tapestry-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thiago H. de Paula Figueiredo" <thiag...@gmail.com>
Subject Re: Ready for 5.6.0? Any blockers?
Date Tue, 28 Jul 2020 18:59:38 GMT
Hello, everyone!

I've just uploaded 5.6.0-SNAPSHOT to the Apache Maven staging repository to
make it easier for everyone to give it a spin without having to build from
source. Unless something really bad comes up, I should follow with putting
5.6.0 to a vote without any changes from this snapshot. My plan, which
everyone has a right to disagree, is to have major stuff deferred to 5.7.0.

Feedback of all kinds welcome, as usual.

On Mon, Jul 27, 2020 at 1:58 AM David Taylor <david.taylor@extensiatech.com>
wrote:

> Thanks. I will grab your changes and apply those to the patch we are
> using for the current release.
>
> David
>
>
> On 7/26/2020 3:12 PM, Thiago H. de Paula Figueiredo wrote:
> > Thanks! I ended up fixing this is a slightly different manner and
> committed
> > the fix.
> >
> > On Fri, Jul 24, 2020 at 1:11 AM David Taylor <
> david.taylor@extensiatech.com>
> > wrote:
> >
> >> FYI - The following modifications to ChecksumPath prevent the
> >> StringIndexOutOfBoundsException and allow the server to respond with a
> >> 404 error.
> >>
> >>       public ChecksumPath(ResourceStreamer streamer, String baseFolder,
> >> String extraPath)
> >>       {
> >>           this.streamer = streamer;
> >>           int slashx = extraPath.indexOf('/');
> >>
> >>           checksum = slashx != -1 ? extraPath.substring(0, slashx) :
> >> extraPath;
> >>
> >>           String morePath = slashx != -1 ? extraPath.substring(slashx +
> >> 1) : "";
> >>
> >>           resourcePath = baseFolder == null
> >>             ? morePath
> >>             : baseFolder + "/" + morePath;
> >>       }
> >>
> >>
> >>
> >> emailsig
> >> On 7/23/2020 11:39 PM, David Taylor wrote:
> >>> Hello Everyone,
> >>>
> >>> We are very interested in seeing the 5.6.0 update out the door and
> >>> decided to test out the patch for TAP5-2632. In the course of doing so
> >>> we found another related issue.
> >>>
> >>> When the path /assets/META-INF is entered in the browser it causes a
> >>> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> >>> class since the code does not guard against the possibility that
> >>> indexOf will not find a match. Below is the offending code and the
> >>> exception.
> >>>
> >>>   It seems that this needs to get patched to harden the application
> >>> against bad input which is apparently very easy to devise. That was
> >>> actually the first test string entered when testing the patch. Clearly
> >>> Tapestry should not be responding to bad input with an exception.
> >>>
> >>> int slashx = extraPath.indexOf('/');
> >>>
> >>> java.lang.StringIndexOutOfBoundsException
> >>> begin 0, end -1, length 8
> >>>
> >>> Best Regards,
> >>> David Taylor
> >>>
> >>> On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
> >>>> Hello, everyone!
> >>>>
> >>>> I'd like to release Tapestry 5.6.0 as soon as possible. There's a
> >>>> security
> >>>> improvement and support for Java 14 bytecode. Anything else you
> >>>> believe is
> >>>> a blocker this release?
> >>>>
> >>>> Here are the tickets included in the 5.6.0 release:
> >>>>
> >>>> [image: Critical] [image: Bug] TAP5-2602
> >>>> <https://issues.apache.org/jira/browse/TAP5-2602> 5.4 LinkSubmit
does
> >>>> not
> >>>> work with Prototype JS
> >>>> <https://issues.apache.org/jira/browse/TAP5-2602> Thiago
> >>>> Henrique De Paula Figueiredo
> >>>> <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp
> >
> >>>> CLOSED
> >>>> [image: Major] [image: Improvement] TAP5-2624
> >>>> <https://issues.apache.org/jira/browse/TAP5-2624> Support Java
14
> >>>> bytecode
> >>>> by upgrading embedded ASM version to 8.0.1
> >>>> <https://issues.apache.org/jira/browse/TAP5-2624> Thiago Henrique
De
> >>>> Paula
> >>>> Figueiredo
> >>>> <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp
> >
> >>>> RESOLVED
> >>>> [image: Major] [image: Improvement] TAP5-2631
> >>>> <https://issues.apache.org/jira/browse/TAP5-2631> Make Tapestry
forms
> >>>> more
> >>>> accessible with automatic generation WAI-ARIA attributes
> >>>> <https://issues.apache.org/jira/browse/TAP5-2631> Thiago Henrique
De
> >>>> Paula
> >>>> Figueiredo
> >>>> <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp
> >
> >>>> CLOSED
> >>>> [image: Major] [image: Bug] TAP5-2632
> >>>> <https://issues.apache.org/jira/browse/TAP5-2632>
> >>>> ContextAssetRequestHandler
> >>>> doesn't handle slashes in paths correctly
> >>>> <https://issues.apache.org/jira/browse/TAP5-2632> Thiago Henrique
De
> >>>> Paula
> >>>> Figueiredo
> >>>> <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp
> >
> >>>> RESOLVED
> >>>> [image: Minor] [image: Improvement] TAP5-2626
> >>>> <https://issues.apache.org/jira/browse/TAP5-2626> Update Closure
> >>>> Compiler
> >>>> to latest version available (v20200628)
> >>>> <https://issues.apache.org/jira/browse/TAP5-2626> Thiago Henrique
De
> >>>> Paula
> >>>> Figueiredo
> >>>> <https://issues.apache.org/jira/secure/ViewProfile.jspa?name=thiagohp
> >
> >>>> CLOSED
> >>>>
> >>>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
> >>> For additional commands, e-mail: dev-help@tapestry.apache.org
> >>>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
> >> For additional commands, e-mail: dev-help@tapestry.apache.org
> >>
> >>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
> For additional commands, e-mail: dev-help@tapestry.apache.org
>
>

-- 
Thiago

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message