[
https://issues.apache.org/jira/browse/TAPESTRY-1915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12577401#action_12577401
]
Andreas Andreou commented on TAPESTRY-1915:
-------------------------------------------
Yep - I see StringIndexOutOfBoundsException for URLs such as
/assets/anything_with_no_slash
and NPE for the URL /assets/
I'm just wondering how to handle those cases, because if we just return,
the home service will eventually handle them!
Perhaps setting the digest and the path to an empty string and going on with the asset
service is the way to go.
> AssetEncoder doesn't handle invalid paths missing a digest
> ----------------------------------------------------------
>
> Key: TAPESTRY-1915
> URL: https://issues.apache.org/jira/browse/TAPESTRY-1915
> Project: Tapestry
> Issue Type: Improvement
> Components: Framework
> Affects Versions: 4.1.1, 4.1.2, 4.1.3, 4.1.5
> Reporter: Greg Woolsey
> Assignee: Andreas Andreou
> Priority: Minor
> Fix For: 4.1.6
>
>
> AssetEncoder.decode() has this line:
> int slashx = pathInfo.indexOf('/', 1);
> but never checks for slashx == -1 before using it in:
> encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1,
> slashx));
> which, if the URL didn't have another slash after "assets/", causes a
> StringIndexOutOfBoundsException at runtime. Some automated security testing
> tools flag the resulting stack trace in the response as a potential risk, and
> it just looks bad, even though the URL was not one generated by AssetEncoder,
> but one obviously manipulated manually somehow.
--
This message is automatically generated by JIRA.
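The two failure modes discussed in this thread (no second slash, and an empty or missing path) come from slicing `pathInfo` before checking what `indexOf` returned. The Java class below is an added illustration, not Tapestry's own `AssetEncoder` code: `decodeUnchecked` mirrors the quoted logic and reproduces the StringIndexOutOfBoundsException / NullPointerException, while `decodeChecked` validates first and rejects malformed paths so the caller can answer with a plain 404 instead of a stack trace. It assumes `pathInfo` is the part of the URL after `/assets` (e.g. `/<digest>/<path>`); the `Decoded` result class, the method names and the sample digest value are constructed for this example.

```java
/**
 * Added example for TAPESTRY-1915; not code from the Tapestry project.
 * Assumption: pathInfo is the URL portion after "/assets", e.g. "/<digest>/<path>".
 */
public final class AssetPathDecoding {

    /** Decoded digest and path; callers treat a null Decoded as "reject the request". */
    public static final class Decoded {
        public final String digest;
        public final String path;
        Decoded(String digest, String path) { this.digest = digest; this.path = path; }
        @Override public String toString() { return "digest=" + digest + ", path=" + path; }
    }

    /** Mirrors the unchecked logic quoted in the issue: no guard for slashx == -1 or a null pathInfo. */
    public static Decoded decodeUnchecked(String pathInfo) {
        int slashx = pathInfo.indexOf('/', 1);          // NullPointerException when pathInfo is null
        String digest = pathInfo.substring(1, slashx);  // StringIndexOutOfBoundsException when slashx == -1
        String path = pathInfo.substring(slashx);
        return new Decoded(digest, path);
    }

    /** Hardened variant: validate the shape of the path before slicing it. */
    public static Decoded decodeChecked(String pathInfo) {
        if (pathInfo == null || pathInfo.length() < 2 || pathInfo.charAt(0) != '/') {
            return null;                                // covers "/assets/" (empty or null pathInfo)
        }
        int slashx = pathInfo.indexOf('/', 1);
        if (slashx < 0 || slashx == 1) {
            return null;                                // no second slash, or an empty digest segment
        }
        String digest = pathInfo.substring(1, slashx);
        String path = pathInfo.substring(slashx);
        return new Decoded(digest, path);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one well-formed path, then the cases from the thread.
        String[] samples = { "/d41d8cd9/images/logo.png", "/anything_with_no_slash", "/", null };
        for (String s : samples) {
            Decoded d = decodeChecked(s);
            System.out.println(s + " -> " + (d == null ? "rejected (respond 404)" : d));
            try {
                decodeUnchecked(s);
                System.out.println("  unchecked version: ok");
            } catch (RuntimeException e) {
                System.out.println("  unchecked version throws " + e.getClass().getSimpleName());
            }
        }
    }
}
```

Running `main` shows the well-formed path decoding identically in both variants, while `/anything_with_no_slash` and `/` raise StringIndexOutOfBoundsException and `null` raises NullPointerException only in the unchecked version. Returning `null` for malformed input is one option; the comment above suggests the alternative of setting an empty digest and path and letting the asset service continue, and either way the check must happen before `substring` is called.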