[
https://issues.apache.org/jira/browse/TAPESTRY-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andreas Andreou updated TAPESTRY-1915:
--------------------------------------
Fix Version/s: 4.1.6
Assignee: Andreas Andreou
Affects Version/s: (was: 4.2)
> AssetEncoder doesn't handle invalid paths missing a digest
> ----------------------------------------------------------
>
> Key: TAPESTRY-1915
> URL: https://issues.apache.org/jira/browse/TAPESTRY-1915
> Project: Tapestry
> Issue Type: Improvement
> Components: Framework
> Affects Versions: 4.1.1, 4.1.2, 4.1.3, 4.1.5
> Reporter: Greg Woolsey
> Assignee: Andreas Andreou
> Priority: Minor
> Fix For: 4.1.6
>
>
> AssetEncoder.decode() has this line:
> int slashx = pathInfo.indexOf('/', 1);
> but never checks for slashx == -1 before using it in:
> encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));
> which, if the URL didn't have another slash after "assets/", causes a
> StringIndexOutOfBoundsException at runtime. Some automated security testing
> tools flag the resulting stack trace in the response as a potential risk, and
> it just looks bad, even though the URL was not one generated by AssetEncoder,
> but one obviously manipulated manually somehow.
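The failure mode described in the report, shown as an added stand-alone example; this is not Tapestry's own code, and the class, method and parameter names (a `Map` standing in for the encoder's parameter setting) are hypothetical. `decodeUnchecked` mirrors the reported logic: `indexOf` returns -1 when the path has no second slash and `substring(1, -1)` throws. `decodeGuarded` validates the path shape first and returns `null` for anything that does not look like `/<digest>/<path>`, so the caller can answer with a plain 404 instead of leaking a stack trace.

```java
import java.util.HashMap;
import java.util.Map;

public class AssetPathDecodeExample {

    /**
     * Mirrors the flawed decode: it assumes pathInfo is "/<digest>/<rest>".
     * When no second slash exists, indexOf() returns -1 and
     * substring(1, -1) throws StringIndexOutOfBoundsException.
     */
    static Map<String, String> decodeUnchecked(String pathInfo) {
        Map<String, String> params = new HashMap<>();
        int slashx = pathInfo.indexOf('/', 1);
        params.put("digest", pathInfo.substring(1, slashx));
        params.put("path", pathInfo.substring(slashx + 1));
        return params;
    }

    /**
     * Guarded decode: checks the path shape before slicing it.
     * Returns null for any path that is not "/<non-empty digest>/<rest>",
     * leaving it to the caller to reject the request (e.g. with 404).
     */
    static Map<String, String> decodeGuarded(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;
        }
        int slashx = pathInfo.indexOf('/', 1);
        // -1: no second slash at all; 1: the digest segment would be empty
        if (slashx < 2) {
            return null;
        }
        Map<String, String> params = new HashMap<>();
        params.put("digest", pathInfo.substring(1, slashx));
        params.put("path", pathInfo.substring(slashx + 1));
        return params;
    }

    public static void main(String[] args) {
        // Constructed sample paths: one well-formed, the rest malformed
        String[] samples = { "/abc123/images/logo.png", "/abc123", "/", "//x" };
        for (String s : samples) {
            try {
                System.out.println("unchecked " + s + " -> " + decodeUnchecked(s));
            } catch (StringIndexOutOfBoundsException e) {
                System.out.println("unchecked " + s + " -> " + e.getClass().getSimpleName());
            }
            System.out.println("guarded   " + s + " -> " + decodeGuarded(s));
        }
    }
}
```

Running the `main` shows `decodeUnchecked` throwing for `/abc123` and `/` while `decodeGuarded` returns `null` for those and for the empty-digest case `//x`; only `/abc123/images/logo.png` decodes. Whether the guarded branch returns `null`, throws a checked exception, or directly sends a 404 is a design choice; the point the report makes is that a hand-edited asset URL should produce a short error response, not an unhandled exception whose stack trace ends up in the HTTP body.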
--
This message is automatically generated by JIRA.