[TAPESTRY-1915] AssetEncoder doesn't handle invalid paths missing a digest - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: 4.1.1, 4.1.2, 4.1.3, 4.1.5
Fix Version/s: 4.1.6
Component/s: Framework
Labels:
None

Description

AssetEncoder.decode() has this line:

int slashx = pathInfo.indexOf('/', 1);

but never checks for slashx == -1 before using it in:

encoding.setParameterValue(AssetService.DIGEST, pathInfo.substring(1, slashx));

which, if the URL didn't have another slash after "assets/", causes a StringIndexOutOfBoundsException at runtime. Some automated security testing tools flag the resulting stack trace in the response as a potential risk, and it just looks bad, even though the URL was not one generated by AssetEncoder, but one obviously manipulated manually somehow.

Attachments

Activity

People

Assignee:: Andreas Andreou

Reporter:: Greg Woolsey

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 15/Nov/07 20:30

Updated:: 29/Mar/08 00:09

Resolved:: 29/Mar/08 00:09