) +++ tapestry/tapestry5/trunk/tapestry-ioc/src/main/java/org/apache/tapestry5/ioc/internal/util/URLChangeTracker.java Wed Sep 1 18:57:43 2010 
@@ -38,23 +38,25 @@ public class URLChangeTracker private final boolean granularitySeconds; +private final boolean trackFolderChanges; + private final ClasspathURLConverter classpathURLConverter; -private static final ClasspathURLConverter DEFAULT_CONVERTER = new ClasspathURLConverterImpl(); +public static final ClasspathURLConverter DEFAULT_CONVERTER = new ClasspathURLConverterImpl(); /** * Creates a tracker using the default (does nothing) URL converter, with default (millisecond) - * granularity. + * granularity and folder tracking disabled. * * @since 5.2.1 */ public URLChangeTracker() { -this(DEFAULT_CONVERTER); +this(DEFAULT_CONVERTER, false, false); } /** - * Creates a new URL change tracker with millisecond-level granularity. + * Creates a new URL change tracker with millisecond-level granularity and folder checking enabled. * * @param classpathURLConverter *used to convert URLs from one protocol to another @@ -66,7 +68,8 @@ public class URLChangeTracker } /** - * Creates a new URL change tracker, using either millisecond-level granularity or second-level granularity. + * Creates a new URL change tracker, using either millisecond-level granularity or second-level granularity and + * folder checking enabled. * * @param classpathURLConverter *
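Review bot: in the `trackClassFileChanges` hunk, the new `url != null` and `"file"` protocol test filters the URL before the tracker ever sees it, yet `URLChangeTracker` holds a `ClasspathURLConverter` whose documented purpose (the `@param classpathURLConverter` text in the same commit) is to convert URLs from one protocol to another. A class served through a non-file protocol that the converter would have mapped to a file is now never tracked. Either run the URL through the converter before the protocol check, or replace the deleted comment with one stating that only file: URLs are reloadable by design.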
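Review bot: in the URLChangeTracker hunk the new `trackFolderChanges` field is added without javadoc, and the constructor docs now disagree with each other: the no-arg constructor says folder tracking is disabled and passes `this(DEFAULT_CONVERTER, false, false)`, while the one-argument and two-argument constructors' javadoc now say "folder checking enabled" although neither body appears in the diff. Please document what folder tracking actually checks and confirm those delegating constructors pass `true`. Making `DEFAULT_CONVERTER` public is fine for a final reference, but a `@since` tag on it would match the rest of the class.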
[jira] Created: (TAP5-1263) private methods in class hierarchy override each other with @SetupRender annotation
private methods in class hierarchy override each other with @SetupRender annotation
---

                 Key: TAP5-1263
                 URL: https://issues.apache.org/jira/browse/TAP5-1263
             Project: Tapestry 5
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.1.0.5
            Reporter: Paul Stanton

I've found a strange issue with the @SetupRender annotation when used in a class hierarchy.

Typically, in Java, 2 classes within a hierarchy can have the same signature for a private method and not affect each other, so I would expect this to be the case when both of these private methods are annotated with @SetupRender. Therefore the output for case 1 and case 2 (below) should be the same and print both messages, setupRender2 and setupRender1. However, case 1 only prints setupRender2, meaning it somehow overwrites the method in its implementing class.

This is concerning because
1. there should never be a requirement that a sub-class knows of its super-class's implementation
2. if hierarchy does come into play, the subclass should override the super class.

CASE 1:
--------

    import org.apache.tapestry5.annotations.SetupRender;
    // log is an injected org.slf4j.Logger field in both classes (not shown in the report)

    public abstract class StartBase {
        @SetupRender
        private void init() {
            log.debug("setupRender2");
        }
    }

    public class Start extends StartBase {
        @SetupRender
        private void init() {
            log.debug("setupRender1");
        }
    }

CASE 2:
--------

    import org.apache.tapestry5.annotations.SetupRender;
    // log is an injected org.slf4j.Logger field in both classes (not shown in the report)

    public abstract class StartBase {
        @SetupRender
        private void init2() {
            log.debug("setupRender2");
        }
    }

    public class Start extends StartBase {
        @SetupRender
        private void init1() {
            log.debug("setupRender1");
        }
    }