Thank you Thiago! Really appreciate it.

On Tue, Jul 28, 2020 at 9:00 PM Thiago H. de Paula Figueiredo <
thiag...@gmail.com> wrote:

> Hello, everyone!
>
> I've just uploaded 5.6.0-SNAPSHOT to the Apache Maven staging repository to
> make it easier for everyone to give it a spin without having to build from
> source. Unless something really bad comes up, I should follow with putting
> 5.6.0 to a vote without any changes from this snapshot. My plan, which
> everyone has a right to disagree with, is to have major stuff deferred to 5.7.0.
>
> Feedback of all kinds welcome, as usual.
>
> On Mon, Jul 27, 2020 at 1:58 AM David Taylor <
> david.tay...@extensiatech.com>
> wrote:
>
> > Thanks. I will grab your changes and apply those to the patch we are
> > using for the current release.
> >
> > David
> >
> >
> > On 7/26/2020 3:12 PM, Thiago H. de Paula Figueiredo wrote:
> > > Thanks! I ended up fixing this in a slightly different manner and committed
> > > the fix.
> > >
> > > On Fri, Jul 24, 2020 at 1:11 AM David Taylor <
> > david.tay...@extensiatech.com>
> > > wrote:
> > >
> > >> FYI - The following modifications to ChecksumPath prevent the
> > >> StringIndexOutOfBoundsException and allow the server to respond with a
> > >> 404 error.
> > >>
> > > >>       public ChecksumPath(ResourceStreamer streamer, String baseFolder, String extraPath)
> > > >>       {
> > > >>           this.streamer = streamer;
> > > >>           int slashx = extraPath.indexOf('/');
> > > >>
> > > >>           checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
> > > >>
> > > >>           String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
> > > >>
> > > >>           resourcePath = baseFolder == null
> > > >>             ? morePath
> > > >>             : baseFolder + "/" + morePath;
> > > >>       }
> > >>
> > >>
> > >>
> > >> On 7/23/2020 11:39 PM, David Taylor wrote:
> > >>> Hello Everyone,
> > >>>
> > > >>> We are very interested in seeing the 5.6.0 update out the door and
> > > >>> decided to test out the patch for TAP5-2632. In the course of doing so
> > > >>> we found another related issue.
> > > >>>
> > > >>> When the path /assets/META-INF is entered in the browser it causes a
> > > >>> StringIndexOutOfBoundsException in the constructor of the ChecksumPath
> > > >>> class since the code does not guard against the possibility that
> > > >>> indexOf will not find a match. Below is the offending code and the
> > > >>> exception.
> > > >>>
> > > >>> It seems that this needs to get patched to harden the application
> > > >>> against bad input which is apparently very easy to devise. That was
> > > >>> actually the first test string entered when testing the patch. Clearly
> > > >>> Tapestry should not be responding to bad input with an exception.
> > >>>
> > >>> int slashx = extraPath.indexOf('/');
> > >>>
> > >>> java.lang.StringIndexOutOfBoundsException
> > >>> begin 0, end -1, length 8
> > >>>
> > >>> Best Regards,
> > >>> David Taylor
> > >>>
> > >>> On 7/19/2020 11:33 AM, Thiago H. de Paula Figueiredo wrote:
> > >>>> Hello, everyone!
> > >>>>
> > > >>>> I'd like to release Tapestry 5.6.0 as soon as possible. There's a security
> > > >>>> improvement and support for Java 14 bytecode. Anything else you believe is
> > > >>>> a blocker for this release?
> > >>>>
> > >>>> Here are the tickets included in the 5.6.0 release:
> > >>>>
> > > >>>> - [Critical] [Bug] TAP5-2602 <https://issues.apache.org/jira/browse/TAP5-2602>
> > > >>>>   5.4 LinkSubmit does not work with Prototype JS
> > > >>>>   Thiago Henrique De Paula Figueiredo, CLOSED
> > > >>>> - [Major] [Improvement] TAP5-2624 <https://issues.apache.org/jira/browse/TAP5-2624>
> > > >>>>   Support Java 14 bytecode by upgrading embedded ASM version to 8.0.1
> > > >>>>   Thiago Henrique De Paula Figueiredo, RESOLVED
> > > >>>> - [Major] [Improvement] TAP5-2631 <https://issues.apache.org/jira/browse/TAP5-2631>
> > > >>>>   Make Tapestry forms more accessible with automatic generation WAI-ARIA attributes
> > > >>>>   Thiago Henrique De Paula Figueiredo, CLOSED
> > > >>>> - [Major] [Bug] TAP5-2632 <https://issues.apache.org/jira/browse/TAP5-2632>
> > > >>>>   ContextAssetRequestHandler doesn't handle slashes in paths correctly
> > > >>>>   Thiago Henrique De Paula Figueiredo, RESOLVED
> > > >>>> - [Minor] [Improvement] TAP5-2626 <https://issues.apache.org/jira/browse/TAP5-2626>
> > > >>>>   Update Closure Compiler to latest version available (v20200628)
> > > >>>>   Thiago Henrique De Paula Figueiredo, CLOSED
> > >>>>
> > >>>
> > >>>
> > >>> ---------------------------------------------------------------------
> > >>> To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
> > >>> For additional commands, e-mail: dev-h...@tapestry.apache.org
> > >>>
> > >>
> > >>
> > >> ---------------------------------------------------------------------
> > >> To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
> > >> For additional commands, e-mail: dev-h...@tapestry.apache.org
> > >>
> > >>
> >
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscr...@tapestry.apache.org
> > For additional commands, e-mail: dev-h...@tapestry.apache.org
> >
> >
>
> --
> Thiago
>


-- 
Massimo Lusetti
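
The `/assets/META-INF` failure reported in the thread, next to the guarded split from the posted modification, as an added example that is not Tapestry's code. The class name, the body of `unguardedSplit` (inferred from the reported "begin 0, end -1" exception) and the sample inputs, including the `abc123` checksum, are constructed for illustration.

```java
public class ChecksumPathSplitDemo {

    // Assumed shape of the pre-fix logic, inferred from the reported
    // "begin 0, end -1" exception: the indexOf result is used unchecked.
    static String[] unguardedSplit(String extraPath) {
        int slashx = extraPath.indexOf('/');
        return new String[] { extraPath.substring(0, slashx), extraPath.substring(slashx + 1) };
    }

    // Same split with the guard from the modification posted in the thread.
    static String[] guardedSplit(String extraPath) {
        int slashx = extraPath.indexOf('/');
        String checksum = slashx != -1 ? extraPath.substring(0, slashx) : extraPath;
        String morePath = slashx != -1 ? extraPath.substring(slashx + 1) : "";
        return new String[] { checksum, morePath };
    }

    static String describe(String[] parts) {
        return "checksum='" + parts[0] + "' path='" + parts[1] + "'";
    }

    public static void main(String[] args) {
        // Constructed inputs: the part of the URL after the asset prefix.
        String[] samples = { "abc123/META-INF/app.js", "META-INF", "", "abc123/", "/app.js" };
        for (String extraPath : samples) {
            String before;
            try {
                before = describe(unguardedSplit(extraPath));
            } catch (StringIndexOutOfBoundsException e) {
                // Request-derived input reached substring() with end = -1.
                before = "throws " + e.getClass().getSimpleName();
            }
            String after = describe(guardedSplit(extraPath));
            System.out.printf("input='%s'%n  unguarded: %s%n  guarded:   %s%n", extraPath, before, after);
        }
    }
}
```

Inputs without a slash make the unguarded split throw, while the guarded split returns an empty path that the later resource lookup can reject with the 404 the thread asks for.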
