tapestry-dev mailing list archives

From David Taylor <david.tay...@extensiatech.com>
Subject Re: Ready for 5.6.0? Any blockers?
Date Mon, 27 Jul 2020 04:57:43 GMT
Thanks. I will grab your changes and apply those to the patch we are 
using for the current release.

David


On 7/26/2020 3:12 PM, Thiago H. de Paula Figueiredo wrote:
> Thanks! I ended up fixing this in a slightly different manner and committed
> the fix.
>
> On Fri, Jul 24, 2020 at 1:11 AM David Taylor <david.taylor@extensiatech.com>
> wrote:
>
>> FYI - The following modifications to ChecksumPath prevent the
>> StringIndexOutOfBoundsException and allow the server to respond with a
>> 404 error.
>>
>>       public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
>>       {
>>           this.streamer = streamer;
>>           int slashx = extraPath.indexOf('/');
>>
>>           checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
>>
>>           String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
>>
>>           resourcePath = baseFolder == null
>>             ? morePath
>>             : baseFolder + "/" + morePath;
>>       }
>>
>>
>> On 7/23/2020 11:39 PM, David Taylor wrote:
>>> Hello Everyone,
>>>
>>> We are very interested in seeing the 5.6.0 update out the door and
>>> decided to test out the patch for TAP5-2632. In the course of doing so
>>> we found another related issue.
>>>
>>> When the path /assets/META-INF is entered in the browser it causes a
>>> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
>>> class since the code does not guard against the possibility that
>>> indexOf will not find a match. Below is the offending code and the
>>> exception.
>>>
>>>   It seems that this needs to get patched to harden the application
>>> against bad input which is apparently very easy to devise. That was
>>> actually the first test string entered when testing the patch. Clearly
>>> Tapestry should not be responding to bad input with an exception.
>>>
>>> int slashx = extraPath.indexOf('/');
>>>
>>> java.lang.StringIndexOutOfBoundsException
>>> begin 0, end -1, length 8
>>>
>>> Best Regards,
>>> David Taylor
>>>
>>> On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
>>>> Hello, everyone!
>>>>
>>>> I'd like to release Tapestry 5.6.0 as soon as possible. There's a security
>>>> improvement and support for Java 14 bytecode. Anything else you believe is
>>>> a blocker for this release?
>>>>
>>>> Here are the tickets included in the 5.6.0 release:
>>>>
>>>> - [Critical] [Bug] TAP5-2602 <https://issues.apache.org/jira/browse/TAP5-2602>
>>>>   5.4 LinkSubmit does not work with Prototype JS
>>>>   Thiago Henrique De Paula Figueiredo <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, CLOSED
>>>> - [Major] [Improvement] TAP5-2624 <https://issues.apache.org/jira/browse/TAP5-2624>
>>>>   Support Java 14 bytecode by upgrading embedded ASM version to 8.0.1
>>>>   Thiago Henrique De Paula Figueiredo <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, RESOLVED
>>>> - [Major] [Improvement] TAP5-2631 <https://issues.apache.org/jira/browse/TAP5-2631>
>>>>   Make Tapestry forms more accessible with automatic generation WAI-ARIA attributes
>>>>   Thiago Henrique De Paula Figueiredo <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, CLOSED
>>>> - [Major] [Bug] TAP5-2632 <https://issues.apache.org/jira/browse/TAP5-2632>
>>>>   ContextAssetRequestHandler doesn't handle slashes in paths correctly
>>>>   Thiago Henrique De Paula Figueiredo <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, RESOLVED
>>>> - [Minor] [Improvement] TAP5-2626 <https://issues.apache.org/jira/browse/TAP5-2626>
>>>>   Update Closure Compiler to latest version available (v20200628)
>>>>   Thiago Henrique De Paula Figueiredo <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp>, CLOSED
>>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
>>> For additional commands, e-mail: dev-help@tapestry.apache.org
>>>
>>
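The failure discussed in this thread, as an added example that is not part of any message above and is not Tapestry source code: an unguarded `indexOf`/`substring` split next to the guarded split posted in the thread, run over constructed inputs including the reported `META-INF` case. The class name, the method names, the `statusFor` caller and the shape of the unguarded split (inferred from the exception text "begin 0, end -1") are assumptions.

```java
// Added illustration; not Tapestry source. Class and method names are hypothetical.
public class ChecksumPathSplitDemo {

    // Unguarded split, reconstructed (assumption) from the reported exception:
    // indexOf returns -1 when there is no '/', so substring(0, -1) throws.
    static String[] splitUnguarded(String extraPath) {
        int slashx = extraPath.indexOf('/');
        return new String[] { extraPath.substring(0, slashx), extraPath.substring(slashx + 1) };
    }

    // Guarded split, same logic as the constructor posted in the thread.
    static String[] splitGuarded(String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
        return new String[] { checksum, morePath };
    }

    // Hypothetical caller: an empty resource path names no asset, so answer 404.
    static int statusFor(String[] parts) {
        return parts[1].isEmpty() ? 404 : 200;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the text after /assets/ in a request path.
        String[] inputs = { "abc123/css/site.css", "META-INF", "", "abc123/" };
        for (String extraPath : inputs) {
            String before;
            try {
                before = String.valueOf(statusFor(splitUnguarded(extraPath)));
            } catch (StringIndexOutOfBoundsException e) {
                // An uncaught runtime exception is what the reporter saw instead of a 404.
                before = "StringIndexOutOfBoundsException";
            }
            int after = statusFor(splitGuarded(extraPath));
            System.out.printf("%-22s unguarded=%-32s guarded=%d%n",
                    "\"" + extraPath + "\"", before, after);
        }
    }
}
```

The slash-free inputs are the ones that separate the two versions: the unguarded split throws on them, while the guarded split yields an empty resource path that the caller can turn into a 404.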


Mime
View raw message