AssetEncoder doesn't handle invalid paths missing a digest
----------------------------------------------------------
Key: TAPESTRY-1915
URL: https://issues.apache.org/jira/browse/TAPESTRY-1915
Project: Tapestry
Issue Type: Improvement
Components: Framework
Affects Versions: 4.1.3, 4.1.2, 4.1.1, 4.1.4, 4.2
Reporter: Greg Woolsey
Priority: Minor
AssetEncoder.decode() has this line:

    int slashx = pathInfo.indexOf('/', 1);

but never checks for slashx == -1 before using it in:

    encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));

which, if the URL didn't have another slash after "assets/", causes a
StringIndexOutOfBoundsException at runtime. Some automated security testing
tools flag the resulting stack trace in the response as a potential risk, and
it just looks bad, even though the URL was not one generated by AssetEncoder,
but one obviously manipulated manually somehow.
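The failure the report describes, as an added standalone example (not Tapestry's own code): a hypothetical `AssetPathDecoder` that mirrors the reported parsing step, with the unchecked version that throws on a path lacking a second slash beside a hardened version that validates the path shape and returns null so the caller can answer with a normal error page instead of a stack trace. The sample paths are constructed.

```java
// Added example, not Tapestry's AssetEncoder: models the decode() step from
// the report, with the missing indexOf() == -1 check applied in the hardened version.
public final class AssetPathDecoder {

    /** Minimal stand-in for the (digest, path) pair the real decoder extracts. */
    public static final class Decoded {
        public final String digest;
        public final String path;
        Decoded(String digest, String path) { this.digest = digest; this.path = path; }
    }

    /** Mirrors the reported logic: assumes a second '/' is always present. */
    public static Decoded decodeUnchecked(String pathInfo) {
        int slashx = pathInfo.indexOf('/', 1);
        // With no second slash, slashx == -1 and substring(1, -1) throws
        // StringIndexOutOfBoundsException, which surfaces as a stack trace.
        String digest = pathInfo.substring(1, slashx);
        return new Decoded(digest, pathInfo.substring(slashx + 1));
    }

    /**
     * Hardened version: validates the path shape before slicing and returns
     * null for anything AssetEncoder could not have generated, so the caller
     * can respond with a plain 404 rather than leaking an exception trace.
     */
    public static Decoded decodeChecked(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        int slashx = pathInfo.indexOf('/', 1);
        if (slashx <= 1 || slashx == pathInfo.length() - 1) {
            return null; // no second slash, empty digest, or empty asset path
        }
        return new Decoded(pathInfo.substring(1, slashx), pathInfo.substring(slashx + 1));
    }

    public static void main(String[] args) {
        String good = "/0a1b2c3d/org/example/Foo.css"; // constructed sample path
        String bad = "/0a1b2c3d";                       // constructed: no second slash
        Decoded ok = decodeChecked(good);
        System.out.println(ok.digest + " " + ok.path);
        System.out.println(decodeChecked(bad) == null ? "rejected" : "accepted");
        try {
            decodeUnchecked(bad);
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("unchecked decoder threw: " + e);
        }
    }
}
```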