tapestry-dev mailing list archives

From "Andreas Andreou (JIRA)" <...@tapestry.apache.org>
Subject [jira] Resolved: (TAPESTRY-1915) AssetEncoder doesn't handle invalid paths missing a digest
Date Sat, 29 Mar 2008 00:10:24 GMT

     [ https://issues.apache.org/jira/browse/TAPESTRY-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Andreou resolved TAPESTRY-1915.
---------------------------------------

    Resolution: Fixed

> AssetEncoder doesn't handle invalid paths missing a digest
> ----------------------------------------------------------
>
>                 Key: TAPESTRY-1915
>                 URL: https://issues.apache.org/jira/browse/TAPESTRY-1915
>             Project: Tapestry
>          Issue Type: Improvement
>          Components: Framework
>    Affects Versions: 4.1.1, 4.1.2, 4.1.3, 4.1.5
>            Reporter: Greg Woolsey
>            Assignee: Andreas Andreou
>            Priority: Minor
>             Fix For: 4.1.6
>
>
> AssetEncoder.decode()  has this line:
>         int slashx = pathInfo.indexOf('/', 1);
> but never checks for slashx == -1 before using it in:
>         encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));
> which, if the URL didn't have another slash after "assets/", causes a StringIndexOutOfBoundsException
> at runtime.  Some automated security testing tools flag the resulting stack trace in the response
> as a potential risk, and it just looks bad, even though the URL was not one generated by AssetEncoder,
> but one obviously manipulated manually somehow.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org
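As an added illustration, not Tapestry's AssetEncoder and not the change committed for this issue, the class below places the unchecked indexOf/substring sequence the report quotes beside a guarded version that treats a path with no second slash as "no digest present" and rejects it instead of throwing. The class name, the Decoded record, the Optional return and the sample paths are assumptions made for this example; the real encoder works through Tapestry's ServiceEncoding API, which is not reproduced here.

```java
import java.util.Optional;

/**
 * Constructed illustration of the failure described in TAPESTRY-1915.
 * Not Tapestry's AssetEncoder: the class, the record returned and the
 * sample paths are assumptions made for this example.
 */
public class AssetPathDecodeExample {

    /** Result of decoding "/<digest>/<path>": the digest and the remaining path. */
    public record Decoded(String digest, String path) {}

    /** The shape the report describes: slashx is used without checking for -1. */
    public static Decoded decodeUnchecked(String pathInfo) {
        // pathInfo is expected to look like "/<digest>/<path>" after the "assets" prefix
        int slashx = pathInfo.indexOf('/', 1);
        // Throws StringIndexOutOfBoundsException when slashx == -1, i.e. no digest segment
        String digest = pathInfo.substring(1, slashx);
        String path = pathInfo.substring(slashx + 1);
        return new Decoded(digest, path);
    }

    /** Guarded version: a path without a second slash carries no digest and is rejected. */
    public static Optional<Decoded> decodeGuarded(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return Optional.empty();
        }
        int slashx = pathInfo.indexOf('/', 1);
        if (slashx <= 1 || slashx == pathInfo.length() - 1) {
            // -1: no digest segment at all; 1: empty digest; last char: empty asset path
            return Optional.empty();
        }
        return Optional.of(new Decoded(pathInfo.substring(1, slashx),
                                       pathInfo.substring(slashx + 1)));
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed asset path and a manipulated one with no digest segment.
        String good = "/0123abcd/css/site.css";
        String missingDigest = "/css";

        System.out.println("guarded, good:      " + decodeGuarded(good));
        System.out.println("guarded, missing:   " + decodeGuarded(missingDigest));
        System.out.println("unchecked, good:    " + decodeUnchecked(good));
        try {
            decodeUnchecked(missingDigest);
        } catch (StringIndexOutOfBoundsException e) {
            // This is the exception whose stack trace the scanners flagged in the response;
            // a caller of the guarded variant should turn the empty Optional into a plain
            // "not found" response rather than let any exception escape into the page.
            System.out.println("unchecked, missing: " + e.getClass().getSimpleName());
        }
    }
}
```

The record syntax needs Java 16 or later; on an older JDK, replace it with a small final class holding the two fields. The guarded variant also rejects an empty digest ("//path") and an empty asset path ("/digest/"), which the report's single check for -1 would still let through to substring.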

