[jira] [Commented] (TAP5-2294) App startup announcement broken on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13917380#comment-13917380 ]

Bob Harner commented on TAP5-2294:

Jochen, in what way is the startup announcement broken? The announcement prints out fine for me on Windows 7, both from within Eclipse console (using m2e) and in the command console (mvn) when launching my test app with jetty:run goal.

App startup announcement broken on Windows

Key: TAP5-2294
URL: https://issues.apache.org/jira/browse/TAP5-2294
Project: Tapestry 5
Issue Type: Bug
Components: tapestry-core
Affects Versions: 5.4
Reporter: Jochen Kemnade
Priority: Minor

{{org.apache.tapestry5.internal.TapestryAppInitializer.announceStartup()}} uses {{\n}} to begin new lines. It should use {{System.getProperty("line.separator")}} instead.

--
This message was sent by Atlassian JIRA (v6.1.5#6160)
[jira] [Updated] (TAP5-2294) App startup announcement broken on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner updated TAP5-2294:

Attachment: TAP5-2294 screen shot 1.png

Screenshot showing announcement printing out okay
[jira] [Comment Edited] (TAP5-2294) App startup announcement broken on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13917382#comment-13917382 ]

Bob Harner edited comment on TAP5-2294 at 3/2/14 12:26 PM:

Screenshot attached showing announcement printing out okay. The white is Eclipse, the black is the command window.

was (Author: bobharner):
Screenshot showing announcement printing out okay
[jira] [Commented] (TAP5-2294) App startup announcement broken on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13917386#comment-13917386 ]

Jochen Kemnade commented on TAP5-2294:

You're right, I should have provided more information. I use {{slf4j-log4j12}} with a file appender logger. On Windows (7 FWIW), the new lines are not printed into the log file. The whole startup announcement is written into a single line.
[jira] [Assigned] (TAP5-2294) App startup announcement broken on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner reassigned TAP5-2294:

Assignee: Bob Harner
git commit: Fixed TAP5-2294 (Wrong line endings in app startup messages on Windows)
Repository: tapestry-5 Updated Branches: refs/heads/master b385e77f8 - c4c5c354f Fixed TAP5-2294 (Wrong line endings in app startup messages on Windows) Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/c4c5c354 Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/c4c5c354 Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/c4c5c354 Branch: refs/heads/master Commit: c4c5c354f254ba70f76ca21ca98b891c8038b5d3 Parents: b385e77 Author: Bob Harner bobhar...@apache.org Authored: Sun Mar 2 11:48:08 2014 -0500 Committer: Bob Harner bobhar...@apache.org Committed: Sun Mar 2 11:48:08 2014 -0500 -- .../tapestry5/internal/TapestryAppInitializer.java | 15 --- .../services/ComponentClassResolverImpl.java | 15 --- 2 files changed, 24 insertions(+), 6 deletions(-) -- http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/c4c5c354/tapestry-core/src/main/java/org/apache/tapestry5/internal/TapestryAppInitializer.java -- diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/TapestryAppInitializer.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/TapestryAppInitializer.java index 74a63af..cfd02de 100644 --- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/TapestryAppInitializer.java +++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/TapestryAppInitializer.java @@ -1,4 +1,4 @@ -// Copyright 2006-2013 The Apache Software Foundation +// Copyright 2006-2014 The Apache Software Foundation // // Licensed under the Apache License, Version 2.0 (the License); // you may not use this file except in compliance with the License. 
@@ -201,8 +201,16 @@ public class TapestryAppInitializer return registry; } +/** + * Announce application startup, by logging (at INFO level) the names of all pages, + * components, mixins and services. + */ public void announceStartup() { +if (!logger.isInfoEnabled()) // if info logging is off we can stop now +{ +return; +} long toFinish = System.currentTimeMillis(); SymbolSource source = registry.getService(SymbolSource, SymbolSource.class); @@ -258,9 +266,10 @@ public class TapestryAppInitializer buffer.append(/_ __/__ ___ ___ / /___ __ / __/\n); buffer.append( / / / _ `/ _ \\/ -_|_-/ __/ __/ // / /__ \\ \n); buffer.append(/_/ \\_,_/ .__/\\__/___/\\__/_/ \\_, / //\n); -f.format(/_/ /___/ %s%s\n\n, +f.format (/_/ /___/ %s%s\n\n, version, productionMode ? : (development mode)); -logger.info(buffer.toString()); +// log multi-line string with OS-specific line endings (TAP5-2294) +logger.info(buffer.toString().replaceAll(\\n, System.getProperty(line.separator))); } } http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/c4c5c354/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ComponentClassResolverImpl.java -- diff --git a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ComponentClassResolverImpl.java b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ComponentClassResolverImpl.java index e8ff689..cad9404 100644 --- a/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ComponentClassResolverImpl.java +++ b/tapestry-core/src/main/java/org/apache/tapestry5/internal/services/ComponentClassResolverImpl.java @@ -1,4 +1,4 @@ -// Copyright 2006-2012 The Apache Software Foundation +// Copyright 2006-2014 The Apache Software Foundation // // Licensed under the Apache License, Version 2.0 (the License); // you may not use this file except in compliance with the License. 
@@ -336,10 +336,18 @@ public class ComponentClassResolverImpl implements ComponentClassResolver, Inval return CollectionFactory.newSet(map.values()).size(); } +/** + * Log (at INFO level) the changes between the two logical-name-to-class-name maps + * @param title the title of the things in the maps (e.g. pages or components) + * @param savedMap the old map + * @param newMap the new map + */ private void showChanges(String title, MapString, String savedMap, MapString, String newMap) { -if (savedMap.equals(newMap)) +if (savedMap.equals(newMap) || !logger.isInfoEnabled()) // nothing to log? +{ return; +} MapString, String core = CollectionFactory.newMap(); MapString, String nonCore = CollectionFactory.newMap(); @@ -403,7 +411,8 @@
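Review bot: In TapestryAppInitializer.announceStartup() the new `if (!logger.isInfoEnabled())` return sits ahead of everything else in the method, including the `registry.getService(...)` lookup, so the entire body is skipped when INFO is off. Please confirm that nothing further down does work that callers depend on, and say in the new Javadoc that the method does nothing below INFO level.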
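Review bot: In the last hunk of announceStartup(), the `logger.info(...)` line uses replaceAll, which treats its first argument as a regular expression and gives backslash and dollar a special meaning in the second. The value of line.separator happens to be safe, but String.replace(CharSequence, CharSequence) performs the same literal substitution without that parsing and is the better fit here. The whitespace-only change to `f.format (` in the same hunk is unrelated and should be reverted.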
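Review bot: In ComponentClassResolverImpl.showChanges() the condition `savedMap.equals(newMap) || !logger.isInfoEnabled()` runs the map comparison even when INFO is off; putting the logger test first lets the short-circuit skip it. This guard is also not part of the line-ending fix named in the commit message, so it would be easier to track as a separate commit.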
[jira] [Updated] (TAP5-2294) Wrong line endings in app startup messages on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner updated TAP5-2294:

Summary: Wrong line endings in app startup messages on Windows (was: App startup announcement broken on Windows)
[jira] [Commented] (TAP5-2294) Wrong line endings in app startup messages on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13917481#comment-13917481 ]

ASF subversion and git services commented on TAP5-2294:

Commit c4c5c354f254ba70f76ca21ca98b891c8038b5d3 in tapestry-5's branch refs/heads/master from [~bobharner]
[ https://git-wip-us.apache.org/repos/asf?p=tapestry-5.git;h=c4c5c35 ]

Fixed TAP5-2294 (Wrong line endings in app startup messages on Windows)
[jira] [Resolved] (TAP5-2294) Wrong line endings in app startup messages on Windows
[ https://issues.apache.org/jira/browse/TAP5-2294?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner resolved TAP5-2294.

Resolution: Fixed
Fix Version/s: 5.4

Fixed in commit c4c5c354

I don't have a unix or mac computer handy. It would be nice if somebody would verify that announcement messages aren't broken on unix/mac now.
[CONF] Apache Tapestry Building Tapestry from Source
Bob Harner edited the page: Building Tapestry from Source
Comment: Added some details on skipping tests

...

Command-line users: (gradlew is the gradle wrapper shell script (gradlew) or batch file (gradlew.bat) found in the root folder of the Tapestry source.)

    ./gradlew build

Eclipse Gradle IDE users: Right click on the top-level project (or any sub-project) and select Run As Gradle Build..., which starts an External Tools Configuration dialog box. Enter a reasonable name, select the tasks you want to run (for example, tapestry-core/install), and click Run.

Running Individual Tests

Eclipse users: Install the TestNG plugin to allow running of individual TestNG unit tests from within Eclipse.

...

Running the Tapestry integration tests can take 10 minutes or more (mostly because of Selenium tests, which repeatedly start and stop the Firefox browser), so you won't want to run them every time you try a change.

Command-line users: To build while skipping all tests:

    ./gradlew build -x test

You can skip tests on a specific module by adding a colon and the module name. For example: -x test:tapestry-ioc

Eclipse Gradle IDE users: In your External Tools Configuration, add the same -x test option as above at Arguments Program Arguments.

Running the Integration Test Apps Manually

...
[CONF] Apache Tapestry Page And Component Classes FAQ
Bob Harner edited the page: Page And Component Classes FAQ
Comment: Fixed footnote problem by doing away with it.

...

You are allowed to create sub-packages, to help organize your code better and more logically. For example, you might have root-package.pages.account.ViewAccount, which would have the page name account/viewaccount. (Tapestry would also create an alias account/view, by stripping off the redundant account suffix. Either name is equally valid in your code, and Tapestry will use the shorter name, account/view in URLs.)

In addition, it is possible to define additional root packages for the application:

    public static void contributeComponentClassResolver(Configuration<LibraryMapping> configuration) {
        configuration.add(new LibraryMapping("", "com.example.app.tasks"));
        configuration.add(new LibraryMapping("", "com.example.app.chat"));
    }

...

    @SupportsInformalParameters
    public class DBImage {
        @Parameter(required=true)
        private Image image;

        @Inject
        private ComponentResources resources;

        boolean beginRender(MarkupWriter writer) {
[CONF] Apache Tapestry Limitations
Bob Harner edited the page: Limitations
Comment: Added note about running Tap 4 5 apps together

...

Although you code Tapestry pages and components as if they were ordinary POJOs (Plain Old Java Objects -- Tapestry does not require you to extend any base classes or implement any special interfaces), as deployed by Tapestry they are closer to a traditional servlet: a single instance of each page services requests from multiple threads. Behind the scenes, Tapestry transforms your code, rewriting it on the fly.

What this means is that any incoming request must be handled by a single page instance. Therefore, Tapestry enforces the concept of static structure, dynamic behavior.

...

How do I run multiple Tapestry applications in the same web application?

Running multiple Tapestry 5 applications is not supported; there's only one place to identify the application root package, so even configuring multiple filters into multiple folders will not work.

Support for multiple Tapestry applications in the same web application was a specific non-goal in Tapestry 5 (it needlessly complicated Tapestry 4). Given how loosely connected Tapestry 5 pages are from each other, there doesn't seem to be an advantage to doing so ... and certainly, in terms of memory utilization, there is a significant down side, were it even possible.

You can run a Tapestry 4 app and a Tapestry 5 app side-by-side (the package names are different, for just this reason), but they know nothing of each other, and can't interact directly. This is just like the way you could have a single WAR with multiple servlets; the different applications can only communicate via URLs, or shared state in the HttpSession.
svn commit: r899778 [2/2] - in /websites/production/tapestry/content: building-tapestry-from-source.html cache/main.pageCache injection-faq.html limitations.html page-and-component-classes-faq.html
Modified: websites/production/tapestry/content/page-and-component-classes-faq.html == --- websites/production/tapestry/content/page-and-component-classes-faq.html (original) +++ websites/production/tapestry/content/page-and-component-classes-faq.html Sun Mar 2 22:20:37 2014 
@@ -77,142 +77,26 @@ table.ScrollbarTable td.ScrollbarParent table.ScrollbarTable td.ScrollbarNextName {text-align: right;border: none;} table.ScrollbarTable td.ScrollbarNextIcon {text-align: center;width: 16px;border: none;} -/*]]*//stylediv class=Scrollbartable class=ScrollbarTabletrtd colspan=1 rowspan=1 class=ScrollbarPrevIcona shape=rect href=templating-and-markup-faq.htmlimg align=middle border=0 src=https://cwiki.apache.org/confluence/images/icons/back_16.gif; width=16 height=16/a/tdtd colspan=1 rowspan=1 class=ScrollbarPrevName width=33%a shape=rect href=templating-and-markup-faq.htmlTemplating and Markup FAQ/a#160;/tdtd colspan=1 rowspan=1 class=ScrollbarParent width=33%supa shape=rect href=frequently-asked-questions.htmlimg align=middle border=0 src=https://cwiki.apache.org/confluence/images/icons/up_16.gif; width=8 height=8/a/supa shape=rect href=frequently-asked-questions.htmlFrequently Asked Questions/a/tdtd colspan=1 rowspan=1 class=ScrollbarNextName width=33%#160;a shape=rect href=forms-and-form-components-faq.htmlForms and Form Components FAQ/a/tdtd colspan=1 ro wspan=1 class=ScrollbarNextIcona shape=rect href=forms-and-form-components-faq.htmlimg align=middle border=0 src=https://cwiki.apache.org/confluence/images/icons/forwd_16.gif; width=16 height=16/a/td/tr/table/div - -h2 id=PageAndComponentClassesFAQ-PageAndComponentClassesPage And Component Classes/h2 - -pMain article: a shape=rect href=component-classes.htmlComponent Classes/a/p - -h3 id=PageAndComponentClassesFAQ-What'sthedifferencebetweenapageandacomponent?What's the difference between a page and a component?/h3 - -pThere's very little difference between the two. Pages classes must be in the emroot-package/em.codepages/code package; components must be in the emroot-package/em.codecomponents/code. Pages may provide event handlers for certain page-specific events (such as activate and passivate). 
Components may have parameters./p - -pOther than that, they are more equal than they are different. They may have templates or may render themselves in code (pages usually have a template, components are more likely to render only in code)./p - -pThe major difference is that Tapestry page templates may be stored in the web context directory, as if they were static files (they can't be accessed from the client however; a specific rule prevents access to files with the code.tml/code extension)./p - -div class=aui-message problem shadowed information-macro +/*]]*//stylediv class=Scrollbartable class=ScrollbarTabletrtd colspan=1 rowspan=1 class=ScrollbarPrevIcona shape=rect href=templating-and-markup-faq.htmlimg align=middle border=0 src=https://cwiki.apache.org/confluence/images/icons/back_16.gif; width=16 height=16/a/tdtd colspan=1 rowspan=1 class=ScrollbarPrevName width=33%a shape=rect href=templating-and-markup-faq.htmlTemplating and Markup FAQ/a#160;/tdtd colspan=1 rowspan=1 class=ScrollbarParent width=33%supa shape=rect href=frequently-asked-questions.htmlimg align=middle border=0 src=https://cwiki.apache.org/confluence/images/icons/up_16.gif; width=8 height=8/a/supa shape=rect href=frequently-asked-questions.htmlFrequently Asked Questions/a/tdtd colspan=1 rowspan=1 class=ScrollbarNextName width=33%#160;a shape=rect href=forms-and-form-components-faq.htmlForms and Form Components FAQ/a/tdtd colspan=1 ro wspan=1 class=ScrollbarNextIcona shape=rect href=forms-and-form-components-faq.htmlimg align=middle border=0 src=https://cwiki.apache.org/confluence/images/icons/forwd_16.gif; width=16 height=16/a/td/tr/table/divh2 id=PageAndComponentClassesFAQ-PageAndComponentClassesPage And Component Classes/h2pMain article: a shape=rect href=component-classes.htmlComponent Classes/a/ph3 id=PageAndComponentClassesFAQ-What'sthedifferencebetweenapageandacomponent?What's the difference between a page and a component?/h3pThere's very little difference between the two. 
Pages classes must be in the emroot-package/em.codepages/code package; components must be in the emroot-package/em.codecomponents/code. Pages may provide event handlers for certain page-specific events (such as activate and passivate). Components may have parameters./ppOther than that, they are more equal than they are different. They may have templates or may render themselves in code (pages usually have a template, components are more likely to render only in code)./ppThe major difference is that Tapestry page templates may be stored in the web context directory, as if they were static files (they can't be accessed from the client however; a specific rule prevents
[jira] [Assigned] (TAP5-2295) Exploit found in commons-file-upload 1.3.1
[ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bob Harner reassigned TAP5-2295:

Assignee: Bob Harner

Exploit found in commons-file-upload 1.3.1

Key: TAP5-2295
URL: https://issues.apache.org/jira/browse/TAP5-2295
Project: Tapestry 5
Issue Type: Dependency upgrade
Components: tapestry-upload
Affects Versions: 5.3.5, 5.3.6, 5.3.7, 5.4, 5.2.0
Reporter: jose luis sanchez
Assignee: Bob Harner
Labels: bug, commons-file-upload, security, tapestry-upload

Just found that commons-file-upload 1.3.1 has a bug that can create a DOS attack.
For more information, see http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
I do believe commons-file-upload 1.2.2 has been used in tapestry-upload since version 5.2 at least, or even older.
So recommended option is to update dependency to commons-file-upload-1.3.1.jar

--
This message was sent by Atlassian JIRA (v6.2#6252)
git commit: Fixed TAP5-2295 (denial of service vulnerability due to commons-file-upload) by upgrading commons-file-upload from 1.2.2 to 1.3.1, which also required upgrading commons-io from 2.0.1 to 2.
Repository: tapestry-5 Updated Branches: refs/heads/master c4c5c354f - 9dfe22e08 Fixed TAP5-2295 (denial of service vulnerability due to commons-file-upload) by upgrading commons-file-upload from 1.2.2 to 1.3.1, which also required upgrading commons-io from 2.0.1 to 2.2. Project: http://git-wip-us.apache.org/repos/asf/tapestry-5/repo Commit: http://git-wip-us.apache.org/repos/asf/tapestry-5/commit/9dfe22e0 Tree: http://git-wip-us.apache.org/repos/asf/tapestry-5/tree/9dfe22e0 Diff: http://git-wip-us.apache.org/repos/asf/tapestry-5/diff/9dfe22e0 Branch: refs/heads/master Commit: 9dfe22e08556da76d7a35a79d599f4b9a527c4e1 Parents: c4c5c35 Author: Bob Harner bobhar...@apache.org Authored: Sun Mar 2 23:11:18 2014 -0500 Committer: Bob Harner bobhar...@apache.org Committed: Sun Mar 2 23:11:18 2014 -0500 -- tapestry-upload/build.gradle| 4 ++-- .../upload/internal/services/StubFileItem.java | 12 2 files changed, 14 insertions(+), 2 deletions(-) -- http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/9dfe22e0/tapestry-upload/build.gradle -- diff --git a/tapestry-upload/build.gradle b/tapestry-upload/build.gradle index b149b46..238a92e 100644 --- a/tapestry-upload/build.gradle +++ b/tapestry-upload/build.gradle @@ -2,8 +2,8 @@ description = File Upload component, with supporting services dependencies { compile project(':tapestry-core') - compile commons-fileupload:commons-fileupload:1.2.2 - compile commons-io:commons-io:2.0.1 + compile commons-fileupload:commons-fileupload:1.3.1 + compile commons-io:commons-io:2.2 provided javax.servlet:servlet-api:${versions.servletapi} testCompile project(':tapestry-test') http://git-wip-us.apache.org/repos/asf/tapestry-5/blob/9dfe22e0/tapestry-upload/src/test/java/org/apache/tapestry5/upload/internal/services/StubFileItem.java -- 
diff --git a/tapestry-upload/src/test/java/org/apache/tapestry5/upload/internal/services/StubFileItem.java b/tapestry-upload/src/test/java/org/apache/tapestry5/upload/internal/services/StubFileItem.java index 6ad93a6..af14526 100755 --- a/tapestry-upload/src/test/java/org/apache/tapestry5/upload/internal/services/StubFileItem.java +++ b/tapestry-upload/src/test/java/org/apache/tapestry5/upload/internal/services/StubFileItem.java @@ -15,6 +15,7 @@ package org.apache.tapestry5.upload.internal.services; import org.apache.commons.fileupload.FileItem; +import org.apache.commons.fileupload.FileItemHeaders; import java.io.*; @@ -131,4 +132,15 @@ public class StubFileItem implements FileItem { return isDeleted; } + +/* unused method but required by FileItem interface */ +public FileItemHeaders getHeaders() +{ +return null; +} + +/* unused method but required by FileItem interface */ +public void setHeaders(FileItemHeaders headers) +{ +} }
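Review bot: In tapestry-upload/build.gradle the two bumped coordinates carry literal versions, while the `provided` line directly below takes its version from `${versions.servletapi}`. Moving commons-fileupload and commons-io into the same versions map would make the next security bump a single edit, and a short comment naming TAP5-2295 beside the 1.3.1 pin would discourage a later downgrade.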
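Review bot: In StubFileItem the added getHeaders() returns null and setHeaders() discards its argument, so a test that later reads headers from the stub fails with a NullPointerException far from the cause. Either keep the value in a field and return it from the getter, or throw UnsupportedOperationException from both methods so an unexpected call is obvious.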
[jira] [Commented] (TAP5-2295) Exploit found in commons-file-upload 1.3.1
[ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13917729#comment-13917729 ]

ASF subversion and git services commented on TAP5-2295:

Commit 9dfe22e08556da76d7a35a79d599f4b9a527c4e1 in tapestry-5's branch refs/heads/master from [~bobharner]
[ https://git-wip-us.apache.org/repos/asf?p=tapestry-5.git;h=9dfe22e ]

Fixed TAP5-2295 (denial of service vulnerability due to commons-file-upload) by upgrading commons-file-upload from 1.2.2 to 1.3.1, which also required upgrading commons-io from 2.0.1 to 2.2.
[jira] [Commented] (TAP5-2295) Exploit found in commons-file-upload 1.3.1
[ https://issues.apache.org/jira/browse/TAP5-2295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13917732#comment-13917732 ]

Bob Harner commented on TAP5-2295:

Fixed in 5.4, but still need to do the same for 5.3.x. Note that we want to avoid commons-io version 2.4 for now because it requires JDK 1.6.
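The two version constraints from the TAP5-2295 messages above (commons-fileupload at 1.3.1 or later per the fix commit, commons-io kept below 2.4 per the last comment) can be checked against a Gradle build file before the same change is made on another branch. This is an added example, not code from the Tapestry project; the function names and the sample build text are constructed for illustration, with the sample modelled on the build.gradle hunk in the commit mail.

```python
import re

# Constraints as stated in this thread (not an official advisory range):
#  - the fix commit raises commons-fileupload to 1.3.1
#  - the follow-up comment asks to stay below commons-io 2.4 (needs JDK 1.6)
WATCHED = {
    "commons-fileupload:commons-fileupload": ("min", (1, 3, 1)),
    "commons-io:commons-io": ("below", (2, 4)),
}

# Gradle string notation: <configuration> 'group:name:version'
DEP_RE = re.compile(
    r"""^\s*(?P<config>\w+)\s*\(?\s*['"]"""
    r"""(?P<group>[\w.\-]+):(?P<name>[\w.\-]+):(?P<version>[^'"]+)['"]"""
)


def parse_version(text):
    """Return a tuple of ints for a plain dotted version, else None.

    Placeholders such as ${versions.x} or qualifiers such as -SNAPSHOT
    are reported rather than guessed at.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def _pad(version, width=4):
    # Pad with zeros so that (1, 3) compares as 1.3.0.0
    return tuple(version) + (0,) * (width - len(version))


def audit(build_text):
    """Return (line number, coordinate, version text, reason) per violation."""
    findings = []
    for lineno, line in enumerate(build_text.splitlines(), 1):
        m = DEP_RE.match(line)
        if not m:
            continue
        coord = m.group("group") + ":" + m.group("name")
        if coord not in WATCHED:
            continue
        kind, bound = WATCHED[coord]
        bound_text = ".".join(str(n) for n in bound)
        raw = m.group("version")
        version = parse_version(raw)
        if version is None:
            findings.append((lineno, coord, raw, "not a plain dotted version"))
        elif kind == "min" and _pad(version) < _pad(bound):
            findings.append((lineno, coord, raw, "below " + bound_text))
        elif kind == "below" and _pad(version) >= _pad(bound):
            findings.append((lineno, coord, raw, "at or above " + bound_text))
    return findings


# Constructed sample: the dependency block before the fix commit.
BEFORE = "\n".join([
    "dependencies {",
    "    compile project(':tapestry-core')",
    '    compile "commons-fileupload:commons-fileupload:1.2.2"',
    '    compile "commons-io:commons-io:2.0.1"',
    '    provided "javax.servlet:servlet-api:${versions.servletapi}"',
    "}",
])
# Constructed sample: the same block with the versions from the fix commit.
AFTER = BEFORE.replace(":1.2.2", ":1.3.1").replace(":2.0.1", ":2.2")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```
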