Hello everybody

We've successfully developed and deployed a payment manager
application written in Tapestry 5.1.
The system with the application is PCI certified. This requires a periodic
vulnerability scan by a PCI scanning vendor.
Basically the scanning vendor uses Nessus to throw all kinds of
requests at the app to potentially identify known vulnerabilities on a
system.

The problem or annoyance we have is that the tapestry app has to deal
with all kinds of arbitrary requests resulting in server errors
(500s). We would much rather return 404s.

We have two kinds of requests that bother us:

1) requests like "/login.asp?blahbalh" or "/login.htm" etc.
Tapestry does not like it:
org.apache.tapestry5.ioc.internal.util.TapestryException: Component
Login does not contain an embedded component with id 'htm'.
We have a page Login.class with a form on it, so requests like '/login'
and '/login.form' are handled as expected, but not the likes of
"/login.cgi".

2) requests like
"/cgi/wsisa.dll/WService=wsbroker1/webtools/oscommand.w" or
"/cgi/go.cgi|id|" (that is probably against the HTTP spec?)
Tapestry does not like it:
java.lang.IllegalArgumentException: Input string 'WService=wsbroker1'
is not valid; the character '=' at position 9 is not valid.
        at org.apache.tapestry5.internal.services.URLEncoderImpl.decode(URLEncoderImpl.java:143)

I guess that one could catch these exceptions on the ExceptionReport
page and then do some custom 404 thing, but it would be much nicer to
prevent these exceptions from happening in the first place.

Any ideas?

Thanks
Mike
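One way to keep these requests away from Tapestry's dispatchers altogether, added here as an illustration and not code from the original post or from the Tapestry project: a `RequestFilter` contributed to the `RequestHandler` pipeline that answers paths the application can never serve with a 404 before `URLEncoderImpl.decode` or the page/event dispatchers run. The package name, the class names, the allowed-character pattern and the extension list are assumptions for this example; the `RequestFilter`, `Request.getPath()`, `Response.sendError()` and `contributeRequestHandler` APIs are the ones Tapestry 5.1 provides.

```java
package com.example.pci; // hypothetical package name

import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.Request;
import org.apache.tapestry5.services.RequestFilter;
import org.apache.tapestry5.services.RequestHandler;
import org.apache.tapestry5.services.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Tapestry RequestFilter that answers obviously foreign paths with 404
 * before any dispatcher (and therefore URLEncoderImpl.decode) sees them.
 */
public class RejectForeignPathsFilter implements RequestFilter {

    private static final Logger LOG = LoggerFactory.getLogger(RejectForeignPathsFilter.class);

    // Characters Tapestry itself puts into request paths: page and event
    // names plus activation-context values as URLEncoderImpl encodes them.
    // Assumption: this application never needs anything else; widen it if
    // a page activation context legitimately carries other characters.
    private static final Pattern ALLOWED_PATH = Pattern.compile("[A-Za-z0-9/._:$\\-]*");

    // Extensions no Tapestry page in this application responds to (assumed
    // list). "form" is deliberately absent so "/login.form" still works.
    private static final Set<String> FOREIGN_EXTENSIONS = new HashSet<String>(Arrays.asList(
            "asp", "aspx", "htm", "html", "cgi", "dll", "php", "jsp", "pl", "w"));

    public boolean service(Request request, Response response, RequestHandler handler)
            throws IOException {
        String path = request.getPath(); // path only, query string excluded
        if (isForeign(path)) {
            // Log at WARN so scanner traffic stays visible in the logs, then
            // short-circuit the pipeline: returning true means "handled".
            LOG.warn("Rejecting foreign request path: {}", path);
            response.sendError(404, "Not found");
            return true;
        }
        return handler.service(request, response);
    }

    /** True for paths the application should refuse outright. */
    static boolean isForeign(String path) {
        if (path == null) {
            return true;
        }
        // Rejects "/cgi/wsisa.dll/WService=wsbroker1/..." ('=') and
        // "/cgi/go.cgi|id|" ('|') before the URL decoder can throw on them.
        if (!ALLOWED_PATH.matcher(path).matches()) {
            return true;
        }
        // Rejects "/login.htm" and "/login.cgi"; "/login" and "/login.form" pass.
        String last = path.substring(path.lastIndexOf('/') + 1);
        int dot = last.lastIndexOf('.');
        if (dot >= 0) {
            String ext = last.substring(dot + 1).toLowerCase(Locale.ENGLISH);
            return FOREIGN_EXTENSIONS.contains(ext);
        }
        return false;
    }
}

/**
 * Copy this method into the application's AppModule; it is shown as a
 * separate class here only so the file compiles on its own.
 */
class RejectForeignPathsModule {
    public static void contributeRequestHandler(OrderedConfiguration<RequestFilter> configuration) {
        // "before:*" puts the check ahead of every other contributed filter.
        configuration.add("RejectForeignPaths", new RejectForeignPathsFilter(), "before:*");
    }
}
```

Because `getPath()` excludes the query string, `/login.asp?blahbalh` is rejected on the `.asp` extension and a plain `/login?whatever` still reaches the page, which simply ignores parameters it does not know. Whatever does slip through should still not reach the default exception report page with a stack trace in a PCI environment: running with `tapestry.production-mode=true` keeps Tapestry from rendering the detailed report to clients.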
